Remove direct login route

Even though this was an undocumented feature, it was a potential XSS
vector, as captured in #85. Since OAuth 2 support was introduced in #722,
this functionality is less useful and it's time to remove it.
This commit is contained in:
Gerhard Lazu 2019-11-08 16:51:40 +00:00
parent 9887b7672d
commit c1e023dc7c
2 changed files with 0 additions and 28 deletions


@ -14,7 +14,6 @@ dispatcher_add(function(sammy) {
}
render(reqs, 'overview', '#/');
});
sammy.get('#/login/:username/:password', login_route);
path('#/cluster-name', {'cluster_name': '/cluster-name'}, 'cluster-name');
sammy.put('#/cluster-name', function() {


@ -44,31 +44,6 @@ function set_auth_pref(userinfo) {
store_cookie_value_with_expiration('auth', encodeURIComponent(b64), date);
}
function login_route () {
var userpass = '' + this.params['username'] + ':' + this.params['password'],
location = window.location.href,
hash = window.location.hash;
set_auth_pref(decodeURIComponent(userpass));
location = location.substr(0, location.length - hash.length);
window.location.replace(location);
// because we change url, we don't need to hit check_login as
// we'll end up doing that at the bottom of start_app_login after
// we've changed url.
}
function login_route_with_path() {
var params = ('' + this.params['splat']).split('/');
var user = params.shift();
var pass = params.shift();
var userpass = '' + user + ':' + pass,
location = window.location.href,
hash = window.location.hash;
set_auth_pref(decodeURIComponent(userpass));
location = location.substr(0, location.length - hash.length) + '#/' + params.join('/');
check_login();
window.location.replace(location);
}
function getParameterByName(name) {
var match = RegExp('[#&]' + name + '=([^&]*)').exec(window.location.hash);
return match && decodeURIComponent(match[1].replace(/\+/g, ' '));
@ -87,8 +62,6 @@ function start_app_login() {
set_auth_pref(username + ':' + password);
check_login();
});
this.get('#/login/:username/:password', login_route);
this.get(/\#\/login\/(.*)/, login_route_with_path);
});
if (enable_uaa) {
var token = getAccessToken();