Changeset - 1346754f1852
Parent rev.
Child rev.
[Not reviewed]
stable
0 2 0
Mads Kiilerich - 10 years ago 2015-09-26 02:34:16
madski@unity3d.com
forms: don't use secure forms with authentication token for GET requests

The token is secret and should never be used in forms posted with GET which are
URL encoded. aef21d16a262 was too aggresive in using secure forms everywhere
and did thus also incorrectly use them for forms posted with GET.

Some token leakage was reported by Gjoko Krstic <gjoko@zeroscience.mk> of Zero
Science Lab.
2 files changed with 13 insertions and 3 deletions:
kallithea/controllers/changelog.py
1
kallithea/lib/helpers.py
13
2
0 comments (0 inline, 0 general)
kallithea/controllers/changelog.py
Show inline comments
 
@@ -98,7 +98,6 @@ class ChangelogController(BaseRepoContro
 
        # TODO: Somehow just don't send this extra junk in the GET URL
 
        if request.GET.get('set'):
 
            request.GET.pop('set', None)
 
            request.GET.pop('_authentication_token', None)
 
            if revision is None:
 
                return redirect(url('changelog_home', repo_name=repo_name, **request.GET))
 
            return redirect(url('changelog_file_home', repo_name=repo_name, revision=revision, f_path=f_path, **request.GET))
kallithea/lib/helpers.py
Show inline comments
 
@@ -36,12 +36,13 @@ from webhelpers.html.builder import make
 
from webhelpers.html.tags import auto_discovery_link, checkbox, css_classes, \
 
    end_form, file, hidden, image, javascript_link, link_to, \
 
    link_to_if, link_to_unless, ol, required_legend, select, stylesheet_link, \
 
    submit, text, password, textarea, title, ul, xml_declaration, radio
 
    submit, text, password, textarea, title, ul, xml_declaration, radio, \
 
    form as insecure_form
 
from webhelpers.html.tools import auto_link, button_to, highlight, \
 
    js_obfuscate, mail_to, strip_links, strip_tags, tag_re
 
from webhelpers.number import format_byte_size, format_bit_size
 
from webhelpers.pylonslib import Flash as _Flash
 
from webhelpers.pylonslib.secure_form import secure_form as form, authentication_token
 
from webhelpers.pylonslib.secure_form import secure_form, authentication_token
 
from webhelpers.text import chop_at, collapse, convert_accented_entities, \
 
    convert_misc_entities, lchop, plural, rchop, remove_formatting, \
 
    replace_whitespace, urlify, truncate, wrap_paragraphs
 
@@ -1451,3 +1452,13 @@ def ip_range(ip_addr):
 
    from kallithea.model.db import UserIpMap
 
    s, e = UserIpMap._get_ip_range(ip_addr)
 
    return '%s - %s' % (s, e)
 

			




	
	
	
		
 

			




	
	
	
		
 
def form(url, method="post", **attrs):

			




	
	
	
		
 
    """Like webhelpers.html.tags.form but automatically using secure_form with

			




	
	
	
		
 
    authentication_token for POST. authentication_token is thus never leaked

			




	
	
	
		
 
    in the URL."""

			




	
	
	
		
 
    if method.lower() == 'get':

			




	
	
	
		
 
        return insecure_form(url, method=method, **attrs)

			




	
	
	
		
 
    # webhelpers will turn everything but GET into POST

			




	
	
	
		
 
    return secure_form(url, method=method, **attrs)

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.