Require xsrf/csrf when using a password (#6396)

Jesse Hills 2024-03-19 13:39:01 +13:00 committed by GitHub
parent 61f11386a9
commit 9b7438a56d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 7 additions and 1 deletions


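--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -688,6 +688,11 @@ class MainRequestHandler(BaseHandler):
     @authenticated
     def get(self) -> None:
         begin = bool(self.get_argument("begin", False))
+        if settings.using_password:
+            # Simply accessing the xsrf_token sets the cookie for us
+            self.xsrf_token  # pylint: disable=pointless-statement
+        else:
+            self.clear_cookie("_xsrf")
         self.render(
             "index.template.html",
@@ -1102,6 +1107,7 @@ def make_app(debug=get_bool_env(ENV_DEV)) -> tornado.web.Application:
         "log_function": log_function,
         "websocket_ping_interval": 30.0,
         "template_path": get_base_frontend_path(),
+        "xsrf_cookies": settings.using_password,
     }
     rel = settings.relative_url
     return tornado.web.Application(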
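Review bot: The new `"xsrf_cookies": settings.using_password` entry only makes Tornado validate the `_xsrf` token on non-GET/HEAD/OPTIONS HTTP requests; the `websocket_ping_interval` setting two lines above indicates the app also serves WebSocket handlers, whose upgrade is a GET and is therefore not covered by this setting, so those handlers presumably still rely on their own `check_origin` and that division of labour deserves a comment next to the new line, e.g. `# Enforced by Tornado on state-changing HTTP methods only; WebSocket handlers rely on check_origin`. In the first hunk the `else` branch has no why-comment; `# No password means no XSRF check - drop a stale cookie left by an earlier password-protected run` would make the intent clear. `MainRequestHandler.get` continues past the hunk, and `make_app` both starts and ends outside it.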


@ -12,7 +12,7 @@ pyserial==3.5
platformio==6.1.13 # When updating platformio, also update Dockerfile platformio==6.1.13 # When updating platformio, also update Dockerfile
esptool==4.7.0 esptool==4.7.0
click==8.1.7 click==8.1.7
esphome-dashboard==20231107.0 esphome-dashboard==20240319.0
aioesphomeapi==23.1.1 aioesphomeapi==23.1.1
zeroconf==0.131.0 zeroconf==0.131.0
python-magic==0.4.27 python-magic==0.4.27