Changeset - 3e4b014bd14b
default
0 1 0
Mads Kiilerich - 6 years ago 2019-07-22 02:02:11
mads@kiilerich.com
Grafted from: 80ca5af83519
helpers: handle CSRF protection directly, without using webhelpers, pylonslib and secure_form

Based on webhelpers/pylonslib/secure_form.py.
1 file changed with 16 insertions and 6 deletions:
kallithea/lib/helpers.py
 
@@ -21,24 +21,24 @@ import hashlib
 
import json
 
import StringIO
 
import logging
 
import re
 
import urlparse
 
import textwrap
 
import random
 

	
 
from beaker.cache import cache_region
 
from pygments.formatters.html import HtmlFormatter
 
from pygments import highlight as code_highlight
 
from tg.i18n import ugettext as _
 

	
 
from webhelpers.html import literal, HTML, escape
 
from webhelpers.html.tags import checkbox, end_form, hidden, link_to, \
 
    select, submit, text, password, textarea, radio, form as insecure_form
 
from webhelpers.number import format_byte_size
 
from webhelpers.pylonslib import Flash as _Flash
 
from webhelpers.pylonslib.secure_form import secure_form, authentication_token as session_csrf_secret_token, token_key as session_csrf_secret_name
 
from webhelpers.text import chop_at, truncate, wrap_paragraphs
 
from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \
 
    convert_boolean_attrs, NotGiven, _make_safe_id_component
 

	
 
from kallithea.config.routing import url
 
from kallithea.lib.annotate import annotate_highlight
 
@@ -1270,15 +1270,25 @@ def not_mapped_error(repo_name):
 
def ip_range(ip_addr):
 
    from kallithea.model.db import UserIpMap
 
    s, e = UserIpMap._get_ip_range(ip_addr)
 
    return '%s - %s' % (s, e)
 

	
 

	
 
session_csrf_secret_name = "_authentication_token"
 

	
 
def session_csrf_secret_token():
 
    """Return (and create) the current session's CSRF protection token."""
 
    from tg import session
 
    if not session_csrf_secret_name in session:
 
        session[session_csrf_secret_name] = str(random.getrandbits(128))
 
        session.save()
 
    return session[session_csrf_secret_name]
 

	
 
def form(url, method="post", **attrs):
 
    """Like webhelpers.html.tags.form but automatically using secure_form with
 
    session_csrf_secret_token for POST. The secret is thus never leaked in
 
    """Like webhelpers.html.tags.form , but automatically adding
 
    session_csrf_secret_token for POST. The secret is thus never leaked in GET
 
    URLs.
 
    """
 
    form = insecure_form(url, method, **attrs)
 
    if method.lower() == 'get':
 
        return insecure_form(url, method=method, **attrs)
 
    # webhelpers will turn everything but GET into POST
 
    return secure_form(url, method=method, **attrs)
 
        return form
 
    return form + HTML.div(hidden(session_csrf_secret_name, session_csrf_secret_token()), style="display: none;")
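Review bot: The CSRF token created in session_csrf_secret_token() comes from random.getrandbits(128), and the module-level random is the Mersenne Twister PRNG, whose future output can be reconstructed from a run of observed values, so the token should be drawn from the OS entropy source instead, e.g. `session[session_csrf_secret_name] = str(random.SystemRandom().getrandbits(128))` (SystemRandom wraps os.urandom and needs no new import). The membership test `if not session_csrf_secret_name in session:` reads more clearly as `if session_csrf_secret_name not in session:`. In form(), the local `form` shadows the function's own name; a name such as `markup` keeps the two distinguishable. Verification of a submitted token against the session value is not part of this hunk; whichever code performs it should use a constant-time comparison such as hmac.compare_digest rather than `==`, so that the check does not leak the token byte by byte through timing.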