Mercurial > p > roundup > code
annotate roundup/cgi/client.py @ 5218:44f7e6b958fe
Added tests for csrf with xmlrpc.
Fixed the code for xmlrpc csrf defense:
raise UsageError if X-REQUESTED-WITH header is required and missing.
if HTTP_AUTHORIZATION is used, properly seed the random number
generator using the password.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 27 Mar 2017 22:37:30 -0400 |
| parents | d4cc71beb102 |
| children | 14d8f61e6ef2 |
| rev | line source |
|---|---|
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1 """WWW request handler (also used in the stand-alone server). |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2 """ |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
3 __docformat__ = 'restructuredtext' |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
4 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
5 import logging |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
6 logger = logging.getLogger('roundup') |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
7 |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
8 import base64, binascii, cgi, codecs, mimetypes, os |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
9 import quopri, re, stat, sys, time |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
10 import socket, errno, hashlib |
|
4980
13f8f88ad984
Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents:
4979
diff
changeset
|
11 import email.utils |
|
4543
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
12 from traceback import format_exc |
|
2233
3d9bb1a052d1
fix random seeding for forking server
Richard Jones <richard@users.sourceforge.net>
parents:
2230
diff
changeset
|
13 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
14 try: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
15 # Use the cryptographic source of randomness if available |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
16 from random import SystemRandom |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
17 random=SystemRandom() |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
18 logger.debug("Importing good random generator") |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
19 except ImportError: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
20 from random import random |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
21 logger.warning("**SystemRandom not available. Using poor random generator") |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
22 |
|
4638
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
23 try: |
|
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
24 from OpenSSL.SSL import SysCallError |
|
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
25 except ImportError: |
|
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
26 SysCallError = None |
|
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
27 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1987
diff
changeset
|
28 from roundup import roundupdb, date, hyperdb, password |
|
2557
ff02e9851592
translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2514
diff
changeset
|
29 from roundup.cgi import templating, cgitb, TranslationService |
|
5073
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
30 from roundup.cgi import actions |
|
5218
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
31 from roundup.exceptions import LoginError, Reject, RejectRaw, \ |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
32 Unauthorised, UsageError |
|
5073
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
33 from roundup.cgi.exceptions import ( |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
34 FormError, NotFound, NotModified, Redirect, SendFile, SendStaticFile, |
|
5079
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
35 DetectorError, SeriousError) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1987
diff
changeset
|
36 from roundup.cgi.form_parser import FormParser |
|
4114
da682f38bad3
bug introduced in the migration to the email package (issue 2550531)
Richard Jones <richard@users.sourceforge.net>
parents:
4109
diff
changeset
|
37 from roundup.mailer import Mailer, MessageSendError, encode_quopri |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
38 from roundup.cgi import accept_language |
|
4079
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
39 from roundup import xmlrpc |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
40 |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
41 from roundup.anypy.cookie_ import CookieError, BaseCookie, SimpleCookie, \ |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
42 get_cookie_date |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
43 from roundup.anypy import http_ |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
44 from roundup.anypy import urllib_ |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
45 |
|
4543
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
46 from email.MIMEBase import MIMEBase |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
47 from email.MIMEText import MIMEText |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
48 from email.MIMEMultipart import MIMEMultipart |
|
4979
f1a2bd1dea77
issue2550877: Writing headers with the email module will use continuation_ws = ' ' now for python 2.5 and 2.6 when importing anypy.email_.
Bernhard Reiter <bernhard@intevation.de>
parents:
4962
diff
changeset
|
49 import roundup.anypy.email_ |
|
4543
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
50 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
51 def initialiseSecurity(security): |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
52 '''Create some Permissions and Roles on the security object |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
53 |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
54 This function is directly invoked by security.Security.__init__() |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
55 as a part of the Security object instantiation. |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
56 ''' |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
57 p = security.addPermission(name="Web Access", |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
58 description="User may access the web interface") |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
59 security.addPermissionToRole('Admin', p) |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
60 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
61 # doing Role stuff through the web - make sure Admin can |
|
3276
3124e578db02
Email fixes:
Richard Jones <richard@users.sourceforge.net>
parents:
3069
diff
changeset
|
62 # TODO: deprecate this and use a property-based control |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
63 p = security.addPermission(name="Web Roles", |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
64 description="User may manipulate user Roles through the web") |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
65 security.addPermissionToRole('Admin', p) |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
66 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
67 def add_message(msg_list, msg, escape=True): |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
68 if escape: |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
69 msg = cgi.escape(msg).replace('\n', '<br />\n') |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
70 else: |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
71 msg = msg.replace('\n', '<br />\n') |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
72 msg_list.append (msg) |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
73 return msg_list # for unittests |
|
3916
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
74 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
75 default_err_msg = ''"""<html><head><title>An error has occurred</title></head> |
|
3554
5e70726a86dd
fixed schema migration problem when Class keys were removed
Richard Jones <richard@users.sourceforge.net>
parents:
3551
diff
changeset
|
76 <body><h1>An error has occurred</h1> |
|
3551
3c70ab03c917
translate error message shown instead of tracebacks, add page title
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3548
diff
changeset
|
77 <p>A problem was encountered processing your request. |
|
3c70ab03c917
translate error message shown instead of tracebacks, add page title
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3548
diff
changeset
|
78 The tracker maintainers have been notified of the problem.</p> |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
79 </body></html>""" |
|
3548
61d48244e7a8
login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents:
3494
diff
changeset
|
80 |
|
3916
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
81 |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
82 class LiberalCookie(SimpleCookie): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
83 """ Python's SimpleCookie throws an exception if the cookie uses invalid |
|
3916
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
84 syntax. Other applications on the same server may have done precisely |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
85 this, preventing roundup from working through no fault of roundup. |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
86 Numerous other python apps have run into the same problem: |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
87 |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
88 trac: http://trac.edgewall.org/ticket/2256 |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
89 mailman: http://bugs.python.org/issue472646 |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
90 |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
91 This particular implementation comes from trac's solution to the |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
92 problem. Unfortunately it requires some hackery in SimpleCookie's |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
93 internals to provide a more liberal __set method. |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
94 """ |
|
3916
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
95 def load(self, rawdata, ignore_parse_errors=True): |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
96 if ignore_parse_errors: |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
97 self.bad_cookies = [] |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
98 self._BaseCookie__set = self._loose_set |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
99 SimpleCookie.load(self, rawdata) |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
100 if ignore_parse_errors: |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
101 self._BaseCookie__set = self._strict_set |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
102 for key in self.bad_cookies: |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
103 del self[key] |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
104 |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
105 _strict_set = BaseCookie._BaseCookie__set |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
106 |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
107 def _loose_set(self, key, real_value, coded_value): |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
108 try: |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
109 self._strict_set(key, real_value, coded_value) |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
110 except CookieError: |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
111 self.bad_cookies.append(key) |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
112 dict.__setitem__(self, key, None) |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
113 |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
114 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
115 class Session: |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
116 """ |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
117 Needs DB to be already opened by client |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
118 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
119 Session attributes at instantiation: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
120 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
121 - "client" - reference to client for add_cookie function |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
122 - "session_db" - session DB manager |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
123 - "cookie_name" - name of the cookie with session id |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
124 - "_sid" - session id for current user |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
125 - "_data" - session data cache |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
126 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
127 session = Session(client) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
128 session.set(name=value) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
129 value = session.get(name) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
130 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
131 session.destroy() # delete current session |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
132 session.clean_up() # clean up session table |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
133 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
134 session.update(set_cookie=True, expire=3600*24*365) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
135 # refresh session expiration time, setting persistent |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
136 # cookie if needed to last for 'expire' seconds |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
137 |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
138 """ |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
139 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
140 def __init__(self, client): |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
141 self._data = {} |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
142 self._sid = None |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
143 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
144 self.client = client |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
145 self.session_db = client.db.getSessionManager() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
146 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
147 # parse cookies for session id |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
148 self.cookie_name = 'roundup_session_%s' % \ |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
149 re.sub('[^a-zA-Z]', '', client.instance.config.TRACKER_NAME) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
150 cookies = LiberalCookie(client.env.get('HTTP_COOKIE', '')) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
151 if self.cookie_name in cookies: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
152 if not self.session_db.exists(cookies[self.cookie_name].value): |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
153 self._sid = None |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
154 # remove old cookie |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
155 self.client.add_cookie(self.cookie_name, None) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
156 else: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
157 self._sid = cookies[self.cookie_name].value |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
158 self._data = self.session_db.getall(self._sid) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
159 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
160 def _gen_sid(self): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
161 """ generate a unique session key """ |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
162 while 1: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
163 s = '%s%s'%(time.time(), random.random()) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
164 s = binascii.b2a_base64(s).strip() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
165 if not self.session_db.exists(s): |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
166 break |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
167 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
168 # clean up the base64 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
169 if s[-1] == '=': |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
170 if s[-2] == '=': |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
171 s = s[:-2] |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
172 else: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
173 s = s[:-1] |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
174 return s |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
175 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
176 def clean_up(self): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
177 """Remove expired sessions""" |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
178 self.session_db.clean() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
179 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
180 def destroy(self): |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
181 self.client.add_cookie(self.cookie_name, None) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
182 self._data = {} |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
183 self.session_db.destroy(self._sid) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
184 self.client.db.commit() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
185 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
186 def get(self, name, default=None): |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
187 return self._data.get(name, default) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
188 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
189 def set(self, **kwargs): |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
190 self._data.update(kwargs) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
191 if not self._sid: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
192 self._sid = self._gen_sid() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
193 self.session_db.set(self._sid, **self._data) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
194 # add session cookie |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
195 self.update(set_cookie=True) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
196 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
197 # XXX added when patching 1.4.4 for backward compatibility |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
198 # XXX remove |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
199 self.client.session = self._sid |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
200 else: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
201 self.session_db.set(self._sid, **self._data) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
202 self.client.db.commit() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
203 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
204 def update(self, set_cookie=False, expire=None): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
205 """ update timestamp in db to avoid expiration |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
206 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
207 if 'set_cookie' is True, set cookie with 'expire' seconds lifetime |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
208 if 'expire' is None - session will be closed with the browser |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
209 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
210 XXX the session can be purged within a week even if a cookie |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
211 lifetime is longer |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
212 """ |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
213 self.session_db.updateTimestamp(self._sid) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
214 self.client.db.commit() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
215 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
216 if set_cookie: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
217 self.client.add_cookie(self.cookie_name, self._sid, expire=expire) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
218 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
219 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
220 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
221 class Client: |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
222 """Instantiate to handle one CGI request. |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
223 |
|
1244
8dd4f736370b
merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents:
1236
diff
changeset
|
224 See inner_main for request processing. |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
225 |
|
1244
8dd4f736370b
merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents:
1236
diff
changeset
|
226 Client attributes at instantiation: |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
227 |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
228 - "path" is the PATH_INFO inside the instance (with no leading '/') |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
229 - "base" is the base URL for the instance |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
230 - "form" is the cgi form, an instance of FieldStorage from the standard |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
231 cgi module |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
232 - "additional_headers" is a dictionary of additional HTTP headers that |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
233 should be sent to the client |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
234 - "response_code" is the HTTP response code to send to the client |
|
2557
ff02e9851592
translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2514
diff
changeset
|
235 - "translator" is TranslationService instance |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
236 - "client-nonce" is a unique value for this client connection. Can be |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
237 used as a nonce for CSP headers and to sign javascript code |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
238 presented to the browser. This is different from the CSRF nonces |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
239 and can not be used for anti-csrf measures. |
|
1244
8dd4f736370b
merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents:
1236
diff
changeset
|
240 |
|
8dd4f736370b
merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents:
1236
diff
changeset
|
241 During the processing of a request, the following attributes are used: |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
242 |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
243 - "db" |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
244 - "_error_message" holds a list of error messages |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
245 - "_ok_message" holds a list of OK messages |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
246 - "session" is deprecated in favor of session_api (XXX remove) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
247 - "session_api" is the interface to store data in session |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
248 - "user" is the current user's name |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
249 - "userid" is the current user's id |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
250 - "template" is the current :template context |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
251 - "classname" is the current class context name |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
252 - "nodeid" is the current context item id |
|
1244
8dd4f736370b
merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents:
1236
diff
changeset
|
253 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
254 Note: _error_message and _ok_message should not be modified |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
255 directly, use add_ok_message and add_error_message, these, by |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
256 default, escape the message added to avoid XSS security issues. |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
257 |
|
1244
8dd4f736370b
merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents:
1236
diff
changeset
|
258 User Identification: |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
259 Users that are absent in session data are anonymous and are logged |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
260 in as that user. This typically gives them all Permissions assigned |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
261 to the Anonymous Role. |
|
1244
8dd4f736370b
merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents:
1236
diff
changeset
|
262 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
263 Every user is assigned a session. "session_api" is the interface |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
264 to work with session data. |
|
1420
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
265 |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
266 Special form variables: |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
267 Note that in various places throughout this code, special form |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
268 variables of the form :<name> are used. The colon (":") part may |
|
1436
2f6647cf5345
bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents:
1435
diff
changeset
|
269 actually be one of either ":" or "@". |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
270 """ |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
271 |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
