add xsrf checks on files endpoints

7 years ago · d7becafd59
parent 98773c1a8a
commit d7becafd59
3 changed files with 13 additions and 2 deletions
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -650,14 +650,21 @@ class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
        return super(AuthenticatedFileHandler, self).content_security_policy + \
                "; sandbox allow-scripts"

+    @web.authenticated
+    def head(self, path):
+        self.check_xsrf_cookie()
+        return super(AuthenticatedFileHandler, self).head(path)
+
    @web.authenticated
    def get(self, path):
+        self.check_xsrf_cookie()
+
        if os.path.splitext(path)[1] == '.ipynb' or self.get_argument("download", False):
            name = path.rsplit('/', 1)[-1]
            self.set_attachment_header(name)

        return web.StaticFileHandler.get(self, path)
-    
+
    def get_content_type(self):
        path = self.absolute_path.strip('/')
        if '/' in path:
--- a/notebook/files/handlers.py
+++ b/notebook/files/handlers.py
@ -31,10 +31,13 @@ class FilesHandler(IPythonHandler):

    @web.authenticated
    def head(self, path):
-        self.get(path, include_body=False)
+        self.check_xsrf_cookie()
+        return self.get(path, include_body=False)

    @web.authenticated
    def get(self, path, include_body=True):
+        # /files/ requests must originate from the same site
+        self.check_xsrf_cookie()
        cm = self.contents_manager

        if cm.is_hidden(path) and not cm.allow_hidden:
--- a/notebook/services/nbconvert/handlers.py
+++ b/notebook/services/nbconvert/handlers.py
@ -9,6 +9,7 @@ class NbconvertRootHandler(APIHandler):

    @web.authenticated
    def get(self):
+        self.check_xsrf_cookie()
        try:
            from nbconvert.exporters import base
        except ImportError as e: