kallithea Changeset - f47d6187095f

Changeset - f47d6187095f

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Mads Kiilerich - 10 years ago 2015-06-09 22:51:01
madski@unity3d.com

1 file changed with 9 insertions and 8 deletions:

kallithea/controllers/login.py

0 comments (0 inline, 0 general)

kallithea/controllers/login.py

➞

Show inline comments

@@ @@ -42,121 +42,122 @@ from kallithea.lib.auth import AuthUser, @@
 from kallithea.lib.auth_modules import importplugin
 from kallithea.lib.base import BaseController, render
 from kallithea.lib.exceptions import UserCreationError
 from kallithea.lib.utils2 import safe_str
 from kallithea.model.db import User, Setting
 from kallithea.model.forms import LoginForm, RegisterForm, PasswordResetForm
 from kallithea.model.user import UserModel
 from kallithea.model.meta import Session
 log = logging.getLogger(__name__)
 class LoginController(BaseController):
     def __before__(self):
         super(LoginController, self).__before__()
     def _store_user_in_session(self, username, remember=False):
         user = User.get_by_username(username, case_insensitive=True)
         auth_user = AuthUser(user.user_id)
         auth_user.set_authenticated()
         cs = auth_user.get_cookie_store()
         session['authuser'] = cs
         user.update_lastlogin()
         Session().commit()
         # If they want to be remembered, update the cookie
         if remember:
             _year = (datetime.datetime.now() +
                      datetime.timedelta(seconds=60 * 60 * 24 * 365))
             session._set_cookie_expires(_year)
         session.save()
         log.info('user %s is now authenticated and stored in '
                  'session, session attrs %s' % (username, cs))
         # dumps session attrs back to cookie
         session._update_cookie_out()
         # we set new cookie
         headers = None
         if session.request['set_cookie']:
             # send set-cookie headers back to response to update cookie
             headers = [('Set-Cookie', session.request['cookie_out'])]
         return headers
     def _validate_came_from(self, came_from):
         """Return True if came_from is valid and can and should be used"""
         if not came_from:
-            return came_from
+            return False
         parsed = urlparse.urlparse(came_from)
         server_parsed = urlparse.urlparse(url.current())
         allowed_schemes = ['http', 'https']
         if parsed.scheme and parsed.scheme not in allowed_schemes:
             log.error('Suspicious URL scheme detected %s for url %s' %
                      (parsed.scheme, parsed))
             came_from = url('home')
         elif server_parsed.netloc != parsed.netloc:
             return False
         if server_parsed.netloc != parsed.netloc:
             log.error('Suspicious NETLOC detected %s for url %s server url '
                       'is: %s' % (parsed.netloc, parsed, server_parsed))
             came_from = url('home')
         return came_from
             return False
         return True
     def _redirect_to_origin(self, origin, headers=None):
         '''redirect to the original page, preserving any get arguments given'''
         request.GET.pop('came_from', None)
         raise HTTPFound(location=url(origin, **request.GET), headers=headers)
     def index(self):
         _default_came_from = url('home')
         came_from = self._validate_came_from(safe_str(request.GET.get('came_from', '')))
         c.came_from = came_from or _default_came_from
         c.came_from = safe_str(request.GET.get('came_from', ''))
         if not self._validate_came_from(c.came_from):
             c.came_from = url('home')
         not_default = self.authuser.username != User.DEFAULT_USER
         ip_allowed = self.authuser.ip_allowed
         # redirect if already logged in
         if self.authuser.is_authenticated and not_default and ip_allowed:
             return self._redirect_to_origin(c.came_from)
         if request.POST:
             # import Login Form validator class
             login_form = LoginForm()
             try:
                 session.invalidate()
                 c.form_result = login_form.to_python(dict(request.POST))
                 # form checks for username/password, now we're authenticated
                 headers = self._store_user_in_session(
                                         username=c.form_result['username'],
                                         remember=c.form_result['remember'])
                 return self._redirect_to_origin(c.came_from, headers)
             except formencode.Invalid, errors:
                 defaults = errors.value
                 # remove password from filling in form again
                 del defaults['password']
                 return htmlfill.render(
                     render('/login.html'),
                     defaults=errors.value,
                     errors=errors.error_dict or {},
                     prefix_error=False,
                     encoding="UTF-8",
                     force_defaults=False)
             except UserCreationError, e:
                 # container auth or other auth functions that create users on
                 # the fly can throw this exception signaling that there's issue
                 # with user creation, explanation should be provided in
                 # Exception itself
                 h.flash(e, 'error')
         # check if we use container plugin, and try to login using it.
         auth_plugins = Setting.get_auth_plugins()
         if any((importplugin(name).is_container_auth for name in auth_plugins)):
             from kallithea.lib import auth_modules
             try:
                 auth_info = auth_modules.authenticate('', '', request.environ)
             except UserCreationError, e:
                 log.error(e)
                 h.flash(e, 'error')
                 # render login, with flash message about limit

0 comments (0 inline, 0 general)