272 # charset used for data storage and form templates |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
273 # Note: must be in lower case for comparisons! |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
274 # XXX take this from instance.config? |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
275 STORAGE_CHARSET = 'utf-8' |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
276 |
|
1421
90bb11eb40dc
oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents:
1420
diff
changeset
|
277 # |
|
1420
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
278 # special form variables |
|
1421
90bb11eb40dc
oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents:
1420
diff
changeset
|
279 # |
|
1436
2f6647cf5345
bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents:
1435
diff
changeset
|
280 FV_TEMPLATE = re.compile(r'[@:]template') |
|
2f6647cf5345
bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents:
1435
diff
changeset
|
281 FV_OK_MESSAGE = re.compile(r'[@:]ok_message') |
|
2f6647cf5345
bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents:
1435
diff
changeset
|
282 FV_ERROR_MESSAGE = re.compile(r'[@:]error_message') |
|
1421
90bb11eb40dc
oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents:
1420
diff
changeset
|
283 |
|
90bb11eb40dc
oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents:
1420
diff
changeset
|
284 # Note: index page stuff doesn't appear here: |
|
90bb11eb40dc
oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents:
1420
diff
changeset
|
285 # columns, sort, sortdir, filter, group, groupdir, search_text, |
|
90bb11eb40dc
oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents:
1420
diff
changeset
|
286 # pagesize, startwith |
|
1420
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
287 |
|
3760
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
288 # list of network error codes that shouldn't be reported to tracker admin |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
289 # (error descriptions from FreeBSD intro(2)) |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
290 IGNORE_NET_ERRORS = ( |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
291 # A write on a pipe, socket or FIFO for which there is |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
292 # no process to read the data. |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
293 errno.EPIPE, |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
294 # A connection was forcibly closed by a peer. |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
295 # This normally results from a loss of the connection |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
296 # on the remote socket due to a timeout or a reboot. |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
297 errno.ECONNRESET, |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
298 # Software caused connection abort. A connection abort |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
299 # was caused internal to your host machine. |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
300 errno.ECONNABORTED, |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
301 # A connect or send request failed because the connected party |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
302 # did not properly respond after a period of time. |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
303 errno.ETIMEDOUT, |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
304 ) |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
305 |
|
2467
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
306 def __init__(self, instance, request, env, form=None, translator=None): |
|
2233
3d9bb1a052d1
fix random seeding for forking server
Richard Jones <richard@users.sourceforge.net>
parents:
2230
diff
changeset
|
307 # re-seed the random number generator |
|
3d9bb1a052d1
fix random seeding for forking server
Richard Jones <richard@users.sourceforge.net>
parents:
2230
diff
changeset
|
308 random.seed() |
|
2230
ca2664e095be
disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents:
2183
diff
changeset
|
309 self.start = time.time() |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
310 self.instance = instance |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
311 self.request = request |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
312 self.env = env |
|
2467
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
313 self.setTranslator(translator) |
|
1799
071ea6fc803f
Extracted duplicated mail-sending code...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1798
diff
changeset
|
314 self.mailer = Mailer(instance.config) |
|
5166
232c74973a56
issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
315 # If True the form contents wins over the database contents when |
|
232c74973a56
issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
316 # rendering html properties. This is set when an error occurs so |
|
232c74973a56
issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
317 # that we don't lose submitted form contents. |
|
232c74973a56
issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
318 self.form_wins = False |
|
1004
5f12d3259f31
logout works better now
Richard Jones <richard@users.sourceforge.net>
parents:
1003
diff
changeset
|
319 |
|
1157
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
320 # save off the path |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
321 self.path = env['PATH_INFO'] |
|
1004
5f12d3259f31
logout works better now
Richard Jones <richard@users.sourceforge.net>
parents:
1003
diff
changeset
|
322 |
|
1398
b3e1e9ab0500
fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents:
1393
diff
changeset
|
323 # this is the base URL for this tracker |
|
1157
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
324 self.base = self.instance.config.TRACKER_WEB |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
325 |
|
4586
b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4578
diff
changeset
|
326 # should cookies be secure? |
|
b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4578
diff
changeset
|
327 self.secure = self.base.startswith ('https') |
|
b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4578
diff
changeset
|
328 |
|
2183
ac24a9c74cca
be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents:
2137
diff
changeset
|
329 # check the tracker_we setting |
|
ac24a9c74cca
be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents:
2137
diff
changeset
|
330 if not self.base.endswith('/'): |
|
ac24a9c74cca
be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents:
2137
diff
changeset
|
331 self.base = self.base + '/' |
|
ac24a9c74cca
be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents:
2137
diff
changeset
|
332 |
|
1398
b3e1e9ab0500
fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents:
1393
diff
changeset
|
333 # this is the "cookie path" for this tracker (ie. the path part of |
|
b3e1e9ab0500
fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents:
1393
diff
changeset
|
334 # the "base" url) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
335 self.cookie_path = urllib_.urlparse(self.base)[2] |
|
2946
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
336 # cookies to set in http responce |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
337 # {(path, name): (value, expire)} |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
338 self._cookies = {} |
|
1398
b3e1e9ab0500
fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents:
1393
diff
changeset
|
339 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
340 # define a unique nonce. Can be used for Content Security Policy |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
341 # nonces for scripts. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
342 self.client_nonce = self._gen_nonce() |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
343 |
|
1157
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
344 # see if we need to re-parse the environment for the form (eg Zope) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
345 if form is None: |
|
4344
85b00a3820b3
Fix thread safety with stdin in roundup-server
Richard Jones <richard@users.sourceforge.net>
parents:
4329
diff
changeset
|
346 self.form = cgi.FieldStorage(fp=request.rfile, environ=env) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
347 else: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
348 self.form = form |
|
1157
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
349 |
|
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
350 # turn debugging on/off |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
351 try: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
352 self.debug = int(env.get("ROUNDUP_DEBUG", 0)) |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
353 except ValueError: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
354 # someone gave us a non-int debug level, turn it off |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
355 self.debug = 0 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
356 |
|
1157
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
357 # flag to indicate that the HTTP headers have been sent |
|
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
358 self.headers_done = 0 |
|
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
359 |
|
1120
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
360 # additional headers to send with the request - must be registered |
|
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
361 # before the first write |
|
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
362 self.additional_headers = {} |
|
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
363 self.response_code = 200 |
|
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
364 |
|
2947
e611be5ee6c4
initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2946
diff
changeset
|
365 # default character set |
|
e611be5ee6c4
initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2946
diff
changeset
|
366 self.charset = self.STORAGE_CHARSET |
|
e611be5ee6c4
initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2946
diff
changeset
|
367 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
368 # parse cookies (used for charset lookups) |
|
3916
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
369 # use our own LiberalCookie to handle bad apps on the same |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
370 # server that have set cookies that are out of spec |
|
57ad3e2c2545
handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3900
diff
changeset
|
371 self.cookie = LiberalCookie(self.env.get('HTTP_COOKIE', '')) |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
372 |
|
2928
81c99c857b57
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2923
diff
changeset
|
373 self.user = None |
|
81c99c857b57
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2923
diff
changeset
|
374 self.userid = None |
|
2948
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
375 self.nodeid = None |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
376 self.classname = None |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
377 self.template = None |
|
2928
81c99c857b57
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2923
diff
changeset
|
378 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
379 def _gen_nonce(self): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
380 """ generate a unique nonce """ |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
381 n = '%s%s%s'%(random.random(), id(self), time.time() ) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
382 n = hashlib.sha256(n).hexdigest() |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
383 return n |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
384 |
|
2467
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
385 def setTranslator(self, translator=None): |
|
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
386 """Replace the translation engine |
|
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
387 |
|
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
388 'translator' |
|
2557
ff02e9851592
translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2514
diff
changeset
|
389 is TranslationService instance. |
|
ff02e9851592
translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2514
diff
changeset
|
390 It must define methods 'translate' (TAL-compatible i18n), |
|
ff02e9851592
translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2514
diff
changeset
|
391 'gettext' and 'ngettext' (gettext-compatible i18n). |
|
2467
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
392 |
|
2557
ff02e9851592
translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2514
diff
changeset
|
393 If omitted, create default TranslationService. |
|
2467
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
394 """ |
|
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
395 if translator is None: |
|
2808
18c28d22b3b5
pass tracker home directory to get_translation()
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2800
diff
changeset
|
396 translator = TranslationService.get_translation( |
|
2923
29563959c026
language defaults to config option TRACKER_LANGUAGE
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2906
diff
changeset
|
397 language=self.instance.config["TRACKER_LANGUAGE"], |
|
2808
18c28d22b3b5
pass tracker home directory to get_translation()
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2800
diff
changeset
|
398 tracker_home=self.instance.config["TRACKER_HOME"]) |
|
2467
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
399 self.translator = translator |
|
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
400 self._ = self.gettext = translator.gettext |
|
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
401 self.ngettext = translator.ngettext |
|
76ead526113d
client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2366
diff
changeset
|
402 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
403 def main(self): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
404 """ Wrap the real main in a try/finally so we always close off the db. |
|
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
405 """ |
|
1133
36ec30d286ea
Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents:
1130
diff
changeset
|
406 try: |
|
4919
24209344b507
Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents:
4903
diff
changeset
|
407 if self.path == 'xmlrpc': |
|
4079
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
408 self.handle_xmlrpc() |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
409 else: |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
410 self.inner_main() |
|
1133
36ec30d286ea
Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents:
1130
diff
changeset
|
411 finally: |
|
36ec30d286ea
Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents:
1130
diff
changeset
|
412 if hasattr(self, 'db'): |
|
36ec30d286ea
Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents:
1130
diff
changeset
|
413 self.db.close() |
|
4079
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
414 |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
415 |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
416 def handle_xmlrpc(self): |
|
4919
24209344b507
Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents:
4903
diff
changeset
|
417 if self.env.get('CONTENT_TYPE') != 'text/xml': |
|
24209344b507
Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents:
4903
diff
changeset
|
|
|
24209344b507
Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents:
4903
diff
changeset
|
420 "XML-RPC interface</a>.") |
|
24209344b507
Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents:
4903
diff
changeset
|
421 return |
|
4079
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
422 |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
423 # Pull the raw XML out of the form. The "value" attribute |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
424 # will be the raw content of the POST request. |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
425 assert self.form.file |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
426 input = self.form.value |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
427 # So that the rest of Roundup can query the form in the |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
428 # usual way, we create an empty list of fields. |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
429 self.form.list = [] |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
430 |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
431 # Set the charset and language, since other parts of |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
432 # Roundup may depend upon that. |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
433 self.determine_charset() |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
434 self.determine_language() |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
435 # Open the database as the correct user. |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
436 self.determine_user() |
|
4327
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
437 self.check_anonymous_access() |
|
4079
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
438 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
439 if self.handle_csrf(xmlrpc=True): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
440 # Call the appropriate XML-RPC method. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
441 handler = xmlrpc.RoundupDispatcher(self.db, |
| 4083 | 442 self.instance.actions, |
| 443 self.translator, | |
|
4079
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
444 allow_none=True) |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
445 output = handler.dispatch(input) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
446 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
447 raise Unauthorised, self._error_message |
|
4079
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
448 |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
449 self.setHeader("Content-Type", "text/xml") |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
450 self.setHeader("Content-Length", str(len(output))) |
|
edf526c91412
* Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4077
diff
changeset
|
451 self.write(output) |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
452 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
453 def add_ok_message(self, msg, escape=True): |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
454 add_message(self._ok_message, msg, escape) |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
455 |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
456 def add_error_message(self, msg, escape=True): |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
457 add_message(self._error_message, msg, escape) |
|
5166
232c74973a56
issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
458 # Want to interpret form values when rendering when an error |
|
232c74973a56
issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
459 # occurred: |
|
232c74973a56
issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
460 self.form_wins = True |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
461 |
|
1133
36ec30d286ea
Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents:
1130
diff
changeset
|
462 def inner_main(self): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
463 """Process a request. |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
464 |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
465 The most common requests are handled like so: |
|
1054
3d8ea16347aa
more explanatory docstring
Richard Jones <richard@users.sourceforge.net>
parents:
1053
diff
changeset
|
466 |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
467 1. look for charset and language preferences, set up user locale |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
468 see determine_charset, determine_language |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
469 2. figure out who we are, defaulting to the "anonymous" user |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
470 see determine_user |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
471 3. figure out what the request is for - the context |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
472 see determine_context |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
473 4. handle any requested action (item edit, search, ...) |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
474 see handle_action |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
475 5. render a template, resulting in HTML output |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
476 |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
477 In some situations, exceptions occur: |
|
1054
3d8ea16347aa
more explanatory docstring
Richard Jones <richard@users.sourceforge.net>
parents:
1053
diff
changeset
|
478 |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
479 - HTTP Redirect (generally raised by an action) |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
480 - SendFile (generally raised by determine_context) |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
481 serve up a FileClass "content" property |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
482 - SendStaticFile (generally raised by determine_context) |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
483 serve up a file from the tracker "html" directory |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
484 - Unauthorised (generally raised by an action) |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
485 the action is cancelled, the request is rendered and an error |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
486 message is displayed indicating that permission was not |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
487 granted for the action to take place |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
488 - templating.Unauthorised (templating action not permitted) |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
489 raised by an attempted rendering of a template when the user |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
490 doesn't have permission |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
491 - NotFound (raised wherever it needs to be) |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
492 percolates up to the CGI interface that called the client |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
493 """ |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
494 self._ok_message = [] |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
495 self._error_message = [] |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
496 try: |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
497 self.determine_charset() |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
498 self.determine_language() |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
499 |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
500 try: |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
501 # make sure we're identified (even anonymously) |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
502 self.determine_user() |
|
2938
463902a0fbbb
determine user before context:
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2937
diff
changeset
|
503 |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
504 # figure out the context and desired content template |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
505 self.determine_context() |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
506 |
|
4326
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
507 # if we've made it this far the context is to a bit of |
|
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
508 # Roundup's real web interface (not a file being served up) |
|
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
509 # so do the Anonymous Web Acess check now |
|
4327
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
510 self.check_anonymous_access() |
|
4326
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
511 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
512 # check for a valid csrf token identifying the right user |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
513 if self.handle_csrf(): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
514 # csrf checks pass. Run actions etc. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
515 # possibly handle a form submit action (may change |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
516 # self.classname and self.template, and may also |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
517 # append error/ok_messages) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
518 html = self.handle_action() |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
519 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
520 html = None |
|
1697
c9f67f2f7ba7
don't open the database for static files
Richard Jones <richard@users.sourceforge.net>
parents:
1692
diff
changeset
|
521 |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
522 if html: |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
523 self.write_html(html) |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
524 return |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
525 |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
526 # now render the page |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
527 # we don't want clients caching our dynamic pages |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
528 self.additional_headers['Cache-Control'] = 'no-cache' |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
529 # Pragma: no-cache makes Mozilla and its ilk |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
530 # double-load all pages!! |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
531 # self.additional_headers['Pragma'] = 'no-cache' |
|
1579
07a6b8587bc2
removed Pragma: no-cache...
