Changeset - 3e4b014bd14b
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 6 years ago 2019-07-22 02:02:11
mads@kiilerich.com
Grafted from: 80ca5af83519
helpers: handle CSRF protection directly, without using webhelpers, pylonslib and secure_form

Based on webhelpers/pylonslib/secure_form.py .
1 file changed with 16 insertions and 6 deletions:
kallithea/lib/helpers.py
16
6
0 comments (0 inline, 0 general)
kallithea/lib/helpers.py
Show inline comments
 
# -*- coding: utf-8 -*-
 
# This program is free software: you can redistribute it and/or modify
 
# it under the terms of the GNU General Public License as published by
 
# the Free Software Foundation, either version 3 of the License, or
 
# (at your option) any later version.
 
#
 
# This program is distributed in the hope that it will be useful,
 
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
# GNU General Public License for more details.
 
#
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
"""
 
Helper functions
 

			




	
	
	
		
 
Consists of functions to typically be used within templates, but also

			




	
	
	
		
 
available to Controllers. This module is available to both as 'h'.

			




	
	
	
		
 
"""

			




	
	
	
		
 
import hashlib

			




	
	
	
		
 
import json

			




	
	
	
		
 
import StringIO

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import re

			




	
	
	
		
 
import urlparse

			




	
	
	
		
 
import textwrap

			




	
	
	
		
 
import random

			




	
	
	
		
 

			




	
	
	
		
 
from beaker.cache import cache_region

			




	
	
	
		
 
from pygments.formatters.html import HtmlFormatter

			




	
	
	
		
 
from pygments import highlight as code_highlight

			




	
	
	
		
 
from tg.i18n import ugettext as _

			




	
	
	
		
 

			




	
	
	
		
 
from webhelpers.html import literal, HTML, escape

			




	
	
	
		
 
from webhelpers.html.tags import checkbox, end_form, hidden, link_to, \

			




	
	
	
		
 
    select, submit, text, password, textarea, radio, form as insecure_form

			




	
	
	
		
 
from webhelpers.number import format_byte_size

			




	
	
	
		
 
from webhelpers.pylonslib import Flash as _Flash

			




	
	
	
		
 
from webhelpers.pylonslib.secure_form import secure_form, authentication_token as session_csrf_secret_token, token_key as session_csrf_secret_name

			




	
	
	
		
 
from webhelpers.text import chop_at, truncate, wrap_paragraphs

			




	
	
	
		
 
from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \

			




	
	
	
		
 
    convert_boolean_attrs, NotGiven, _make_safe_id_component

			




	
	
	
		
 

			




	
	
	
		
 
from kallithea.config.routing import url

			




	
	
	
		
 
from kallithea.lib.annotate import annotate_highlight

			




	
	
	
		
 
from kallithea.lib.pygmentsutils import get_custom_lexer

			




	
	
	
		
 
from kallithea.lib.utils2 import str2bool, safe_unicode, safe_str, \

			




	
	
	
		
 
    time_to_datetime, AttributeDict, safe_int, MENTIONS_REGEX

			




	
	
	
		
 
from kallithea.lib.markup_renderer import url_re

			




	
	
	
		
 
from kallithea.lib.vcs.exceptions import ChangesetDoesNotExistError

			




	
	
	
		
 
from kallithea.lib.vcs.backends.base import BaseChangeset, EmptyChangeset

			




	
	
	
		
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def canonical_url(*args, **kargs):

			




	
	
	
		
 
    '''Like url(x, qualified=True), but returns url that not only is qualified

			




	
	
	
		
 
    but also canonical, as configured in canonical_url'''

			




	
	
	
		
 
    from kallithea import CONFIG

			




	
	
	
		
 
    try:

			




	
	
	
		
 
        parts = CONFIG.get('canonical_url', '').split('://', 1)

			




	
	
	
		
 
        kargs['host'] = parts[1]

			




	
	
	
		
 
        kargs['protocol'] = parts[0]

			




	
	
	
		
 
    except IndexError:

			




	
	
	
		
 
        kargs['qualified'] = True

			




	
	
	
		
 
    return url(*args, **kargs)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def canonical_hostname():

			




	
	
	
		
 
    '''Return canonical hostname of system'''

			




	
	
	
		
 
    from kallithea import CONFIG

			




	
	
	
		
 
    try:

			




	
	
	
		
 
        parts = CONFIG.get('canonical_url', '').split('://', 1)

			




	
	
	
		
 
        return parts[1].split('/', 1)[0]

			




	
	
	
		
 
    except IndexError:

			




	
	
	
		
 
        parts = url('home', qualified=True).split('://', 1)

			




	
	
	
		
 
        return parts[1].split('/', 1)[0]

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def html_escape(s):

			




	
	
	
		
 
    """Return string with all html escaped.

