kallithea Files · scripts/logformat.py

Files @ 8b47181750a8

Branch filter:

Location: kallithea/scripts/logformat.py - annotation

8b47181750a8 1.8 KiB text/x-python Show Source Show as Raw Download as Raw

Mads Kiilerich

login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)

htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.

By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.

Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.

The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .

8bc8366a6874
8bc8366a6874
a8e6bb9ee9ea
a8e6bb9ee9ea
8bc8366a6874
8bc8366a6874
8bc8366a6874
0a277465fddf
8bc8366a6874
8bc8366a6874
8bc8366a6874
8bc8366a6874
8bc8366a6874
8bc8366a6874
8bc8366a6874
8bc8366a6874
8bc8366a6874
4473f1094d3d
4473f1094d3d
8bc8366a6874
8bc8366a6874
63b548dd5ef3
8bc8366a6874
63b548dd5ef3
8bc8366a6874
63b548dd5ef3
8bc8366a6874
63b548dd5ef3
8bc8366a6874
63b548dd5ef3
8bc8366a6874
8bc8366a6874
4473f1094d3d
4473f1094d3d
665dfa112f2c
8bc8366a6874
8bc8366a6874
665dfa112f2c
4473f1094d3d
4473f1094d3d
4473f1094d3d
4473f1094d3d
a8e6bb9ee9ea
a8e6bb9ee9ea
a8e6bb9ee9ea
4473f1094d3d
4473f1094d3d
4473f1094d3d
4473f1094d3d

#!/usr/bin/env python2

from __future__ import print_function

import re
import sys


logre = r'''
(log\.(?:error|info|warning|debug)
[(][ \n]*
)
%s
(
[ \n]*[)]
)
'''


res = [
    # handle % () - keeping spaces around the old %
    (re.compile(logre % r'''("[^"]*"|'[^']*')   ([\n ]*) %  ([\n ]*) \( ( (?:[^()]|\n)* (?: \( (?:[^()]|\n)* \) (?:[^()]|\n)* )* ) \) ''', flags=re.MULTILINE | re.VERBOSE), r'\1\2,\3\4\5\6'),
    # handle % without () - keeping spaces around the old %
    (re.compile(logre % r'''("[^"]*"|'[^']*')   ([\n ]*) %  ([\n ]*)    ( (?:[^()]|\n)* (?: \( (?:[^()]|\n)* \) (?:[^()]|\n)* )* )    ''', flags=re.MULTILINE | re.VERBOSE), r'\1\2,\3\4\5\6'),
    # remove extra space if it is on next line
    (re.compile(logre % r'''("[^"]*"|'[^']*') , (\n [ ]) ([ ][\n ]*)    ( (?:[^()]|\n)* (?: \( (?:[^()]|\n)* \) (?:[^()]|\n)* )* )    ''', flags=re.MULTILINE | re.VERBOSE), r'\1\2,\3\4\5\6'),
    # remove extra space if it is on same line
    (re.compile(logre % r'''("[^"]*"|'[^']*') , [ ]+  () (   [\n ]+)    ( (?:[^()]|\n)* (?: \( (?:[^()]|\n)* \) (?:[^()]|\n)* )* )    ''', flags=re.MULTILINE | re.VERBOSE), r'\1\2,\3\4\5\6'),
    # remove trailing , and space
    (re.compile(logre % r'''("[^"]*"|'[^']*') ,       () (   [\n ]*)    ( (?:[^()]|\n)* (?: \( (?:[^()]|\n)* \) (?:[^()]|\n)* )* [^(), \n] ) [ ,]*''', flags=re.MULTILINE | re.VERBOSE), r'\1\2,\3\4\5\6'),
    ]


def rewrite(f):
    s = open(f).read()
    for r, t in res:
        s = r.sub(t, s)
    open(f, 'w').write(s)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Cleanup of superfluous % formatting of log statements.')
        print('Usage:')
        print('''  hg revert `hg loc '*.py'|grep -v logformat.py` && scripts/logformat.py `hg loc '*.py'` && hg diff''')
        raise SystemExit(1)

    for f in sys.argv[1:]:
        rewrite(f)