Richard Jones <richard@users.sourceforge.net>
parents:
1562
diff
changeset
|
532 |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
533 # pages with messages added expire right now |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
534 # simple views may be cached for a small amount of time |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
535 # TODO? make page expire time configurable |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
536 # <rj> always expire pages, as IE just doesn't seem to do the |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
537 # right thing here :( |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
538 date = time.time() - 1 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
539 #if self._error_message or self._ok_message: |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
540 # date = time.time() - 1 |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
541 #else: |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
542 # date = time.time() + 5 |
|
4980
13f8f88ad984
Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents:
4979
diff
changeset
|
543 self.additional_headers['Expires'] = \ |
|
13f8f88ad984
Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents:
4979
diff
changeset
|
544 email.utils.formatdate(date, usegmt=True) |
| 1552 | 545 |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
546 # render the content |
|
3896
fca0365521fc
ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3867
diff
changeset
|
547 self.write_html(self.renderContext()) |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
548 except SendFile, designator: |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
549 # The call to serve_file may result in an Unauthorised |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
550 # exception or a NotModified exception. Those |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
551 # exceptions will be handled by the outermost set of |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
552 # exception handlers. |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
553 self.serve_file(designator) |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
554 except SendStaticFile, file: |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
555 self.serve_static_file(str(file)) |
|
3896
fca0365521fc
ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3867
diff
changeset
|
556 except IOError: |
|
3900
182ba3207899
wrap comment to less than 75 chars
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3898
diff
changeset
|
557 # IOErrors here are due to the client disconnecting before |
|
4638
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
558 # receiving the reply. |
|
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
559 pass |
|
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
560 except SysCallError: |
|
1ebc5f16aeda
Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4623
diff
changeset
|
561 # OpenSSL.SSL.SysCallError is similar to IOError above |
|
3896
fca0365521fc
ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3867
diff
changeset
|
562 pass |
|
2230
ca2664e095be
disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents:
2183
diff
changeset
|
563 |
|
2052
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2046
diff
changeset
|
564 except SeriousError, message: |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
565 self.write_html(str(message)) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
566 except Redirect, url: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
567 # let's redirect - if the url isn't None, then we need to do |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
568 # the headers, otherwise the headers have been set before the |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
569 # exception was raised |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
570 if url: |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
571 self.additional_headers['Location'] = str(url) |
|
1120
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
572 self.response_code = 302 |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
573 self.write_html('Redirecting to <a href="%s">%s</a>'%(url, url)) |
|
4265
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
574 except LoginError, message: |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
575 # The user tried to log in, but did not provide a valid |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
576 # username and password. If we support HTTP |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
577 # authorization, send back a response that will cause the |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
578 # browser to prompt the user again. |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
579 if self.instance.config.WEB_HTTP_AUTH: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
580 self.response_code = http_.client.UNAUTHORIZED |
|
4265
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
581 realm = self.instance.config.TRACKER_NAME |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
582 self.setHeader("WWW-Authenticate", |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
583 "Basic realm=\"%s\"" % realm) |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
584 else: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
585 self.response_code = http_.client.FORBIDDEN |
|
4898
850551a1568b
Fix issue2550843 (AttributeError: 'Unauthorised' object has no attribute 'replace')
Thomas Arendsen Hein <thomas@intevation.de>
parents:
4880
diff
changeset
|
586 self.renderFrontPage(str(message)) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
587 except Unauthorised, message: |
|
1977
f96592a7c357
changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents:
1973
diff
changeset
|
588 # users may always see the front page |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
589 self.response_code = 403 |
|
4898
850551a1568b
Fix issue2550843 (AttributeError: 'Unauthorised' object has no attribute 'replace')
Thomas Arendsen Hein <thomas@intevation.de>
parents:
4880
diff
changeset
|
590 self.renderFrontPage(str(message)) |
|
4109
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
591 except NotModified: |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
592 # send the 304 response |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
593 self.response_code = 304 |
|
3f3f44e3534c
Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents:
4088
diff
changeset
|
594 self.header() |
|
3898
dd00c917fc40
per-tracker 404 templating
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3896
diff
changeset
|
595 except NotFound, e: |
|
5165
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
596 if self.response_code == 400: |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
597 # We can't find a parameter (e.g. property name |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
598 # incorrect). Tell the user what was raised. |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
599 # Do not change to the 404 template since the |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
600 # base url is valid just query args are not. |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
601 # copy the page format from SeriousError _str_ exception. |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
602 error_page = """ |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
603 <html><head><title>Roundup issue tracker: An error has occurred</title> |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
604 <link rel="stylesheet" type="text/css" href="@@file/style.css"> |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
605 </head> |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
606 <body class="body" marginwidth="0" marginheight="0"> |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
607 <p class="error-message">%s</p> |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
608 </body></html> |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
609 """ |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
610 self.write_html(error_page%str(e)) |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
611 else: |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
612 self.response_code = 404 |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
613 self.template = '404' |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
614 try: |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
615 cl = self.db.getclass(self.classname) |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
616 self.write_html(self.renderContext()) |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
617 except KeyError: |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
618 # we can't map the URL to a class we know about |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
619 # reraise the NotFound and let roundup_server |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
620 # handle it |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5154
diff
changeset
|
621 raise NotFound(e) |
|
1818
85fd3d0e7d81
Actually use FormError, so we can move the handling up to inner_main().
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1807
diff
changeset
|
622 except FormError, e: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
623 self.add_error_message(self._('Form Error: ') + str(e)) |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
624 self.write_html(self.renderContext()) |
|
4640
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
625 except IOError: |
|
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
626 # IOErrors here are due to the client disconnecting before |
|
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
627 # receiving the reply. |
|
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
628 # may happen during write_html and serve_file, too. |
|
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
629 pass |
|
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
630 except SysCallError: |
|
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
631 # OpenSSL.SSL.SysCallError is similar to IOError above |
|
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
632 # may happen during write_html and serve_file, too. |
|
70b1cb9034c3
Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4638
diff
changeset
|
633 pass |
|
5079
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
634 except DetectorError as e: |
|
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
635 if not self.instance.config.WEB_DEBUG: |
|
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
636 # run when we are not in debug mode, so errors |
|
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
637 # go to admin too. |
|
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
638 self.send_error_to_admin(e.subject, e.html, e.txt) |
|
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
639 self.write_html(e.html) |
|
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
640 else: |
|
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
641 # in debug mode, only write error to screen. |
|
65fef7858606
issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents:
5073
diff
changeset
|
642 self.write_html(e.html) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
643 except: |
|
4264
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
644 # Something has gone badly wrong. Therefore, we should |
|
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
645 # make sure that the response code indicates failure. |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
646 if self.response_code == http_.client.OK: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
647 self.response_code = http_.client.INTERNAL_SERVER_ERROR |
|
4264
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
648 # Help the administrator work out what went wrong. |
|
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
649 html = ("<h1>Traceback</h1>" |
|
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
650 + cgitb.html(i18n=self.translator) |
|
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
651 + ("<h1>Environment Variables</h1><table>%s</table>" |
|
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
652 % cgitb.niceDict("", self.env))) |
|
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
653 if not self.instance.config.WEB_DEBUG: |
|
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
654 exc_info = sys.exc_info() |
|
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
655 subject = "Error: %s" % exc_info[1] |
|
4543
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
656 self.send_error_to_admin(subject, html, format_exc()) |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
657 self.write_html(self._(default_err_msg)) |
|
3548
61d48244e7a8
login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents:
3494
diff
changeset
|
658 else: |
|
4264
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
659 self.write_html(html) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
660 |
|
1372
3931614b1cce
cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents:
1358
diff
changeset
|
661 def clean_sessions(self): |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
662 """Deprecated |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
663 XXX remove |
|
1937
4c850112895b
Some reformatting and fixing docstrings for emacs.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1936
diff
changeset
|
664 """ |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
665 self.clean_up() |
|
1372
3931614b1cce
cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents:
1358
diff
changeset
|
666 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
667 def clean_up(self): |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
668 """Remove expired sessions and One Time Keys. |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
669 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
670 Do it only once an hour. |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
671 """ |
|
1372
3931614b1cce
cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents:
1358
diff
changeset
|
672 hour = 60*60 |
|
3931614b1cce
cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents:
1358
diff
changeset
|
673 now = time.time() |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
674 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
675 # XXX: hack - use OTK table to store last_clean time information |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
676 # 'last_clean' string is used instead of otk key |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
677 last_clean = self.db.getOTKManager().get('last_clean', 'last_use', 0) |
|
2046
f913b6beac35
document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
678 if now - last_clean < hour: |
|
f913b6beac35
document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
679 return |
|
f913b6beac35
document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
680 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
681 self.session_api.clean_up() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
682 self.db.getOTKManager().clean() |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
683 self.db.getOTKManager().set('last_clean', last_use=now) |
|
3687
ff9f4ca42454
Postgres backend allows transaction collisions to be ignored when...