			




	
	
	
		
 
    This is also safe for javascript in html but not necessarily correct.

			




	
	
	
		
 
    """

			




	
	
	
		
 
    return (s

			




	
	
	
		
 
        .replace('&', '&amp;')

			




	
	
	
		
 
        .replace(">", "&gt;")

			




	
	
	
		
 
        .replace("<", "&lt;")

			




	
	
		
 
@@ -1228,57 +1228,67 @@ def link_to_ref(repo_name, ref_type, ref

			




	
	
	
		
 
def changeset_status(repo, revision):

			




	
	
	
		
 
    from kallithea.model.changeset_status import ChangesetStatusModel

			




	
	
	
		
 
    return ChangesetStatusModel().get_status(repo, revision)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def changeset_status_lbl(changeset_status):

			




	
	
	
		
 
    from kallithea.model.db import ChangesetStatus

			




	
	
	
		
 
    return ChangesetStatus.get_status_lbl(changeset_status)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def get_permission_name(key):

			




	
	
	
		
 
    from kallithea.model.db import Permission

			




	
	
	
		
 
    return dict(Permission.PERMS).get(key)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def journal_filter_help():

			




	
	
	
		
 
    return _(textwrap.dedent('''

			




	
	
	
		
 
        Example filter terms:

			




	
	
	
		
 
            repository:vcs

			




	
	
	
		
 
            username:developer

			




	
	
	
		
 
            action:*push*

			




	
	
	
		
 
            ip:127.0.0.1

			




	
	
	
		
 
            date:20120101

			




	
	
	
		
 
            date:[20120101100000 TO 20120102]

			




	
	
	
		
 

			




	
	
	
		
 
        Generate wildcards using '*' character:

			




	
	
	
		
 
            "repository:vcs*" - search everything starting with 'vcs'

			




	
	
	
		
 
            "repository:*vcs*" - search for repository containing 'vcs'

			




	
	
	
		
 

			




	
	
	
		
 
        Optional AND / OR operators in queries

			




	
	
	
		
 
            "repository:vcs OR repository:test"

			




	
	
	
		
 
            "username:test AND repository:test*"

			




	
	
	
		
 
    '''))

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def not_mapped_error(repo_name):

			




	
	
	
		
 
    flash(_('%s repository is not mapped to db perhaps'

			




	
	
	
		
 
            ' it was created or renamed from the filesystem'

			




	
	
	
		
 
            ' please run the application again'

			




	
	
	
		
 
            ' in order to rescan repositories') % repo_name, category='error')

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def ip_range(ip_addr):

			




	
	
	
		
 
    from kallithea.model.db import UserIpMap

			




	
	
	
		
 
    s, e = UserIpMap._get_ip_range(ip_addr)

			




	
	
	
		
 
    return '%s - %s' % (s, e)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
session_csrf_secret_name = "_authentication_token"

			




	
	
	
		
 

			




	
	
	
		
 
def session_csrf_secret_token():

			




	
	
	
		
 
    """Return (and create) the current session's CSRF protection token."""

			




	
	
	
		
 
    from tg import session

			




	
	
	
		
 
    if not session_csrf_secret_name in session:

			




	
	
	
		
 
        session[session_csrf_secret_name] = str(random.getrandbits(128))

			




	
	
	
		
 
        session.save()

			




	
	
	
		
 
    return session[session_csrf_secret_name]

			




	
	
	
		
 

			




	
	
	
		
 
def form(url, method="post", **attrs):

			




	
	
	
		
 
    """Like webhelpers.html.tags.form but automatically using secure_form with

			




	
	
	
		
 
    session_csrf_secret_token for POST. The secret is thus never leaked in

			




	
	
	
		
 
    """Like webhelpers.html.tags.form , but automatically adding

			




	
	
	
		
 
    session_csrf_secret_token for POST. The secret is thus never leaked in GET

			




	
	
	
		
 
    URLs.

			




	
	
	
		
 
    """

			




	
	
	
		
 
    form = insecure_form(url, method, **attrs)

			




	
	
	
		
 
    if method.lower() == 'get':

			




	
	
	
		
 
        return insecure_form(url, method=method, **attrs)

			




	
	
	
		
 
    # webhelpers will turn everything but GET into POST

			




	
	
	
		
 
    return secure_form(url, method=method, **attrs)

			




	
	
	
		
 
        return form

			




	
	
	
		
 
    return form + HTML.div(hidden(session_csrf_secret_name, session_csrf_secret_token()), style="display: none;")

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.