Changeset - 1346754f1852
Parent rev.
Child rev.
[Not reviewed]
stable
0 2 0
Mads Kiilerich - 10 years ago 2015-09-26 02:34:16
madski@unity3d.com
forms: don't use secure forms with authentication token for GET requests

The token is secret and should never be used in forms posted with GET which are
URL encoded. aef21d16a262 was too aggresive in using secure forms everywhere
and did thus also incorrectly use them for forms posted with GET.

Some token leakage was reported by Gjoko Krstic <gjoko@zeroscience.mk> of Zero
Science Lab.
2 files changed with 13 insertions and 3 deletions:
kallithea/controllers/changelog.py
1
kallithea/lib/helpers.py
13
2
0 comments (0 inline, 0 general)
kallithea/controllers/changelog.py
Show inline comments
 
@@ -89,25 +89,24 @@ class ChangelogController(BaseRepoContro
 
            log.error(traceback.format_exc())
 
            h.flash(safe_str(e), category='error')
 
        raise HTTPBadRequest()
 

			




	
	
	
		
 
    @LoginRequired()

			




	
	
	
		
 
    @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',

			




	
	
	
		
 
                                   'repository.admin')

			




	
	
	
		
 
    def index(self, repo_name, revision=None, f_path=None):

			




	
	
	
		
 
        # Fix URL after page size form submission via GET

			




	
	
	
		
 
        # TODO: Somehow just don't send this extra junk in the GET URL

			




	
	
	
		
 
        if request.GET.get('set'):

			




	
	
	
		
 
            request.GET.pop('set', None)

			




	
	
	
		
 
            request.GET.pop('_authentication_token', None)

			




	
	
	
		
 
            if revision is None:

			




	
	
	
		
 
                return redirect(url('changelog_home', repo_name=repo_name, **request.GET))

			




	
	
	
		
 
            return redirect(url('changelog_file_home', repo_name=repo_name, revision=revision, f_path=f_path, **request.GET))

			




	
	
	
		
 

			




	
	
	
		
 
        limit = 2000

			




	
	
	
		
 
        default = 100

			




	
	
	
		
 
        if request.GET.get('size'):

			




	
	
	
		
 
            c.size = max(min(safe_int(request.GET.get('size')), limit), 1)

			




	
	
	
		
 
            session['changelog_size'] = c.size

			




	
	
	
		
 
            session.save()

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            c.size = int(session.get('changelog_size', default))

			




        

    


    
    

    

        

                

                    kallithea/lib/helpers.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -27,30 +27,31 @@ import textwrap

			




	
	
	
		
 

			




	
	
	
		
 
from pygments.formatters.html import HtmlFormatter

			




	
	
	
		
 
from pygments import highlight as code_highlight

			




	
	
	
		
 
from pylons import url

			




	
	
	
		
 
from pylons.i18n.translation import _, ungettext

			




	
	
	
		
 

			




	
	
	
		
 
from webhelpers.html import literal, HTML, escape

			




	
	
	
		
 
from webhelpers.html.tools import *

			




	
	
	
		
 
from webhelpers.html.builder import make_tag

			




	
	
	
		
 
from webhelpers.html.tags import auto_discovery_link, checkbox, css_classes, \

			




	
	
	
		
 
    end_form, file, hidden, image, javascript_link, link_to, \

			




	
	
	
		
 
    link_to_if, link_to_unless, ol, required_legend, select, stylesheet_link, \

			




	
	
	
		
 
    submit, text, password, textarea, title, ul, xml_declaration, radio

			




	
	
	
		
 
    submit, text, password, textarea, title, ul, xml_declaration, radio, \

			




	
	
	
		
 
    form as insecure_form

			




	
	
	
		
 
from webhelpers.html.tools import auto_link, button_to, highlight, \

			




	
	
	
		
 
    js_obfuscate, mail_to, strip_links, strip_tags, tag_re

			




	
	
	
		
 
from webhelpers.number import format_byte_size, format_bit_size

			




	
	
	
		
 
from webhelpers.pylonslib import Flash as _Flash

			




	
	
	
		
 
from webhelpers.pylonslib.secure_form import secure_form as form, authentication_token

			




	
	
	
		
 
from webhelpers.pylonslib.secure_form import secure_form, authentication_token

			




	
	
	
		
 
from webhelpers.text import chop_at, collapse, convert_accented_entities, \

			




	
	
	
		
 
    convert_misc_entities, lchop, plural, rchop, remove_formatting, \

			




	
	
	
		
 
    replace_whitespace, urlify, truncate, wrap_paragraphs

			




	
	
	
		
 
from webhelpers.date import time_ago_in_words

			




	
	
	
		
 
from webhelpers.paginate import Page as _Page

			




	
	
	
		
 
from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \

			




	
	
	
		
 
    convert_boolean_attrs, NotGiven, _make_safe_id_component

			




	
	
	
		
 

			




	
	
	
		
 
from kallithea.lib.annotate import annotate_highlight

			




	
	
	
		
 
from kallithea.lib.utils import repo_name_slug, get_custom_lexer

			




	
	
	
		
 
from kallithea.lib.utils2 import str2bool, safe_unicode, safe_str, \

			




	
	
	
		
 
    get_changeset_safe, datetime_to_time, time_to_datetime, AttributeDict,\

			




	
	
		
 
@@ -1442,12 +1443,22 @@ def journal_filter_help():

			




	
	
	
		
 

			




	
	
	
		
 
def not_mapped_error(repo_name):

			




	
	
	
		
 
    flash(_('%s repository is not mapped to db perhaps'

			




	
	
	
		
 
            ' it was created or renamed from the filesystem'

			




	
	
	
		
 
            ' please run the application again'

			




	
	
	
		
 
            ' in order to rescan repositories') % repo_name, category='error')

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def ip_range(ip_addr):

			




	
	
	
		
 
    from kallithea.model.db import UserIpMap

			




	
	
	
		
 
    s, e = UserIpMap._get_ip_range(ip_addr)

			




	
	
	
		
 
    return '%s - %s' % (s, e)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def form(url, method="post", **attrs):

			




	
	
	
		
 
    """Like webhelpers.html.tags.form but automatically using secure_form with

			




	
	
	
		
 
    authentication_token for POST. authentication_token is thus never leaked

			




	
	
	
		
 
    in the URL."""

			




	
	
	
		
 
    if method.lower() == 'get':

			




	
	
	
		
 
        return insecure_form(url, method=method, **attrs)

			




	
	
	
		
 
    # webhelpers will turn everything but GET into POST

			




	
	
	
		
 
    return secure_form(url, method=method, **attrs)

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.