Richard Jones <richard@users.sourceforge.net>
parents:
3628
diff
changeset
|
684 self.db.commit(fail_ok=True) |
|
1372
3931614b1cce
cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents:
1358
diff
changeset
|
685 |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
686 def determine_charset(self): |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
687 """Look for client charset in the form parameters or browser cookie. |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
688 |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
689 If no charset requested by client, use storage charset (utf-8). |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
690 |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
691 If the charset is found, and differs from the storage charset, |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
692 recode all form fields of type 'text/plain' |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
693 """ |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
694 # look for client charset |
|
2946
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
695 charset_parameter = 0 |
|
4799
b474adb17fda
Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
696 # Python 2.6 form may raise a TypeError if list in form is None |
|
b474adb17fda
Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
697 charset = None |
|
4800
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
698 try: |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
699 charset = self.form['@charset'].value |
|
2946
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
700 if charset.lower() == "none": |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
701 charset = "" |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
702 charset_parameter = 1 |
|
4799
b474adb17fda
Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
703 except (KeyError, TypeError): |
|
b474adb17fda
Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
704 pass |
|
b474adb17fda
Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
705 if charset is None and 'roundup_charset' in self.cookie: |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
706 charset = self.cookie['roundup_charset'].value |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
707 if charset: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
708 # make sure the charset is recognized |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
709 try: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
710 codecs.lookup(charset) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
711 except LookupError: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
712 self.add_error_message(self._('Unrecognized charset: %r') |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
713 % charset) |
|
2946
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
714 charset_parameter = 0 |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
715 else: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
716 self.charset = charset.lower() |
|
2946
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
717 # If we've got a character set in request parameters, |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
718 # set the browser cookie to keep the preference. |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
719 # This is done after codecs.lookup to make sure |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
720 # that we aren't keeping a wrong value. |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
721 if charset_parameter: |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
722 self.add_cookie('roundup_charset', charset) |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
723 |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
724 # if client charset is different from the storage charset, |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
725 # recode form fields |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
726 # XXX this requires FieldStorage from Python library. |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
727 # mod_python FieldStorage is not supported! |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
728 if self.charset != self.STORAGE_CHARSET: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
729 decoder = codecs.getdecoder(self.charset) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
730 encoder = codecs.getencoder(self.STORAGE_CHARSET) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
731 re_charref = re.compile('&#([0-9]+|x[0-9a-f]+);', re.IGNORECASE) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
732 def _decode_charref(matchobj): |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
733 num = matchobj.group(1) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
734 if num[0].lower() == 'x': |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
735 uc = int(num[1:], 16) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
736 else: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
737 uc = int(num) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
738 return unichr(uc) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
739 |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
740 for field_name in self.form: |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
741 field = self.form[field_name] |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
742 if (field.type == 'text/plain') and not field.filename: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
743 try: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
744 value = decoder(field.value)[0] |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
745 except UnicodeError: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
746 continue |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
747 value = re_charref.sub(_decode_charref, value) |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
748 field.value = encoder(value)[0] |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
749 |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
750 def determine_language(self): |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
751 """Determine the language""" |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
752 # look for language parameter |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
753 # then for language cookie |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
754 # last for the Accept-Language header |
|
4800
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
755 # Python 2.6 form may raise a TypeError if list in form is None |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
756 language = None |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
757 try: |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
758 language = self.form["@language"].value |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
759 if language.lower() == "none": |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
760 language = "" |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
761 self.add_cookie("roundup_language", language) |
|
4800
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
762 except (KeyError, TypeError): |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
763 pass |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
764 if language is None: |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
765 if "roundup_language" in self.cookie: |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
766 language = self.cookie["roundup_language"].value |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
767 elif self.instance.config["WEB_USE_BROWSER_LANGUAGE"]: |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
768 hal = self.env.get('HTTP_ACCEPT_LANGUAGE') |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
769 language = accept_language.parse(hal) |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
770 else: |
|
3961b2b91568
2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4799
diff
changeset
|
771 language = "" |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
772 |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
773 self.language = language |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
774 if language: |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
775 self.setTranslator(TranslationService.get_translation( |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
776 language, |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
777 tracker_home=self.instance.config["TRACKER_HOME"])) |
|
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
778 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
779 def determine_user(self): |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
780 """Determine who the user is""" |
|
1724
bc4f0aec594e
oops, we really do need a database
Richard Jones <richard@users.sourceforge.net>
parents:
1719
diff
changeset
|
781 self.opendb('admin') |
|
bc4f0aec594e
oops, we really do need a database
Richard Jones <richard@users.sourceforge.net>
parents:
1719
diff
changeset
|
782 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
783 # get session data from db |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
784 # XXX: rename |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
785 self.session_api = Session(self) |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
786 |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
787 # take the opportunity to cleanup expired sessions and otks |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
788 self.clean_up() |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
789 |
|
3453
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
790 user = None |
|
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
791 # first up, try http authorization if enabled |
|
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
792 if self.instance.config['WEB_HTTP_AUTH']: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
793 if 'REMOTE_USER' in self.env: |
|
3453
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
794 # we have external auth (e.g. by Apache) |
|
3356
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
795 user = self.env['REMOTE_USER'] |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
796 elif self.env.get('HTTP_AUTHORIZATION', ''): |
|
3453
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
797 # try handling Basic Auth ourselves |
|
3356
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
798 auth = self.env['HTTP_AUTHORIZATION'] |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
799 scheme, challenge = auth.split(' ', 1) |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
800 if scheme.lower() == 'basic': |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
801 try: |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
802 decoded = base64.decodestring(challenge) |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
803 except TypeError: |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
804 # invalid challenge |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
805 pass |
|
4574
35adb3950a39
Fix xmlrpc URL parsing so that passwords may contain a ':' character
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4543
diff
changeset
|
806 username, password = decoded.split(':', 1) |
|
3356
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
807 try: |
|
4669
d7ac6c7bc371
Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4649
diff
changeset
|
808 # Current user may not be None, otherwise |
|
d7ac6c7bc371
Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4649
diff
changeset
|
809 # instatiation of the login action will fail. |
|
d7ac6c7bc371
Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4649
diff
changeset
|
810 # So we set the user to anonymous first. |
|
d7ac6c7bc371
Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4649
diff
changeset
|
811 self.make_user_anonymous() |
|
3356
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
812 login = self.get_action_class('login')(self) |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
813 login.verifyLogin(username, password) |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
814 except LoginError, err: |
|
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
815 self.make_user_anonymous() |
|
4265
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
816 raise |
|
3356
2913b42c0810
enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents:
3276
diff
changeset
|
817 user = username |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
818 # try to seed with something harder to guess than |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
819 # just the time. If random is SystemRandom, |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
820 # this is a no-op. |
|
5218
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
821 random.seed("%s%s"%(password,time.time())) |
|
2928
81c99c857b57
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2923
diff
changeset
|
822 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
823 # if user was not set by http authorization, try session lookup |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
824 if not user: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
825 user = self.session_api.get('user') |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
826 if user: |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
827 # update session lifetime datestamp |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
828 self.session_api.update() |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
829 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
830 # if no user name set by http authorization or session lookup |
|
3453
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
831 # the user is anonymous |
|
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
832 if not user: |
|
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
833 user = 'anonymous' |
|
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
834 |
|
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
835 # sanity check on the user still being valid, |
|
8e3c0b88afad
prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3427
diff
changeset
|
836 # getting the userid at the same time |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
837 try: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
838 self.userid = self.db.user.lookup(user) |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
839 except (KeyError, TypeError): |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
840 user = 'anonymous' |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
841 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
842 # make sure the anonymous user is valid if we're using it |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
843 if user == 'anonymous': |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
844 self.make_user_anonymous() |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
845 else: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
846 self.user = user |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
847 |
|
1003
f89b8d32291b
Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents:
1002
diff
changeset
|
848 # reopen the database as the correct user |
|
f89b8d32291b
Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents:
1002
diff
changeset
|
849 self.opendb(self.user) |
|
f89b8d32291b
Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents:
1002
diff
changeset
|
850 |
|
4327
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
851 def check_anonymous_access(self): |
|
4326
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
852 """Check that the Anonymous user is actually allowed to use the web |
|
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
853 interface and short-circuit all further processing if they're not. |
|
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
854 """ |
|
4327
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
855 # allow Anonymous to use the "login" and "register" actions (noting |
|
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
856 # that "register" has its own "Register" permission check) |
|
4367
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
857 |
|
4802
e1ffab417c28
Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4801
diff
changeset
|
858 action = '' |
|
e1ffab417c28
Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4801
diff
changeset
|
859 try: |
|
e1ffab417c28
Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4801
diff
changeset
|
860 if ':action' in self.form: |
|
e1ffab417c28
Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4801
diff
changeset
|
861 action = self.form[':action'] |
|
e1ffab417c28
Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4801
diff
changeset
|
862 elif '@action' in self.form: |
|
e1ffab417c28
Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4801
diff
changeset
|
863 action = self.form['@action'] |
|
e1ffab417c28
Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4801
diff
changeset
|
864 except TypeError: |
|
e1ffab417c28
Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4801
diff
changeset
|
865 pass |
|
4367
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
866 if isinstance(action, list): |
|
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
867 raise SeriousError('broken form: multiple @action values submitted') |
|
4384
b0d812e10549
fix actions check for < Python2.6
Richard Jones <richard@users.sourceforge.net>
parents:
4380
diff
changeset
|
868 elif action != '': |
|
4367
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
869 action = action.value.lower() |
|
4327
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
870 if action in ('login', 'register'): |
|
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
871 return |
|
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
872 |
|
4329
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4327
diff
changeset
|
873 # allow Anonymous to view the "user" "register" template if they're |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4327
diff
changeset
|
874 # allowed to register |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4327
diff
changeset
|
875 if (self.db.security.hasPermission('Register', self.userid, 'user') |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4327
diff
changeset
|
876 and self.classname == 'user' and self.template == 'register'): |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4327
diff
changeset
|
877 return |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4327
diff
changeset
|
878 |
|
4327
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
879 # otherwise for everything else |
|
4326
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
880 if self.user == 'anonymous': |
|
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
881 if not self.db.security.hasPermission('Web Access', self.userid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
882 raise Unauthorised(self._("Anonymous users are not " |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
883 "allowed to use the web interface")) |
|
4326
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
884 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
885 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
886 def handle_csrf(self, xmlrpc=False): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
887 '''Handle csrf token lookup and validate current user and session |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
888 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
889 This implements (or tries to implement) the |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
890 Session-Dependent Nonce from |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
891 https://seclab.stanford.edu/websec/csrf/csrf.pdf. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
892 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
893 Changing this to an HMAC(sessionid,secret) will |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
894 remove the need for saving a fair amount of |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
895 state on the server (one nonce per form per |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
896 page). If you have multiple forms/page this can |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
897 lead to abandoned csrf tokens that have to time |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
898 out and get cleaned up.But you lose per form |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
899 tokens which may be an advantage. Also the HMAC |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
900 is constant for the session, so provides more |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
901 occasions for it to be exposed. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
902 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
903 This only runs on post (or put and delete for |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
904 future use). Nobody should be changing data |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
905 with a get. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
906 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
907 A session token lifetime is settable in |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
908 config.ini. A future enhancement to the |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
909 creation routines should allow for the requester |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
910 of the token to set the lifetime.t |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
911 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
912 The unique session key and user id is stored |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
913 with the token. The token is valid if the stored |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
914 values match the current client's userid and |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
915 session. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
916 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
917 If a user logs out, the csrf keys are |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
918 invalidated since no other connection should |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
919 have the same session id. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
920 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
921 At least to start I am reporting anti-csrf to |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
922 the user. If it's an attacker who can see the |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
923 site, they can see the @csrf fields and can |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
924 probably figure out that he needs to supply |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
925 valid headers. Or they can just read this code |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
926 8-). So hiding it doesn't seem to help but it |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
927 does arguably show the enforcement settings, but |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
928 given the newness of this code notifying the |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
929 user and having them notify the admins for |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
930 debugging seems to be an advantage. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
931 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
932 ''' |
|
5210
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
933 # Create the otks handle here as we need it almost immediately. |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
934 # If this is perf issue, set to None here and check below |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
935 # once all header checks have passed if it needs to be opened. |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
936 otks=self.db.getOTKManager() |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
937 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
938 # Assume: never allow changes via GET |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
939 if self.env['REQUEST_METHOD'] not in ['POST', 'PUT', 'DELETE']: |
|
5210
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
940 if "@csrf" in self.form: |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
941 # We have a nonce being used with a method it should |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
942 # not be. If the nonce exists, report to admin so they |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
943 # can fix the nonce leakage and destroy it. (nonces |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
944 # used in a get are more exposed than those used in a |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
945 # post.) Note, I don't attempt to validate here since |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
946 # existance here is the sign of a failure. If nonce |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
947 # exists try to report the referer header to try to |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
948 # find where this comes from so it can be fixed. If |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
949 # nonce doesn't exist just ignore it. Maybe we should |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
950 # report, but somebody could spam us with a ton of |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
951 # invalid keys and fill up the logs. |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
952 if 'HTTP_REFERER' in self.env: |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
953 referer = self.env['HTTP_REFERER'] |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
954 else: |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
955 referer = self._("Referer header not available.") |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
956 key=self.form['@csrf'].value |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
957 if otks.exists(key): |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
958 logger.error( |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
959 self._("csrf key used with wrong method from: %s"), |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
960 referer) |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
961 otks.destroy(key) |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
962 self.db.commit() |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
963 return True |
|
5210
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
964 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
965 config=self.instance.config |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
966 user=self.db.getuid() |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
967 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
968 # the HTTP headers we check. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
969 # Note that the xmlrpc header is missing. Its enforcement is |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
970 # different (yes/required are the same for example) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
971 # so we don't include here. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
972 header_names = [ |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
973 "ORIGIN", |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
974 "REFERER", |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
975 "X-FORWARDED-HOST", |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
976 "HOST" |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
977 ] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
978 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
979 header_pass = 0 # count of passing header checks |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
980 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
981 # if any headers are required and missing, report |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
982 # an error |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
983 for header in header_names: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
984 if (config["WEB_CSRF_ENFORCE_HEADER_%s"%header] == 'required' |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
985 and "HTTP_%s"%header not in self.env): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
986 self.add_error_message(self._("Missing header: %s")%header) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
