Mercurial > p > roundup > code
annotate roundup/cgi/wsgi_handler.py @ 5664:5579fa034f9e
Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 22 Mar 2019 18:16:11 -0400 |
| parents | dccf9b7e5ee4 |
| children | 1a835db41674 |
| rev | line source |
|---|---|
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1 # WSGI interface for Roundup Issue Tracker |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2 # |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
3 # This module is free software, you may redistribute it |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
4 # and/or modify under the same terms as Python. |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
5 # |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
6 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
7 import os |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
8 import cgi |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
9 import weakref |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
10 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
11 import roundup.instance |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
12 from roundup.cgi import TranslationService |
|
5409
277e91bf7936
Python 3 preparation: update BaseHTTPServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5378
diff
changeset
|
13 from roundup.anypy import http_ |
|
5609
dccf9b7e5ee4
Fix CSV export with WSGI and Python 3 (issue2551019).
Tom Ekberg <tekberg@uw.edu>
parents:
5539
diff
changeset
|
14 from roundup.anypy.strings import s2b, bs2b |
|
5409
277e91bf7936
Python 3 preparation: update BaseHTTPServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5378
diff
changeset
|
15 BaseHTTPRequestHandler = http_.server.BaseHTTPRequestHandler |
|
277e91bf7936
Python 3 preparation: update BaseHTTPServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5378
diff
changeset
|
16 DEFAULT_ERROR_MESSAGE = http_.server.DEFAULT_ERROR_MESSAGE |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
17 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
18 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
19 class Writer(object): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
20 '''Perform a start_response if need be when we start writing.''' |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
21 def __init__(self, request): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
22 self.request = request #weakref.ref(request) |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
23 def write(self, data): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
24 f = self.request.get_wfile() |
|
5609
dccf9b7e5ee4
Fix CSV export with WSGI and Python 3 (issue2551019).
Tom Ekberg <tekberg@uw.edu>
parents:
5539
diff
changeset
|
25 self.write = lambda data: f(bs2b(data)) |
|
dccf9b7e5ee4
Fix CSV export with WSGI and Python 3 (issue2551019).
Tom Ekberg <tekberg@uw.edu>
parents:
5539
diff
changeset
|
26 return self.write(data) |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
27 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
28 class RequestDispatcher(object): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
29 def __init__(self, home, debug=False, timing=False, lang=None): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
30 assert os.path.isdir(home), '%r is not a directory'%(home,) |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
31 self.home = home |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
32 self.debug = debug |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
33 self.timing = timing |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
34 if lang: |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
35 self.translator = TranslationService.get_translation(lang, |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
36 tracker_home=home) |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
37 else: |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
38 self.translator = None |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
39 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
40 def __call__(self, environ, start_response): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
41 """Initialize with `apache.Request` object""" |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
42 self.environ = environ |
|
3990
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
43 request = RequestDispatcher(self.home, self.debug, self.timing) |
|
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
44 request.__start_response = start_response |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
45 |
|
3990
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
46 request.wfile = Writer(request) |
|
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
47 request.__wfile = None |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
48 |
|
4292
859ab007829f
Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3990
diff
changeset
|
49 if environ ['REQUEST_METHOD'] == 'OPTIONS': |
|
859ab007829f
Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3990
diff
changeset
|
50 code = 501 |
|
859ab007829f
Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3990
diff
changeset
|
51 message, explain = BaseHTTPRequestHandler.responses[code] |
|
859ab007829f
Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3990
diff
changeset
|
52 request.start_response([('Content-Type', 'text/html'), |
|
859ab007829f
Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3990
diff
changeset
|
53 ('Connection', 'close')], code) |
|
5539
3a07c57d72bb
Handle string-to-bytes conversions for Python 3 for wsgi_handler.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5409
diff
changeset
|
54 request.wfile.write(s2b(DEFAULT_ERROR_MESSAGE % locals())) |
|
4292
859ab007829f
Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3990
diff
changeset
|
55 return [] |
|
859ab007829f
Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3990
diff
changeset
|
56 |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
57 tracker = roundup.instance.open(self.home, not self.debug) |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
58 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
59 # need to strip the leading '/' |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
60 environ["PATH_INFO"] = environ["PATH_INFO"][1:] |
|
3990
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
61 if request.timing: |
|
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
62 environ["CGI_SHOW_TIMING"] = request.timing |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
63 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
64 form = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ) |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
65 |
|
3990
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
66 client = tracker.Client(tracker, request, environ, form, |
|
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
67 request.translator) |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
68 try: |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
69 client.main() |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
70 except roundup.cgi.client.NotFound: |
|
3990
0728808fdf5c
make WSGI threadsafe
Richard Jones <richard@users.sourceforge.net>
parents:
3736
diff
changeset
|
71 request.start_response([('Content-Type', 'text/html')], 404) |
|
5664
5579fa034f9e
Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035
John Rouillard <rouilj@ieee.org>
parents:
5609
diff
changeset
|
72 request.wfile.write(s2b('Not found: %s'%cgi.escape(client.path))) |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
73 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
74 # all body data has been written using wfile |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
75 return [] |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
76 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
77 def start_response(self, headers, response_code): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
78 """Set HTTP response code""" |
|
4303
7aa72c31464d
Fix WSGI response code (thanks Peter Pöml)
Richard Jones <richard@users.sourceforge.net>
parents:
4292
diff
changeset
|
79 message, explain = BaseHTTPRequestHandler.responses[response_code] |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
80 self.__wfile = self.__start_response('%d %s'%(response_code, |
|
4303
7aa72c31464d
Fix WSGI response code (thanks Peter Pöml)
Richard Jones <richard@users.sourceforge.net>
parents:
4292
diff
changeset
|
81 message), headers) |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
82 |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
83 def get_wfile(self): |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
84 if self.__wfile is None: |
|
5378
35ea9b1efc14
Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents:
4303
diff
changeset
|
85 raise ValueError('start_response() not called') |
|
3736
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
86 return self.__wfile |
|
a2d22d0de0bc
WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
87 |