kallithea Changeset - dcd55892eee0

Changeset - dcd55892eee0

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Mads Kiilerich - 6 years ago 2019-07-21 18:24:09
mads@kiilerich.com

helpers: always access secure_form through helpers

2 files changed with 7 insertions and 7 deletions:

kallithea/lib/base.py

kallithea/lib/helpers.py

0 comments (0 inline, 0 general)

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -36,13 +36,12 @@ import traceback @@
 import warnings
 import webob.exc
 import paste.httpexceptions
 import paste.auth.basic
 import paste.httpheaders
 from webhelpers.pylonslib import secure_form
 from tg import config, tmpl_context as c, request, response, session, render_template
 from tg import TGController
 from tg.i18n import ugettext as _
 from kallithea import __version__, BACKENDS
@@ @@ -363,14 +362,15 @@ class BaseController(TGController): @@
             # CSRF protection: Whenever a request has ambient authority (whether
             # through a session cookie or its origin IP address), it must include
             # the correct token, unless the HTTP method is GET or HEAD (and thus
             # guaranteed to be side effect free. In practice, the only situation
             # where we allow side effects without ambient authority is when the
             # authority comes from an API key; and that is handled above.
             token = request.POST.get(secure_form.token_key)
             if not token or token != secure_form.authentication_token():
             from kallithea.lib import helpers as h
             token = request.POST.get(h.token_key)
             if not token or token != h.authentication_token():
                 log.error('CSRF check failed')
                 raise webob.exc.HTTPForbidden()
         c.kallithea_version = __version__
         rc_config = Setting.get_app_settings()
@@ @@ -475,17 +475,17 @@ class BaseController(TGController): @@
         if request.params.get('_method') is None:
             pass # no override, no problem
         else:
             raise webob.exc.HTTPMethodNotAllowed()
         # Make sure CSRF token never appears in the URL. If so, invalidate it.
         if secure_form.token_key in request.GET:
         from kallithea.lib import helpers as h
         if h.token_key in request.GET:
             log.error('CSRF key leak detected')
-            session.pop(secure_form.token_key, None)
+            session.pop(h.token_key, None)
             session.save()
             from kallithea.lib import helpers as h
             h.flash(_('CSRF token leak has been detected - all form tokens have been expired'),
                     category='error')
         # WebOb already ignores request payload parameters for anything other
         # than POST/PUT, but double-check since other Kallithea code relies on
         # this assumption.

kallithea/lib/helpers.py

➞

Show inline comments

@@ @@ -32,13 +32,13 @@ from tg.i18n import ugettext as _ @@
 from webhelpers.html import literal, HTML, escape
 from webhelpers.html.tags import checkbox, end_form, hidden, link_to, \
     select, submit, text, password, textarea, radio, form as insecure_form
 from webhelpers.number import format_byte_size
 from webhelpers.pylonslib import Flash as _Flash
 from webhelpers.pylonslib.secure_form import secure_form, authentication_token
+from webhelpers.pylonslib.secure_form import secure_form, authentication_token, token_key
 from webhelpers.text import chop_at, truncate, wrap_paragraphs
 from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \
     convert_boolean_attrs, NotGiven, _make_safe_id_component
 from kallithea.config.routing import url
 from kallithea.lib.annotate import annotate_highlight

0 comments (0 inline, 0 general)