987 logger.error(self._("csrf header %s required but missing for user%s."), header, user) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
988 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
989 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
990 # if you change these make sure to consider what |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
991 # happens if header variable exists but is empty. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
992 # self.base.find("") returns 0 for example not -1 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
993 # |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
994 # self.base always matches: ^https?://hostname |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
995 enforce=config['WEB_CSRF_ENFORCE_HEADER_ORIGIN'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
996 if 'HTTP_ORIGIN' in self.env and enforce != "no": |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
997 origin = self.env['HTTP_ORIGIN'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
998 foundat = self.base.find(origin +'/') |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
999 if foundat != 0: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1000 if enforce in ('required', 'yes'): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1001 self.add_error_message("Invalid Origin %s"%origin) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1002 logger.error(self._("csrf Origin header check failed for user%s. Value=%s"), user, origin) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1003 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1004 elif enforce == 'logfailure': |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1005 logger.warning(self._("csrf Origin header check failed for user%s. Value=%s"), user, origin) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1006 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1007 header_pass += 1 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1008 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1009 enforce=config['WEB_CSRF_ENFORCE_HEADER_REFERER'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1010 if 'HTTP_REFERER' in self.env and enforce != "no": |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1011 referer = self.env['HTTP_REFERER'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1012 # self.base always has trailing / |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1013 foundat = referer.find(self.base) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1014 if foundat != 0: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1015 if enforce in ('required', 'yes'): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1016 self.add_error_message(self._("Invalid Referer %s, %s")%(referer,self.base)) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1017 logger.error(self._("csrf Referer header check failed for user%s. Value=%s"), user, referer) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1018 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1019 elif enforce == 'logfailure': |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1020 logger.warning(self._("csrf Referer header check failed for user%s. Value=%s"), user, referer) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1021 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1022 header_pass += 1 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1023 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1024 enforce=config['WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1025 if 'HTTP_X-FORWARDED-HOST' in self.env and enforce != "no": |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1026 host = self.env['HTTP_X-FORWARDED-HOST'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1027 foundat = self.base.find('://' + host + '/') |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1028 # 4 means self.base has http:/ prefix, 5 means https:/ prefix |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1029 if foundat not in [4, 5]: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1030 if enforce in ('required', 'yes'): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1031 self.add_error_message(self._("Invalid X-FORWARDED-HOST %s")%host) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1032 logger.error(self._("csrf X-FORWARDED-HOST header check failed for user%s. Value=%s"), user, host) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1033 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1034 elif enforce == 'logfailure': |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1035 logger.warning(self._("csrf X-FORWARDED-HOST header check failed for user%s. Value=%s"), user, host) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1036 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1037 header_pass += 1 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1038 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1039 # https://seclab.stanford.edu/websec/csrf/csrf.pdf |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1040 # recommends checking HTTP HOST header as well. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1041 # If there is an X-FORWARDED-HOST header, check |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1042 # that only. The proxy setting X-F-H has probably set |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1043 # the host header to a local hostname that is |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1044 # internal name of system not name supplied by user. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1045 enforce=config['WEB_CSRF_ENFORCE_HEADER_HOST'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1046 if 'HTTP_HOST' in self.env and enforce != "no": |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1047 host = self.env['HTTP_HOST'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1048 foundat = self.base.find('://' + host + '/') |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1049 # 4 means http:// prefix, 5 means https:// prefix |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1050 if foundat not in [4, 5]: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1051 if enforce in ('required', 'yes'): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1052 self.add_error_message(self._("Invalid HOST %s")%host) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1053 logger.error(self._("csrf HOST header check failed for user%s. Value=%s"), user, host) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1054 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1055 elif enforce == 'logfailure': |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1056 logger.warning(self._("csrf HOST header check failed for user%s. Value=%s"), user, host) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1057 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1058 header_pass += 1 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1059 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1060 enforce=config['WEB_CSRF_HEADER_MIN_COUNT'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1061 if header_pass < enforce: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1062 self.add_error_message(self._("Unable to verify sufficient headers")) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1063 logger.error(self._("Csrf: unable to verify sufficient headers")) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1064 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1065 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1066 enforce=config['WEB_CSRF_ENFORCE_HEADER_X-REQUESTED-WITH'] |
|
5218
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1067 if xmlrpc: |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1068 if enforce in ['required', 'yes']: |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1069 # if we get here we have usually passed at least one |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1070 # header check. We check for presence of this custom |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1071 # header for xmlrpc calls only. |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1072 # E.G. X-Requested-With: XMLHttpRequest |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1073 # Note we do not use CSRF nonces for xmlrpc requests. |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1074 # |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1075 # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1076 if 'HTTP_X-REQUESTED-WITH' not in self.env: |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1077 logger.error(self._("csrf X-REQUESTED-WITH xmlrpc required header check failed for user%s."), user) |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1078 raise UsageError, "Required Header Missing" |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1079 return False # unreached |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1080 else: |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1081 return True |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1082 else: |
|
44f7e6b958fe
Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents:
5212
diff
changeset
|
1083 return True |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1084 |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1085 enforce=config['WEB_CSRF_ENFORCE_TOKEN'] |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1086 if "@csrf" not in self.form: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1087 if enforce == 'required': |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1088 self.add_error_message(self._("No csrf token found")) |
|
5202
47bd81998ddc
My testing was with dbm backends which do an automatic commit on the
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1089 logger.error(self._("required csrf field missing for user%s"), user) |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1090 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1091 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1092 if enforce == 'logfailure': |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1093 # FIXME include url |
|
5202
47bd81998ddc
My testing was with dbm backends which do an automatic commit on the
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1094 logger.warning(self._("required csrf field missing for user%s"), user) |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1095 return True |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1096 |
|
5211
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1097 # Expire old csrf tokens now so we don't use them. These will |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1098 # be committed after the otks.destroy below. Note that the |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1099 # self.clean_up run as part of determine_user() will run only |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1100 # once an hour. If we have short lived (e.g. 5 minute) keys |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1101 # they will live too long if we depend on clean_up. So we do |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1102 # our own. |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1103 otks.clean() |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1104 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1105 key=self.form['@csrf'].value |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1106 uid = otks.get(key, 'uid', default=None) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1107 sid = otks.get(key, 'sid', default=None) |
|
5210
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
1108 |
|
5211
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1109 # The key has been used or compromised. |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1110 # Delete it to prevent replay. |
|
5210
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
1111 otks.destroy(key) |
|
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
1112 self.db.commit() |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1113 |
|
5211
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1114 current_session = self.session_api._sid |
|
f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents:
5210
diff
changeset
|
1115 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1116 ''' |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1117 # I think now that LogoutAction redirects to |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1118 # self.base ([tracker] web parameter in config.ini), |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1119 # this code is not needed. However I am keeping it |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1120 # around in case it has to come back to life. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1121 # Delete if this is still around in 3/2018. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1122 # rouilj 3/2017. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1123 # |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1124 # Note using this code may cause a CSRF Login vulnerability. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1125 # Handle the case where user logs out and tries to |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1126 # log in again in same window. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1127 # The csrf token for the login button is associated |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1128 # with the prior login, so it will not validate. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1129 # |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1130 # To bypass error, Verify that uid != user and that |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1131 # user is '2' (anonymous) and there is no current |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1132 # session key. Validate that the csrf exists |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1133 # in the db and uid and sid are not None. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1134 # Also validate that the action is Login. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1135 # Lastly requre at least one csrf header check to pass. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1136 # If all of those work process the login. |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1137 if user != uid and \ |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1138 user == '2' and \ |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1139 current_session is None and \ |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1140 uid is not None and \ |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1141 sid is not None and \ |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1142 "@action" in self.form and \ |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1143 self.form["@action"].value == "Login": |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1144 if header_pass > 0: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1145 otks.destroy(key) |
|
5202
47bd81998ddc
My testing was with dbm backends which do an automatic commit on the
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1146 self.db.commit() |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1147 return True |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1148 else: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1149 self.add_error_message("Reload window before logging in.") |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1150 ''' |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1151 |
|
5210
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
1152 # validate against user and session |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1153 if uid != user: |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1154 if enforce in ('required', "yes"): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1155 self.add_error_message(self._("Invalid csrf token found: %s")%key) |
|
5210
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
1156 logger.error(self._("csrf uid mismatch for user%s."), user) |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1157 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1158 elif enforce == 'logfailure': |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1159 logger.warning(self._("csrf uid mismatch for user%s."), user) |
|
5202
47bd81998ddc
My testing was with dbm backends which do an automatic commit on the
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1160 if current_session != sid: |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1161 if enforce in ('required', "yes"): |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1162 self.add_error_message(self._( |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1163 "Invalid csrf session found: %s")%key) |
|
5210
7da56980754d
Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents:
5202
diff
changeset
|
1164 logger.error(self._("csrf session mismatch for user%s."), user) |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1165 return False |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1166 elif enforce == 'logfailure': |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1167 logger.warning(self._("csrf session mismatch for user%s."), user) |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1168 return True |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5188
diff
changeset
|
1169 |
|
2940
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1170 def opendb(self, username): |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
1171 """Open the database and set the current user. |
|
2940
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1172 |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1173 Opens a database once. On subsequent calls only the user is set on |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1174 the database object the instance.optimize is set. If we are in |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1175 "Development Mode" (cf. roundup_server) then the database is always |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1176 re-opened. |
|
3427
198fe87b0254
add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3396
diff
changeset
|
1177 """ |
|
2940
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1178 # don't do anything if the db is open and the user has not changed |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1179 if hasattr(self, 'db') and self.db.isCurrentUser(username): |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1180 return |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1181 |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1182 # open the database or only set the user |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1183 if not hasattr(self, 'db'): |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1184 self.db = self.instance.open(username) |
| 4781 | 1185 self.db.tx_Source = "web" |
|
2940
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1186 else: |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1187 if self.instance.optimize: |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1188 self.db.setCurrentUser(username) |
| 4781 | 1189 self.db.tx_Source = "web" |
|
2940
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1190 else: |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1191 self.db.close() |
|
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1192 self.db = self.instance.open(username) |
| 4781 | 1193 self.db.tx_Source = "web" |
|
4212
51a098592b78
Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents:
4145
diff
changeset
|
1194 # The old session API refers to the closed database; |
|
51a098592b78
Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents:
4145
diff
changeset
|
1195 # we can no longer use it. |
|
51a098592b78
Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents:
4145
diff
changeset
|
1196 self.session_api = Session(self) |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
1197 |
|
2940
00f609d53a8c
tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents:
2938
diff
changeset
|
1198 |
|
2829
aa1cb9df09c3
ignore leading zeroes in the ID part of a node designator
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2808
diff
changeset
|
1199 def determine_context(self, dre=re.compile(r'([^\d]+)0*(\d+)')): |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1200 """Determine the context of this page from the URL: |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1201 |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1202 The URL path after the instance identifier is examined. The path |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1203 is generally only one entry long. |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1204 |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1205 - if there is no path, then we are in the "home" context. |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1206 - if the path is "_file", then the additional path entry |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1207 specifies the filename of a static file we're to serve up |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1208 from the instance "html" directory. Raises a SendStaticFile |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1209 exception.(*) |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1210 - if there is something in the path (eg "issue"), it identifies |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1211 the tracker class we're to display. |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1212 - if the path is an item designator (eg "issue123"), then we're |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1213 to display a specific item. |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1214 - if the path starts with an item designator and is longer than |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1215 one entry, then we're assumed to be handling an item of a |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1216 FileClass, and the extra path information gives the filename |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1217 that the client is going to label the download with (ie |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1218 "file123/image.png" is nicer to download than "file123"). This |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1219 raises a SendFile exception.(*) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1220 |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1221 Both of the "*" types of contexts stop before we bother to |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1222 determine the template we're going to use. That's because they |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1223 don't actually use templates. |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1224 |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1225 The template used is specified by the :template CGI variable, |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1226 which defaults to: |
|
1053
b28393def972
more explanatory docsting
Richard Jones <richard@users.sourceforge.net>
parents:
1051
diff
changeset
|
1227 |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1228 - only classname suplied: "index" |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1229 - full item designator supplied: "item" |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1230 |
|
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1231 We set: |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1232 |
|
1041
c28603c9f831
Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents:
1029
diff
changeset
|
1233 self.classname - the class to display, can be None |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1234 |
|
1041
c28603c9f831
Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents:
1029
diff
changeset
|
1235 self.template - the template to render the current context with |
|
2005
fc52d57c6c3e
documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2004
diff
changeset
|
1236 |
|
1041
c28603c9f831
Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents:
1029
diff
changeset
|
1237 self.nodeid - the nodeid of the class we're displaying |
|
1937
4c850112895b
Some reformatting and fixing docstrings for emacs.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1936
diff
changeset
|
1238 """ |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1239 # default the optional variables |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1240 self.classname = None |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1241 self.nodeid = None |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1242 |
|
1420
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1243 # see if a template or messages are specified |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1244 template_override = ok_message = error_message = None |
|
4801
bff9e4145f70
Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4800
diff
changeset
|
1245 try: |
|
bff9e4145f70
Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4800
diff
changeset
|
1246 keys = self.form.keys() |
|
bff9e4145f70
Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4800
diff
changeset
|
1247 except TypeError: |
|
bff9e4145f70
Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4800
diff
changeset
|
1248 keys = () |
|
bff9e4145f70
Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4800
diff
changeset
|
1249 for key in keys: |
|
1420
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1250 if self.FV_TEMPLATE.match(key): |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1251 template_override = self.form[key].value |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1252 elif self.FV_OK_MESSAGE.match(key): |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1253 ok_message = self.form[key].value |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1254 elif self.FV_ERROR_MESSAGE.match(key): |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1255 error_message = self.form[key].value |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1256 |
|
1977
f96592a7c357
changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents:
1973
diff
changeset
|
1257 # see if we were passed in a message |
|
f96592a7c357
changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents:
1973
diff
changeset
|
1258 if ok_message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1259 self.add_ok_message(ok_message) |
|
1977
f96592a7c357
changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents:
1973
diff
changeset
|
1260 if error_message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1261 self.add_error_message(error_message) |
|
1977
f96592a7c357
changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents:
1973
diff
changeset
|
1262 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1263 # determine the classname and possibly nodeid |
|
1157
26c8cb2162d7
fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents:
1153
diff
changeset
|
1264 path = self.path.split('/') |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1265 if not path or path[0] in ('', 'home', 'index'): |
|
1420
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1266 if template_override is not None: |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1267 self.template = template_override |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1268 else: |
|
1041
c28603c9f831
Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents:
1029
diff
changeset
|
1269 self.template = '' |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1270 return |
|
1911
f5c804379c85
fixed ZRoundup - mostly changes to classic template
Richard Jones <richard@users.sourceforge.net>
parents:
1905
diff
changeset
|
1271 elif path[0] in ('_file', '@@file'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1272 raise SendStaticFile(os.path.join(*path[1:])) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1273 else: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1274 self.classname = path[0] |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1275 if len(path) > 1: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1276 # send the file identified by the designator in path[0] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1277 raise SendFile(path[0]) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1278 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1279 # see if we got a designator |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1280 m = dre.match(self.classname) |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1281 if m: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1282 self.classname = m.group(1) |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1283 self.nodeid = m.group(2) |
