Files @ 8b47181750a8

Location: kallithea/init.d/kallithea-daemon-gentoo

Mads Kiilerich
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)

htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.

By default, htmlfill will clear all input fields that don't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.

Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.

The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
#!/sbin/runscript
########################################
#### THIS IS A GENTOO INIT.D SCRIPT ####
########################################

# Service identity and install location. "username" is a template
# placeholder that has to be replaced with the real service account.
APP_NAME="kallithea"
APP_HOMEDIR="username/python_workspace"
APP_PATH="/home/${APP_HOMEDIR}/${APP_NAME}"

# Name of the configuration file, looked up inside APP_PATH.
CONF_NAME="production.ini"

# PID file and log file are both kept inside the application directory.
# NOTE(review): that directory is presumably writable by RUN_AS while the
# init script itself runs as root -- confirm ownership and permissions.
PID_PATH="${APP_PATH}/${APP_NAME}.pid"
LOG_PATH="${APP_PATH}/${APP_NAME}.log"

# Python environment that provides the gearbox executable
# (presumably a virtualenv, judging by the directory name).
PYTHON_PATH="/home/${APP_HOMEDIR}/v-env"

# Account (also used as the group name) the daemon runs under.
RUN_AS="username"

DAEMON="${PYTHON_PATH}/bin/gearbox"

# Arguments handed to gearbox, assembled piece by piece into one flat string.
# The string is word-split when used, so none of the paths may contain
# whitespace.
DAEMON_OPTS="serve --daemon"
DAEMON_OPTS="${DAEMON_OPTS} --user=${RUN_AS}"
DAEMON_OPTS="${DAEMON_OPTS} --group=${RUN_AS}"
DAEMON_OPTS="${DAEMON_OPTS} --pid-file=${PID_PATH}"
DAEMON_OPTS="${DAEMON_OPTS} --log-file=${LOG_PATH} -c ${APP_PATH}/${CONF_NAME}"

# Register the additional "restartdelay" command with the init system.
opts="${opts} restartdelay"

# Dependency hook read by the init system: this service needs nginx.
depend() { need nginx; }

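# Launch the gearbox daemon through start-stop-daemon.
# Globals:  APP_NAME, APP_PATH, PID_PATH, RUN_AS, DAEMON, DAEMON_OPTS (read)
#           EGG_CACHE_DIR (read, optional; falls back to /tmp)
# Returns:  the exit status of start-stop-daemon, reported through eend.
start() {
    ebegin "Starting $APP_NAME"
    # PYTHON_EGG_CACHE defaults to /tmp, as before. /tmp is shared and
    # world-writable, so other local accounts can create files in the place
    # where the daemon unpacks eggs; set EGG_CACHE_DIR to a directory owned
    # by RUN_AS and not writable by anyone else to avoid that.
    #
    # Every path is quoted so it reaches start-stop-daemon as one argument.
    # shellcheck disable=SC2086 -- DAEMON_OPTS is a flat option string and is
    # word-split on purpose; paths embedded in it cannot contain whitespace.
    start-stop-daemon -d "$APP_PATH" \
        -e PYTHON_EGG_CACHE="${EGG_CACHE_DIR:-/tmp}" \
        --start --quiet \
        --pidfile "$PID_PATH" \
        --user "$RUN_AS" \
        --exec "$DAEMON" -- $DAEMON_OPTS
    eend $?
}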

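# Stop the daemon recorded in the PID file and remove a leftover PID file.
# Globals:  APP_NAME, APP_PATH, PID_PATH, RUN_AS (read)
# Outputs:  "<APP_NAME> - Not running!" on stdout when start-stop-daemon
#           reports failure.
# Returns:  through eend, 0 when no PID file is left, else the status of rm.
stop() {
    ebegin "Stopping $APP_NAME"
    # The PID file sits in the application directory, which is presumably
    # writable by the unprivileged service account, while this script runs
    # as root. --user limits the match to processes owned by RUN_AS, so an
    # altered PID file cannot direct the stop signal at a process that
    # belongs to another account.
    start-stop-daemon -d "$APP_PATH" \
        --stop --quiet \
        --user "$RUN_AS" \
        --pidfile "$PID_PATH" || echo "$APP_NAME - Not running!"
    # Quoted so that an empty or whitespace-containing PID_PATH cannot turn
    # the test into a different expression or make rm hit the wrong path.
    if [ -f "$PID_PATH" ]; then
        rm -- "$PID_PATH"
    fi
    eend $?
}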

# Extra command listed in `opts`. The stop and start calls are commented
# out, so it only prints a marker line and pauses for three seconds.
restartdelay() {
    # stop   -- call left disabled
    printf '%s\n' "sleep3"
    sleep 3
    # start  -- call left disabled
}