Changeset - dcd55892eee0
Parent rev.
Child rev.
[Not reviewed]
default
0 2 0
Mads Kiilerich - 6 years ago 2019-07-21 18:24:09
mads@kiilerich.com
helpers: always access secure_form through helpers
2 files changed with 7 insertions and 7 deletions:
kallithea/lib/base.py
6
6
kallithea/lib/helpers.py
1
1
0 comments (0 inline, 0 general)
kallithea/lib/base.py
Show inline comments
 
@@ -39,7 +39,6 @@ import webob.exc
 
import paste.httpexceptions
 
import paste.auth.basic
 
import paste.httpheaders
 
from webhelpers.pylonslib import secure_form
 

			




	
	
	
		
 
from tg import config, tmpl_context as c, request, response, session, render_template

			




	
	
	
		
 
from tg import TGController

			




	
	
		
 
@@ -366,8 +365,9 @@ class BaseController(TGController):

			




	
	
	
		
 
            # guaranteed to be side effect free. In practice, the only situation

			




	
	
	
		
 
            # where we allow side effects without ambient authority is when the

			




	
	
	
		
 
            # authority comes from an API key; and that is handled above.

			




	
	
	
		
 
            token = request.POST.get(secure_form.token_key)

			




	
	
	
		
 
            if not token or token != secure_form.authentication_token():

			




	
	
	
		
 
            from kallithea.lib import helpers as h

			




	
	
	
		
 
            token = request.POST.get(h.token_key)

			




	
	
	
		
 
            if not token or token != h.authentication_token():

			




	
	
	
		
 
                log.error('CSRF check failed')

			




	
	
	
		
 
                raise webob.exc.HTTPForbidden()

			




	
	
	
		
 

			




	
	
		
 
@@ -478,11 +478,11 @@ class BaseController(TGController):

			




	
	
	
		
 
            raise webob.exc.HTTPMethodNotAllowed()

			




	
	
	
		
 

			




	
	
	
		
 
        # Make sure CSRF token never appears in the URL. If so, invalidate it.

			




	
	
	
		
 
        if secure_form.token_key in request.GET:

			




	
	
	
		
 
        from kallithea.lib import helpers as h

			




	
	
	
		
 
        if h.token_key in request.GET:

			




	
	
	
		
 
            log.error('CSRF key leak detected')

			




	
	
	
		
 
            session.pop(secure_form.token_key, None)

			




	
	
	
		
 
            session.pop(h.token_key, None)

			




	
	
	
		
 
            session.save()

			




	
	
	
		
 
            from kallithea.lib import helpers as h

			




	
	
	
		
 
            h.flash(_('CSRF token leak has been detected - all form tokens have been expired'),

			




	
	
	
		
 
                    category='error')

			




	
	
	
		
 

			




        

    


    
    

    

        

                

                    kallithea/lib/helpers.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -35,7 +35,7 @@ from webhelpers.html.tags import checkbo

			




	
	
	
		
 
    select, submit, text, password, textarea, radio, form as insecure_form

			




	
	
	
		
 
from webhelpers.number import format_byte_size

			




	
	
	
		
 
from webhelpers.pylonslib import Flash as _Flash

			




	
	
	
		
 
from webhelpers.pylonslib.secure_form import secure_form, authentication_token

			




	
	
	
		
 
from webhelpers.pylonslib.secure_form import secure_form, authentication_token, token_key

			




	
	
	
		
 
from webhelpers.text import chop_at, truncate, wrap_paragraphs

			




	
	
	
		
 
from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \

			




	
	
	
		
 
    convert_boolean_attrs, NotGiven, _make_safe_id_component

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.