|
3494
5a56abcf1b22
catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents:
3453
diff
changeset
|
1284 try: |
|
5a56abcf1b22
catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents:
3453
diff
changeset
|
1285 klass = self.db.getclass(self.classname) |
|
5a56abcf1b22
catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents:
3453
diff
changeset
|
1286 except KeyError: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1287 raise NotFound('%s/%s'%(self.classname, self.nodeid)) |
|
3494
5a56abcf1b22
catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents:
3453
diff
changeset
|
1288 if not klass.hasnode(self.nodeid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1289 raise NotFound('%s/%s'%(self.classname, self.nodeid)) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1290 # with a designator, we default to item view |
|
1041
c28603c9f831
Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents:
1029
diff
changeset
|
1291 self.template = 'item' |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1292 else: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1293 # with only a class, we default to index view |
|
1041
c28603c9f831
Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents:
1029
diff
changeset
|
1294 self.template = 'index' |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1295 |
|
1288
ad8de51d7cd5
handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents:
1277
diff
changeset
|
1296 # make sure the classname is valid |
|
ad8de51d7cd5
handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents:
1277
diff
changeset
|
1297 try: |
|
ad8de51d7cd5
handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents:
1277
diff
changeset
|
1298 self.db.getclass(self.classname) |
|
ad8de51d7cd5
handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents:
1277
diff
changeset
|
1299 except KeyError: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1300 raise NotFound(self.classname) |
|
1288
ad8de51d7cd5
handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents:
1277
diff
changeset
|
1301 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1302 # see if we have a template override |
|
1420
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1303 if template_override is not None: |
|
3ac43c62a250
implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents:
1417
diff
changeset
|
1304 self.template = template_override |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1305 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1306 def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1307 """ Serve the file from the content property of the designated item. |
|
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1308 """ |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1309 m = dre.match(str(designator)) |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1310 if not m: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1311 raise NotFound(str(designator)) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1312 classname, nodeid = m.group(1), m.group(2) |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1313 |
|
4263
bd000a1e9a57
Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4224
diff
changeset
|
1314 try: |
|
bd000a1e9a57
Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4224
diff
changeset
|
1315 klass = self.db.getclass(classname) |
|
bd000a1e9a57
Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4224
diff
changeset
|
1316 except KeyError: |
|
bd000a1e9a57
Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents:
4224
diff
changeset
|
1317 # The classname was not valid. |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1318 raise NotFound(str(designator)) |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
1319 |
|
4326
d51a9c498dc4
Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents:
4291
diff
changeset
|
1320 # perform the Anonymous user access check |
|
4327
095d92109cc7
allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents:
4326
diff
changeset
|
1321 self.check_anonymous_access() |
|
1946
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1322 |
|
1967
d30cd44321f2
commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents:
1946
diff
changeset
|
1323 # make sure we have the appropriate properties |
|
d30cd44321f2
commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents:
1946
diff
changeset
|
1324 props = klass.getprops() |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1325 if 'type' not in props: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1326 raise NotFound(designator) |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1327 if 'content' not in props: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1328 raise NotFound(designator) |
|
1967
d30cd44321f2
commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents:
1946
diff
changeset
|
1329 |
|
2870
795cdba40c05
enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents:
2864
diff
changeset
|
1330 # make sure we have permission |
|
795cdba40c05
enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents:
2864
diff
changeset
|
1331 if not self.db.security.hasPermission('View', self.userid, |
|
795cdba40c05
enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents:
2864
diff
changeset
|
1332 classname, 'content', nodeid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1333 raise Unauthorised(self._("You are not allowed to view " |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1334 "this file.")) |
|
2870
795cdba40c05
enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents:
2864
diff
changeset
|
1335 |
|
4962
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1336 |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1337 # --- mime-type security |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1338 # mime type detection is performed in cgi.form_parser |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1339 |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1340 # everything not here is served as 'application/octet-stream' |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1341 whitelist = [ |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1342 'text/plain', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1343 'text/x-csrc', # .c |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1344 'text/x-chdr', # .h |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1345 'text/x-patch', # .patch and .diff |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1346 'text/x-python', # .py |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1347 'text/xml', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1348 'text/csv', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1349 'text/css', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1350 'application/pdf', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1351 'image/gif', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1352 'image/jpeg', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1353 'image/png', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1354 'image/webp', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1355 'audio/ogg', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1356 'video/webm', |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1357 ] |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1358 |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1359 if self.instance.config['WEB_ALLOW_HTML_FILE']: |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1360 whitelist.append('text/html') |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1361 |
|
4530
c1c395058dee
issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents:
4523
diff
changeset
|
1362 try: |
|
c1c395058dee
issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents:
4523
diff
changeset
|
1363 mime_type = klass.get(nodeid, 'type') |
|
c1c395058dee
issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents:
4523
diff
changeset
|
1364 except IndexError, e: |
|
c1c395058dee
issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents:
4523
diff
changeset
|
1365 raise NotFound(e) |
|
4291
b1772fdb09d0
Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4265
diff
changeset
|
1366 # Can happen for msg class: |
|
b1772fdb09d0
Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4265
diff
changeset
|
1367 if not mime_type: |
|
b1772fdb09d0
Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4265
diff
changeset
|
1368 mime_type = 'text/plain' |
|
4047
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1369 |
|
4962
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1370 if mime_type not in whitelist: |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1371 mime_type = 'application/octet-stream' |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1372 |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1373 # --/ mime-type security |
|
63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents:
4919
diff
changeset
|
1374 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1375 |
|
4047
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1376 # If this object is a file (i.e., an instance of FileClass), |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1377 # see if we can find it in the filesystem. If so, we may be |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1378 # able to use the more-efficient request.sendfile method of |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1379 # sending the file. If not, just get the "content" property |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1380 # in the usual way, and use that. |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1381 content = None |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1382 filename = None |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1383 if isinstance(klass, hyperdb.FileClass): |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1384 try: |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1385 filename = self.db.filename(classname, nodeid) |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1386 except AttributeError: |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1387 # The database doesn't store files in the filesystem |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1388 # and therefore doesn't provide the "filename" method. |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1389 pass |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1390 except IOError: |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1391 # The file does not exist. |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1392 pass |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1393 if not filename: |
|
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1394 content = klass.get(nodeid, 'content') |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
1395 |
|
1967
d30cd44321f2
commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents:
1946
diff
changeset
|
1396 lmt = klass.get(nodeid, 'activity').timestamp() |
|
1946
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1397 |
|
4047
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1398 self._serve_file(lmt, mime_type, content, filename) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1399 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1400 def serve_static_file(self, file): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1401 """ Serve up the file named from the templates dir |
|
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1402 """ |
|
2864
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1403 # figure the filename - try STATIC_FILES, then TEMPLATES dir |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1404 for dir_option in ('STATIC_FILES', 'TEMPLATES'): |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1405 prefix = self.instance.config[dir_option] |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1406 if not prefix: |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1407 continue |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1408 # ensure the load doesn't try to poke outside |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1409 # of the static files directory |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1410 prefix = os.path.normpath(prefix) |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1411 filename = os.path.normpath(os.path.join(prefix, file)) |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1412 if os.path.isfile(filename) and filename.startswith(prefix): |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1413 break |
|
930e780c751f
support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2853
diff
changeset
|
1414 else: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1415 raise NotFound(file) |
|
1946
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1416 |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1417 # last-modified time |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1418 lmt = os.stat(filename)[stat.ST_MTIME] |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1419 |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1420 # detemine meta-type |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1421 file = str(file) |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1422 mime_type = mimetypes.guess_type(file)[0] |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1423 if not mime_type: |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1424 if file.endswith('.css'): |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1425 mime_type = 'text/css' |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1426 else: |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1427 mime_type = 'text/plain' |
|
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1428 |
|
4047
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1429 self._serve_file(lmt, mime_type, '', filename) |
|
1946
c538a64b94a7
Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents:
1937
diff
changeset
|
1430 |
|
4047
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1431 def _serve_file(self, lmt, mime_type, content=None, filename=None): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1432 """ guts of serve_file() and serve_static_file() |
|
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1433 """ |
|
4047
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1434 |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1435 # spit out headers |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1436 self.additional_headers['Content-Type'] = mime_type |
|
4980
13f8f88ad984
Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents:
4979
diff
changeset
|
1437 self.additional_headers['Last-Modified'] = email.utils.formatdate(lmt) |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1438 |
|
1498
203f6a154b30
even better if-modified-since handling for cgi-bin
Andrey Lebedev <kedder@users.sourceforge.net>
parents:
1497
diff
changeset
|
1439 ims = None |
|
1469
79d8956de3f5
implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents:
1468
diff
changeset
|
1440 # see if there's an if-modified-since... |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1441 # XXX see which interfaces set this |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1442 #if hasattr(self.request, 'headers'): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1443 #ims = self.request.headers.getheader('if-modified-since') |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1444 if 'HTTP_IF_MODIFIED_SINCE' in self.env: |
|
1497
2704d8438823
better if-modified-since handling for cgi-bin
Richard Jones <richard@users.sourceforge.net>
parents:
1477
diff
changeset
|
1445 # cgi will put the header in the env var |
|
1469
79d8956de3f5
implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents:
1468
diff
changeset
|
1446 ims = self.env['HTTP_IF_MODIFIED_SINCE'] |
|
79d8956de3f5
implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents:
1468
diff
changeset
|
1447 if ims: |
|
4980
13f8f88ad984
Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents:
4979
diff
changeset
|
1448 ims = email.utils.parsedate(ims)[:6] |
|
3800
75d3896929bb
really fix the last-modified code
Richard Jones <richard@users.sourceforge.net>
parents:
3796
diff
changeset
|
1449 lmtt = time.gmtime(lmt)[:6] |
|
1469
79d8956de3f5
implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents:
1468
diff
changeset
|
1450 if lmtt <= ims: |
|
79d8956de3f5
implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents:
1468
diff
changeset
|
1451 raise NotModified |
|
79d8956de3f5
implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents:
1468
diff
changeset
|
1452 |
|
4047
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1453 if filename: |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1454 self.write_file(filename) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1455 else: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1456 self.additional_headers['Content-Length'] = str(len(content)) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1457 self.write(content) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1458 |
|
4543
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1459 def send_error_to_admin(self, subject, html, txt): |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1460 """Send traceback information to admin via email. |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1461 We send both, the formatted html (with more information) and |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1462 the text version of the traceback. We use |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1463 multipart/alternative so the receiver can chose which version |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1464 to display. |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1465 """ |
|
4264
b1e614c6759f
Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents:
4263
diff
changeset
|
1466 to = [self.mailer.config.ADMIN_EMAIL] |
|
4543
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1467 message = MIMEMultipart('alternative') |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1468 self.mailer.set_message_attributes(message, to, subject) |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1469 part = MIMEBase('text', 'html') |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1470 part.set_charset('utf-8') |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1471 part.set_payload(html) |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1472 encode_quopri(part) |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1473 message.attach(part) |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1474 part = MIMEText(txt) |
|
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1475 message.attach(part) |
|
4523
a03646a02f68
Fix issue2550691 where a Unix From-Header was sometimes inserted...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4384
diff
changeset
|
1476 self.mailer.smtp_send(to, message.as_string()) |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
1477 |
|
4265
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
1478 def renderFrontPage(self, message): |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
1479 """Return the front page of the tracker.""" |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
1480 |
|
4265
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
1481 self.classname = self.nodeid = None |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
1482 self.template = '' |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1483 self.add_error_message(message) |
|
4265
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
1484 self.write_html(self.renderContext()) |
|
e24a6ca34448
Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents:
4264
diff
changeset
|
1485 |
|
4740
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1486 def selectTemplate(self, name, view): |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1487 """ Choose existing template for the given combination of |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1488 classname (name parameter) and template request variable |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1489 (view parameter) and return its name. |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1490 |
|
5185
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1491 View can be a single template or two templates separated |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1492 by a vbar '|' character. If the Client object has a |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1493 non-empty _error_message attribute, the right hand |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1494 template (error template) will be used. If the |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1495 _error_message is empty, the left hand template (ok |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1496 template) will be used. |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1497 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1498 In most cases the name will be "classname.view", but |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1499 if "view" is None, then template name "classname" will |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1500 be returned. |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1501 |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1502 If "classname.view" template doesn't exist, the |
|
4740
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1503 "_generic.view" is used as a fallback. |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1504 |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1505 [ ] cover with tests |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1506 """ |
|
5185
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1507 |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1508 # determine if view is oktmpl|errortmpl. If so assign the |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1509 # right one to the view parameter. If we don't have alternate |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1510 # templates, just leave view alone. |
|
5188
8768a95c9a4f
Small fix. Make sure view is defined before trying to find('|') in it.
John Rouillard <rouilj@ieee.org>
parents:
5185
diff
changeset
|
1511 if (view and view.find('|') != -1 ): |
|
5185
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1512 # we have alternate templates, parse them apart. |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1513 (oktmpl, errortmpl) = view.split("|", 2) |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1514 if self._error_message: |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1515 # we have an error, use errortmpl |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1516 view = errortmpl |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1517 else: |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1518 # no error message recorded, use oktmpl |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1519 view = oktmpl |
|
349bef975367
Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents:
5166
diff
changeset
|
1520 |
|
4739
94be76e04140
templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents:
4728
diff
changeset
|
1521 loader = self.instance.templates |
|
94be76e04140
templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents:
4728
diff
changeset
|
1522 |
|
94be76e04140
templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents:
4728
diff
changeset
|
1523 # if classname is not set, use "home" template |
|
94be76e04140
templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents:
4728
diff
changeset
|
1524 if name is None: |
|
94be76e04140
templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents:
4728
diff
changeset
|
1525 name = 'home' |
|
94be76e04140
templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents:
4728
diff
changeset
|
1526 |
|
4740
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1527 tplname = name |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1528 if view: |
|
5154
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1529 # Support subdirectories for templates. Value is path/to/VIEW |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1530 # or just VIEW if the template is in the html directory of |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1531 # the tracker. |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1532 slash_loc = view.rfind("/") |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1533 if slash_loc == -1: |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1534 # try plain class.view |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1535 tplname = '%s.%s' % (name, view) |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1536 else: |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1537 # try path/class.view |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1538 tplname = '%s/%s.%s'%( |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1539 view[:slash_loc], name, view[slash_loc+1:]) |
|
4740
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1540 |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1541 if loader.check(tplname): |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1542 return tplname |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1543 |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1544 # rendering class/context with generic template for this view. |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1545 # with no view it's impossible to choose which generic template to use |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1546 if not view: |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1547 raise templating.NoTemplate('Template "%s" doesn\'t exist' % name) |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1548 |
|
5154
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1549 if slash_loc == -1: |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1550 generic = '_generic.%s' % view |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1551 else: |
|
f608eeecf638
issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1552 generic = '%s/_generic.%s' % (view[:slash_loc], view[slash_loc+1:]) |
|
4740
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1553 if loader.check(generic): |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1554 return generic |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1555 |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1556 raise templating.NoTemplate('No template file exists for templating ' |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1557 '"%s" with template "%s" (neither "%s" nor "%s")' % (name, view, |
|
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1558 tplname, generic)) |
|
4739
94be76e04140
templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents:
4728
diff
changeset
|
1559 |
|
1204
b862bbf2067a
Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents:
1196
diff
changeset
|
1560 def renderContext(self): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1561 """ Return a PageTemplate for the named page |
|
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1562 """ |
|
4740
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1563 tplname = self.selectTemplate(self.classname, self.template) |
|
1204
b862bbf2067a
Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents:
1196
diff
changeset
|
1564 |
|
1103
db787cef1385
handled some XXXs
Richard Jones <richard@users.sourceforge.net>
parents:
1096
diff
changeset
|
1565 # catch errors so we can handle PT rendering errors more nicely |
|
1204
b862bbf2067a
Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents:
1196
diff
changeset
|
1566 args = { |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1567 'ok_message': self._ok_message, |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1568 'error_message': self._error_message |
|
1204
b862bbf2067a
Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents:
1196
diff
changeset
|
1569 } |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1570 try: |
|
4740
fe9568a6cbd6
Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents:
4739
diff
changeset
|
1571 pt = self.instance.templates.load(tplname) |
|
1016
d6c13142e7b9
Keep a cache of compiled PageTemplates.
Richard Jones <richard@users.sourceforge.net>
parents:
1008
diff
changeset
|
1572 # let the template render figure stuff out |
|
1967
d30cd44321f2
commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents:
1946
diff
changeset
|
1573 result = pt.render(self, None, None, **args) |
|
d30cd44321f2
commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents:
1946
diff
changeset
|
1574 self.additional_headers['Content-Type'] = pt.content_type |
|
2942
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1575 if self.env.get('CGI_SHOW_TIMING', ''): |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1576 if self.env['CGI_SHOW_TIMING'].upper() == 'COMMENT': |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1577 timings = {'starttag': '<!-- ', 'endtag': ' -->'} |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1578 else: |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1579 timings = {'starttag': '<p>', 'endtag': '</p>'} |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1580 timings['seconds'] = time.time()-self.start |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1581 s = self._('%(starttag)sTime elapsed: %(seconds)fs%(endtag)s\n' |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1582 ) % timings |
|
2237
f624fc20f8fe
added capturing of stats
Richard Jones <richard@users.sourceforge.net>
parents:
2233
diff
changeset
|
1583 if hasattr(self.db, 'stats'): |
|
2942
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1584 timings.update(self.db.stats) |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1585 s += self._("%(starttag)sCache hits: %(cache_hits)d," |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1586 " misses %(cache_misses)d." |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1587 " Loading items: %(get_items)f secs." |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1588 " Filtering: %(filtering)f secs." |
|
a50e4f7c9276
look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2940
diff
changeset
|
1589 "%(endtag)s\n") % timings |
|
2237
f624fc20f8fe
added capturing of stats
Richard Jones <richard@users.sourceforge.net>
parents:
2233
diff
changeset
|
1590 s += '</body>' |
|
2230
ca2664e095be
disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents:
2183
diff
changeset
|
1591 result = result.replace('</body>', s) |
|
1967
d30cd44321f2
commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents:
1946
diff
changeset
|
1592 return result |
|
1977
f96592a7c357
changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents:
1973
diff
changeset
|
1593 except templating.NoTemplate, message: |
|
4380
11d9f3f98897
fix potential XSS hole
Richard Jones <richard@users.sourceforge.net>
parents:
4370
diff
changeset
|
1594 return '<strong>%s</strong>'%cgi.escape(str(message)) |
|
1977
f96592a7c357
changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents:
1973
diff
changeset
|
1595 except templating.Unauthorised, message: |
|
4380
11d9f3f98897
fix potential XSS hole
Richard Jones <richard@users.sourceforge.net>
parents:
4370
diff
changeset
|
1596 raise Unauthorised(cgi.escape(str(message))) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1597 except: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1598 # everything else |
|
4045
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1599 if self.instance.config.WEB_DEBUG: |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1600 return cgitb.pt_html(i18n=self.translator) |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1601 exc_info = sys.exc_info() |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1602 try: |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1603 # If possible, send the HTML page template traceback |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1604 # to the administrator. |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1605 subject = "Templating Error: %s" % exc_info[1] |
|
4543
d16d9bf655d8
- fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4530
diff
changeset
|
1606 self.send_error_to_admin(subject, cgitb.pt_html(), format_exc()) |
|
4045
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1607 # Now report the error to the user. |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
1608 return self._(default_err_msg) |
|
4045
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1609 except: |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1610 # Reraise the original exception. The user will |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1611 # receive an error message, and the adminstrator will |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1612 # receive a traceback, albeit with less information |
|
82213b1971b4
Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents:
4027
diff
changeset
|
1613 # than the one we tried to generate above. |
|
4649
fc513bd18167
Use "raise E, V, T" instead of "raise E(V).with_traceback(T)" (with_traceback is not available in Python 2).
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4648
diff
changeset
|
1614 raise exc_info[0], exc_info[1], exc_info[2] |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1615 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1616 # these are the actions that are available |
| 2904 | 1617 actions = ( |
|
5073
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1618 ('edit', actions.EditItemAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1619 ('editcsv', actions.EditCSVAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1620 ('new', actions.NewItemAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1621 ('register', actions.RegisterAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1622 ('confrego', actions.ConfRegoAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1623 ('passrst', actions.PassResetAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1624 ('login', actions.LoginAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1625 ('logout', actions.LogoutAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1626 ('search', actions.SearchAction), |
|
5119
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5079
diff
changeset
|
1627 ('restore', actions.RestoreAction), |
|
5073
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1628 ('retire', actions.RetireAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1629 ('show', actions.ShowAction), |
|
d0aa596daca8
Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents:
5044
diff
changeset
|
1630 ('export_csv', actions.ExportCSVAction), |
| 2904 | 1631 ) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1632 def handle_action(self): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1633 """ Determine whether there should be an Action called. |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1634 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1635 The action is defined by the form variable :action which |
|
1477
ed725179953d
Added password reset facility for forgotten passwords.
Richard Jones <richard@users.sourceforge.net>
parents:
1472
diff
changeset
|
1636 identifies the method on this object to call. The actions |
| 2904 | 1637 are defined in the "actions" sequence on this class. |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1638 |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1639 Actions may return a page (by default HTML) to return to the |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1640 user, bypassing the usual template rendering. |
|
3388
0c66acaea802
present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents:
3356
diff
changeset
|
1641 |
|
0c66acaea802
present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents:
3356
diff
changeset
|
1642 We explicitly catch Reject and ValueError exceptions and |
|
0c66acaea802
present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents:
3356
diff
changeset
|
1643 present their messages to the user. |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1644 """ |
|
4804
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1645 action = None |
|
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1646 try: |
|
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1647 if ':action' in self.form: |
|
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1648 action = self.form[':action'] |
|
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1649 elif '@action' in self.form: |
|
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1650 action = self.form['@action'] |
|
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1651 except TypeError: |
|
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1652 pass |
|
bc4144417861
More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4802
diff
changeset
|
1653 if action is None: |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1654 return None |
|
2638
18e86941c950
Load up extensions in the tracker "extensions" directory.
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1655 |
|
4367
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
1656 if isinstance(action, list): |
|
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
1657 raise SeriousError('broken form: multiple @action values submitted') |
|
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
1658 else: |
|
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
1659 action = action.value.lower() |
|
fa5587802af9
Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
1660 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1661 try: |
|
2948
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1662 action_klass = self.get_action_class(action) |
|
2019
8fab5d394f22
Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2018
diff
changeset
|
1663 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1664 # call the mapped action |
|
2019
8fab5d394f22
Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2018
diff
changeset
|
1665 if isinstance(action_klass, type('')): |
|
8fab5d394f22
Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2018
diff
changeset
|
1666 # old way of specifying actions |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1667 return getattr(self, action_klass)() |
|
2019
8fab5d394f22
Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2018
diff
changeset
|
1668 else: |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1669 return action_klass(self).execute() |
|
5010
0428d2004a86
Fix exception handling to be python2.5 compatible
John Kristensen <john@jerrykan.com>
parents:
5004
diff
changeset
|
1670 except (ValueError, Reject), err: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4980
diff
changeset
|
1671 escape = not isinstance(err, RejectRaw) |
|
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4980
diff
changeset
|
1672 self.add_error_message(str(err), escape=escape) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1673 |
|
2948
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1674 def get_action_class(self, action_name): |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1675 if (hasattr(self.instance, 'cgi_actions') and |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1676 action_name in self.instance.cgi_actions): |
|
2948
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1677 # tracker-defined action |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1678 action_klass = self.instance.cgi_actions[action_name] |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1679 else: |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1680 # go with a default |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1681 for name, action_klass in self.actions: |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1682 if name == action_name: |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1683 break |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1684 else: |
|
4578
941681fec1b0
issue2550711 Fix XSS vulnerability in @action parameter.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4574
diff
changeset
|
1685 raise ValueError('No such action "%s"'%cgi.escape(action_name)) |
|
2948
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1686 return action_klass |
|
deda13909085
factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents:
2947
diff
changeset
|
1687 |
|
3760
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1688 def _socket_op(self, call, *args, **kwargs): |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1689 """Execute socket-related operation, catch common network errors |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1690 |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1691 Parameters: |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1692 call: a callable to execute |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1693 args, kwargs: call arguments |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1694 |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1695 """ |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1696 try: |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1697 call(*args, **kwargs) |
|
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1698 except socket.error, err: |
|
3807
c27aafab067d
Band-aid over handling of netework errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3800
diff
changeset
|
1699 err_errno = getattr (err, 'errno', None) |
|
3808
36eb9e8faf30
Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3807
diff
changeset
|
1700 if err_errno is None: |
|
36eb9e8faf30
Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3807
diff
changeset
|
1701 try: |
|
36eb9e8faf30
Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3807
diff
changeset
|
1702 err_errno = err[0] |
|
36eb9e8faf30
Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3807
diff
changeset
|
1703 except TypeError: |
|
36eb9e8faf30
Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3807
diff
changeset
|
1704 pass |
|
3807
c27aafab067d
Band-aid over handling of netework errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3800
diff
changeset
|
1705 if err_errno not in self.IGNORE_NET_ERRORS: |
|
3760
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1706 raise |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1707 except IOError: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1708 # Apache's mod_python will raise IOError -- without an |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1709 # accompanying errno -- when a write to the client fails. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1710 # A common case is that the client has closed the |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1711 # connection. There's no way to be certain that this is |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1712 # the situation that has occurred here, but that is the |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1713 # most likely case. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1714 pass |
|
3760
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1715 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1716 def write(self, content): |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1717 if not self.headers_done: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1718 self.header() |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2565
diff
changeset
|
1719 if self.env['REQUEST_METHOD'] != 'HEAD': |
|
3760
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1720 self._socket_op(self.request.wfile.write, content) |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1721 |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1722 def write_html(self, content): |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1723 if not self.headers_done: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1724 # at this point, we are sure about Content-Type |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1725 if 'Content-Type' not in self.additional_headers: |
|
3867
2563ddf71cd7
Enabled over-riding of content-type in web interface (thanks John Mitchell)
Richard Jones <richard@users.sourceforge.net>
parents:
3808
diff
changeset
|
1726 self.additional_headers['Content-Type'] = \ |
|
2563ddf71cd7
Enabled over-riding of content-type in web interface (thanks John Mitchell)
Richard Jones <richard@users.sourceforge.net>
parents:
3808
diff
changeset
|
1727 'text/html; charset=%s' % self.charset |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1728 self.header() |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2565
diff
changeset
|
1729 |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2565
diff
changeset
|
1730 if self.env['REQUEST_METHOD'] == 'HEAD': |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2565
diff
changeset
|
1731 # client doesn't care about content |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2565
diff
changeset
|
1732 return |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2565
diff
changeset
|
1733 |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1734 if self.charset != self.STORAGE_CHARSET: |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1735 # recode output |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1736 content = content.decode(self.STORAGE_CHARSET, 'replace') |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1737 content = content.encode(self.charset, 'xmlcharrefreplace') |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2565
diff
changeset
|
1738 |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2565
diff
changeset
|
1739 # and write |
|
3760
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1740 self._socket_op(self.request.wfile.write, content) |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1741 |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1742 def http_strip(self, content): |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1743 """Remove HTTP Linear White Space from 'content'. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1744 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1745 'content' -- A string. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1746 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1747 returns -- 'content', with all leading and trailing LWS |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1748 removed.""" |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1749 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1750 # RFC 2616 2.2: Basic Rules |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1751 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1752 # LWS = [CRLF] 1*( SP | HT ) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1753 return content.strip(" \r\n\t") |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1754 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1755 def http_split(self, content): |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1756 """Split an HTTP list. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1757 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1758 'content' -- A string, giving a list of items. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1759 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1760 returns -- A sequence of strings, containing the elements of |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1761 the list.""" |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1762 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1763 # RFC 2616 2.1: Augmented BNF |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1764 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1765 # Grammar productions of the form "#rule" indicate a |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1766 # comma-separated list of elements matching "rule". LWS |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1767 # is then removed from each element, and empty elements |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1768 # removed. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1769 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1770 # Split at commas. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1771 elements = content.split(",") |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1772 # Remove linear whitespace at either end of the string. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1773 elements = [self.http_strip(e) for e in elements] |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1774 # Remove any now-empty elements. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1775 return [e for e in elements if e] |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
1776 |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1777 def handle_range_header(self, length, etag): |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1778 """Handle the 'Range' and 'If-Range' headers. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1779 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1780 'length' -- the length of the content available for the |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1781 resource. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1782 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1783 'etag' -- the entity tag for this resources. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1784 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1785 returns -- If the request headers (including 'Range' and |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1786 'If-Range') indicate that only a portion of the entity should |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1787 be returned, then the return value is a pair '(offfset, |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1788 length)' indicating the first byte and number of bytes of the |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1789 content that should be returned to the client. In addition, |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1790 this method will set 'self.response_code' to indicate Partial |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1791 Content. In all other cases, the return value is 'None'. If |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1792 appropriate, 'self.response_code' will be |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1793 set to indicate 'REQUESTED_RANGE_NOT_SATISFIABLE'. In that |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1794 case, the caller should not send any data to the client.""" |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1795 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1796 # RFC 2616 14.35: Range |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1797 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1798 # See if the Range header is present. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1799 ranges_specifier = self.env.get("HTTP_RANGE") |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1800 if ranges_specifier is None: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1801 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1802 # RFC 2616 14.27: If-Range |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1803 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1804 # Check to see if there is an If-Range header. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1805 # Because the specification says: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1806 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1807 # The If-Range header ... MUST be ignored if the request |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1808 # does not include a Range header, we check for If-Range |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1809 # after checking for Range. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1810 if_range = self.env.get("HTTP_IF_RANGE") |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1811 if if_range: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1812 # The grammar for the If-Range header is: |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
1813 # |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1814 # If-Range = "If-Range" ":" ( entity-tag | HTTP-date ) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1815 # entity-tag = [ weak ] opaque-tag |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1816 # weak = "W/" |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1817 # opaque-tag = quoted-string |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1818 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1819 # We only support strong entity tags. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1820 if_range = self.http_strip(if_range) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1821 if (not if_range.startswith('"') |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1822 or not if_range.endswith('"')): |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1823 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1824 # If the condition doesn't match the entity tag, then we |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1825 # must send the client the entire file. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1826 if if_range != etag: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1827 return |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1828 # The grammar for the Range header value is: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1829 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1830 # ranges-specifier = byte-ranges-specifier |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1831 # byte-ranges-specifier = bytes-unit "=" byte-range-set |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1832 # byte-range-set = 1#( byte-range-spec | suffix-byte-range-spec ) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1833 # byte-range-spec = first-byte-pos "-" [last-byte-pos] |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1834 # first-byte-pos = 1*DIGIT |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1835 # last-byte-pos = 1*DIGIT |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1836 # suffix-byte-range-spec = "-" suffix-length |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1837 # suffix-length = 1*DIGIT |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1838 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1839 # Look for the "=" separating the units from the range set. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1840 specs = ranges_specifier.split("=", 1) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1841 if len(specs) != 2: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1842 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1843 # Check that the bytes-unit is in fact "bytes". If it is not, |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1844 # we do not know how to process this range. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1845 bytes_unit = self.http_strip(specs[0]) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1846 if bytes_unit != "bytes": |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1847 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1848 # Seperate the range-set into range-specs. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1849 byte_range_set = self.http_strip(specs[1]) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1850 byte_range_specs = self.http_split(byte_range_set) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1851 # We only handle exactly one range at this time. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1852 if len(byte_range_specs) != 1: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1853 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1854 # Parse the spec. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1855 byte_range_spec = byte_range_specs[0] |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1856 pos = byte_range_spec.split("-", 1) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1857 if len(pos) != 2: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1858 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1859 # Get the first and last bytes. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1860 first = self.http_strip(pos[0]) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1861 last = self.http_strip(pos[1]) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1862 # We do not handle suffix ranges. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1863 if not first: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1864 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1865 # Convert the first and last positions to integers. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1866 try: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1867 first = int(first) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1868 if last: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1869 last = int(last) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1870 else: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1871 last = length - 1 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1872 except: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1873 # The positions could not be parsed as integers. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1874 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1875 # Check that the range makes sense. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1876 if (first < 0 or last < 0 or last < first): |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1877 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1878 if last >= length: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1879 # RFC 2616 10.4.17: 416 Requested Range Not Satisfiable |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1880 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1881 # If there is an If-Range header, RFC 2616 says that we |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1882 # should just ignore the invalid Range header. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1883 if if_range: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1884 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1885 # Return code 416 with a Content-Range header giving the |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1886 # allowable range. |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1887 self.response_code = http_.client.REQUESTED_RANGE_NOT_SATISFIABLE |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1888 self.setHeader("Content-Range", "bytes */%d" % length) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1889 return None |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1890 # RFC 2616 10.2.7: 206 Partial Content |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1891 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1892 # Tell the client that we are honoring the Range request by |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1893 # indicating that we are providing partial content. |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1894 self.response_code = http_.client.PARTIAL_CONTENT |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1895 # RFC 2616 14.16: Content-Range |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1896 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1897 # Tell the client what data we are providing. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1898 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1899 # content-range-spec = byte-content-range-spec |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1900 # byte-content-range-spec = bytes-unit SP |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1901 # byte-range-resp-spec "/" |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1902 # ( instance-length | "*" ) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1903 # byte-range-resp-spec = (first-byte-pos "-" last-byte-pos) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1904 # | "*" |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1905 # instance-length = 1 * DIGIT |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1906 self.setHeader("Content-Range", |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1907 "bytes %d-%d/%d" % (first, last, length)) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1908 return (first, last - first + 1) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1909 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1910 def write_file(self, filename): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1911 """Send the contents of 'filename' to the user.""" |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1912 |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1913 # Determine the length of the file. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1914 stat_info = os.stat(filename) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1915 length = stat_info[stat.ST_SIZE] |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1916 # Assume we will return the entire file. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1917 offset = 0 |
|
4648
e645820e8556
Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents:
4640
diff
changeset
|
1918 # If the headers have not already been finalized, |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1919 if not self.headers_done: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1920 # RFC 2616 14.19: ETag |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1921 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1922 # Compute the entity tag, in a format similar to that |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1923 # used by Apache. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1924 etag = '"%x-%x-%x"' % (stat_info[stat.ST_INO], |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1925 length, |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1926 stat_info[stat.ST_MTIME]) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1927 self.setHeader("ETag", etag) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1928 # RFC 2616 14.5: Accept-Ranges |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1929 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1930 # Let the client know that we will accept range requests. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1931 self.setHeader("Accept-Ranges", "bytes") |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1932 # RFC 2616 14.35: Range |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1933 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1934 # If there is a Range header, we may be able to avoid |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1935 # sending the entire file. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1936 content_range = self.handle_range_header(length, etag) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1937 if content_range: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1938 offset, length = content_range |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1939 # RFC 2616 14.13: Content-Length |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1940 # |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1941 # Tell the client how much data we are providing. |
| 4145 | 1942 self.setHeader("Content-Length", str(length)) |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1943 # Send the HTTP header. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1944 self.header() |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1945 # If the client doesn't actually want the body, or if we are |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1946 # indicating an invalid range. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1947 if (self.env['REQUEST_METHOD'] == 'HEAD' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1948 or self.response_code == http_.client.REQUESTED_RANGE_NOT_SATISFIABLE): |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1949 return |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1950 # Use the optimized "sendfile" operation, if possible. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1951 if hasattr(self.request, "sendfile"): |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1952 self._socket_op(self.request.sendfile, filename, offset, length) |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1953 return |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1954 # Fallback to the "write" operation. |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1955 f = open(filename, 'rb') |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1956 try: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1957 if offset: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1958 f.seek(offset) |
| 4077 | 1959 content = f.read(length) |
|
4064
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1960 finally: |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1961 f.close() |
|
662cd78df973
Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents:
4047
diff
changeset
|
1962 self.write(content) |
|
4047
e70643990e9c
Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents:
4046
diff
changeset
|
1963 |
|
2046
f913b6beac35
document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
1964 def setHeader(self, header, value): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1965 """Override a header to be returned to the user's browser. |
|
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1966 """ |
|
2046
f913b6beac35
document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
1967 self.additional_headers[header] = value |
|
f913b6beac35
document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
1968 |
|
1120
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
1969 def header(self, headers=None, response=None): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1970 """Put up the appropriate header. |
|
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
1971 """ |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1972 if headers is None: |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1973 headers = {'Content-Type':'text/html; charset=utf-8'} |
|
1120
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
1974 if response is None: |
|
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
1975 response = self.response_code |
|
1130
89bd02ffe4af
tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents:
1129
diff
changeset
|
1976 |
|
89bd02ffe4af
tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents:
1129
diff
changeset
|
1977 # update with additional info |
|
1120
c26471971d18
Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents:
1103
diff
changeset
|
1978 headers.update(self.additional_headers) |
|
1130
89bd02ffe4af
tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents:
1129
diff
changeset
|
1979 |
|
2279
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1980 if headers.get('Content-Type', 'text/html') == 'text/html': |
|
297e46e22e04
implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2248
diff
changeset
|
1981 headers['Content-Type'] = 'text/html; charset=utf-8' |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1982 |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1983 headers = list(headers.items()) |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1984 |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1985 for ((path, name), (value, expire)) in self._cookies.iteritems(): |
|
3548
61d48244e7a8
login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents:
3494
diff
changeset
|
1986 cookie = "%s=%s; Path=%s;"%(name, value, path) |
|
61d48244e7a8
login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents:
3494
diff
changeset
|
1987 if expire is not None: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4344
diff
changeset
|
1988 cookie += " expires=%s;"%get_cookie_date(expire) |
|
4586
b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4578
diff
changeset
|
1989 # mark as secure if https, see issue2550689 |
|
b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4578
diff
changeset
|
1990 if self.secure: |
|
b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4578
diff
changeset
|
1991 cookie += " secure;" |
|
5212
d4cc71beb102
Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents:
5211
diff
changeset
|
1992 ssc = self.db.config['WEB_SAMESITE_COOKIE_SETTING'] |
|
d4cc71beb102
Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents:
5211
diff
changeset
|
1993 if ssc != "None": |
|
d4cc71beb102
Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents:
5211
diff
changeset
|
1994 cookie += " SameSite=%s;"%ssc |
|
4586
b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4578
diff
changeset
|
1995 # prevent theft of session cookie, see issue2550689 |
|
b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4578
diff
changeset
|
1996 cookie += " HttpOnly;" |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1997 headers.append(('Set-Cookie', cookie)) |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
1998 |
|
3760
b8f52d030f1a
ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3736
diff
changeset
|
1999 self._socket_op(self.request.start_response, headers, response) |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
3687
diff
changeset
|
2000 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2001 self.headers_done = 1 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2002 if self.debug: |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2003 self.headers_sent = headers |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2004 |
|
2946
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2005 def add_cookie(self, name, value, expire=86400*365, path=None): |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2006 """Set a cookie value to be sent in HTTP headers |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2007 |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2008 Parameters: |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2009 name: |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2010 cookie name |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2011 value: |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2012 cookie value |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2013 expire: |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2014 cookie expiration time (seconds). |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2015 If value is empty (meaning "delete cookie"), |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2016 expiration time is forced in the past |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2017 and this argument is ignored. |
|
3548
61d48244e7a8
login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents:
3494
diff
changeset
|
2018 If None, the cookie will expire at end-of-session. |
|
2946
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2019 If omitted, the cookie will be kept for a year. |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2020 path: |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2021 cookie path (optional) |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2022 |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2023 """ |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2024 if path is None: |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2025 path = self.cookie_path |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2026 if not value: |
|
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2027 expire = -1 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3916
diff
changeset
|
2028 self._cookies[(path, name)] = (value, expire) |
|
2946
661028d24cd2
support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2942
diff
changeset
|
2029 |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2030 def make_user_anonymous(self): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
2031 """ Make us anonymous |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2032 |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2033 This method used to handle non-existence of the 'anonymous' |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2034 user, but that user is mandatory now. |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
2035 """ |
|
985
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2036 self.userid = self.db.user.lookup('anonymous') |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2037 self.user = 'anonymous' |
|
55ab0c5b49f9
New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2038 |
|
1801
9f9d35f3d8f7
Change the message asking for confirmation of registration...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1799
diff
changeset
|
2039 def standard_message(self, to, subject, body, author=None): |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
2040 """Send a standard email message from Roundup. |
|
2248
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2041 |
|
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2042 "to" - recipients list |
|
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2043 "subject" - Subject |
|
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2044 "body" - Message |
|
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2045 "author" - (name, address) tuple or None for admin email |
|
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2046 |
|
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2047 Arguments are passed to the Mailer.standard_message code. |
|
4065
1e28d58c6d1c
Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents:
4064
diff
changeset
|
2048 """ |
|
1799
071ea6fc803f
Extracted duplicated mail-sending code...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1798
diff
changeset
|
2049 try: |
|
1801
9f9d35f3d8f7
Change the message asking for confirmation of registration...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1799
diff
changeset
|
2050 self.mailer.standard_message(to, subject, body, author) |
|
1802
fe9d122f1bb1
Fix misnamed exception clause.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
1801
diff
changeset
|
2051 except MessageSendError, e: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4851
diff
changeset
|
2052 self.add_error_message(str(e)) |
|
2248
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2053 return 0 |
|
cd7e6d6288c6
fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents:
2246
diff
changeset
|
2054 return 1 |
|
1467
378081f066cc
registration is now a two-step process with confirmation from the
Richard Jones <richard@users.sourceforge.net>
parents:
1456
diff
changeset
|
2055 |
|
2107
b7404a96b58a
minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents:
2082
diff
changeset
|
2056 def parsePropsFromForm(self, create=0): |
|
2010
1b11ffd8015e
forward-porting of fixed edit action / parsePropsFromForm...
Richard Jones <richard@users.sourceforge.net>
parents:
2005
diff
changeset
|
2057 return FormParser(self).parse(create=create) |
|
1b11ffd8015e
forward-porting of fixed edit action / parsePropsFromForm...
Richard Jones <richard@users.sourceforge.net>
parents:
2005
diff
changeset
|
2058 |
|
2799
9605965569b0
disallow caching of pages with error and/or ok messages.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2724
diff
changeset
|
2059 # vim: set et sts=4 sw=4 : |