Mercurial > p > roundup > code

annotate roundup/cgi/client.py @ 5656:d26d2590cd8c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Implement different workaround for https://bugs.python.org/issue27777 suggested by jsm/Joseph Myers. Subclass cgi.FieldStorage into BinaryFieldStorage and use that class rather then monkey patching cgi.FieldStorage.make_file. This should eliminate race conditions issues inherent with the prior way I tried to do it by flipping the class method back and forth at runtime. Also import new class into rest_common.py and use it in place of old mechanism.
author John Rouillard <rouilj@ieee.org>
date Tue, 19 Mar 2019 21:58:49 -0400
parents 207e0f5d551c
children 7e1b2a723253
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1 """WWW request handler (also used in the stand-alone server).
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2 """
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
3 __docformat__ = 'restructuredtext'
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
4
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
5 import logging
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
6 logger = logging.getLogger('roundup')
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
7
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
8 import base64, binascii, cgi, codecs, mimetypes, os
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
9 import quopri, re, stat, sys, time
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
10 import socket, errno, hashlib
4980
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
11 import email.utils
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
12 from traceback import format_exc
2233
3d9bb1a052d1 fix random seeding for forking server
Richard Jones <richard@users.sourceforge.net>
parents: 2230
diff changeset
13
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
14 import roundup.anypy.random_ as random_
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
15 if not random_.is_weak:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
16 logger.debug("Importing good random generator")
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
17 else:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
18 logger.warning("**SystemRandom not available. Using poor random generator")
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
19
4638
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
20 try:
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
21 from OpenSSL.SSL import SysCallError
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
22 except ImportError:
5429
daa19de102a2 Python 3 preparation: make fallback SysCallError an actual exception class.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5422
diff changeset
23 class SysCallError(Exception):
daa19de102a2 Python 3 preparation: make fallback SysCallError an actual exception class.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5422
diff changeset
24 pass
4638
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
25
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1987
diff changeset
26 from roundup import roundupdb, date, hyperdb, password
2557
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
27 from roundup.cgi import templating, cgitb, TranslationService
5073
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
28 from roundup.cgi import actions
5218
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
29 from roundup.exceptions import LoginError, Reject, RejectRaw, \
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
30 Unauthorised, UsageError
5073
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
31 from roundup.cgi.exceptions import (
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
32 FormError, NotFound, NotModified, Redirect, SendFile, SendStaticFile,
5079
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
33 DetectorError, SeriousError)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1987
diff changeset
34 from roundup.cgi.form_parser import FormParser
5493
725266c03eab updated mailgw to no longer use mimetools based on jerrykan's patch
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5488
diff changeset
35 from roundup.mailer import Mailer, MessageSendError
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
36 from roundup.cgi import accept_language
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
37 from roundup import xmlrpc
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
38 from roundup import rest
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
39
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
40 from roundup.anypy.cookie_ import CookieError, BaseCookie, SimpleCookie, \
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
41 get_cookie_date
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
42 from roundup.anypy import http_
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
43 from roundup.anypy import urllib_
5408
e46ce04d5bbc Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5395
diff changeset
44 from roundup.anypy import xmlrpc_
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
45
5422
a0ed8d5d744f Python 3 preparation: update email module names.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5417
diff changeset
46 from email.mime.base import MIMEBase
a0ed8d5d744f Python 3 preparation: update email module names.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5417
diff changeset
47 from email.mime.text import MIMEText
a0ed8d5d744f Python 3 preparation: update email module names.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5417
diff changeset
48 from email.mime.multipart import MIMEMultipart
4979
f1a2bd1dea77 issue2550877: Writing headers with the email module will use continuation_ws = ' ' now for python 2.5 and 2.6 when importing anypy.email_.
Bernhard Reiter <bernhard@intevation.de>
parents: 4962
diff changeset
49 import roundup.anypy.email_
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
50
5613
0a8f0fddc2ae Support non-ASCII prefixes in instance config for finding static files (issue2551022).
Cédric Krier <cedric.krier@b2ck.com>
parents: 5608
diff changeset
51 from roundup.anypy.strings import s2b, b2s, uchr, is_us
5417
c749d6795bc2 Python 3 preparation: unichr.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5408
diff changeset
52
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
53 def initialiseSecurity(security):
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
54 '''Create some Permissions and Roles on the security object
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
55
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
56 This function is directly invoked by security.Security.__init__()
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
57 as a part of the Security object instantiation.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
58 '''
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
59 p = security.addPermission(name="Web Access",
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
60 description="User may access the web interface")
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
61 security.addPermissionToRole('Admin', p)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
62
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
63 # doing Role stuff through the web - make sure Admin can
3276
3124e578db02 Email fixes:
Richard Jones <richard@users.sourceforge.net>
parents: 3069
diff changeset
64 # TODO: deprecate this and use a property-based control
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
65 p = security.addPermission(name="Web Roles",
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
66 description="User may manipulate user Roles through the web")
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
67 security.addPermissionToRole('Admin', p)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
68
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
69 def add_message(msg_list, msg, escape=True):
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
70 if escape:
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
71 msg = cgi.escape(msg).replace('\n', '<br />\n')
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
72 else:
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
73 msg = msg.replace('\n', '<br />\n')
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
74 msg_list.append (msg)
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
75 return msg_list # for unittests
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
76
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
77 default_err_msg = ''"""<html><head><title>An error has occurred</title></head>
3554
5e70726a86dd fixed schema migration problem when Class keys were removed
Richard Jones <richard@users.sourceforge.net>
parents: 3551
diff changeset
78 <body><h1>An error has occurred</h1>
3551
3c70ab03c917 translate error message shown instead of tracebacks, add page title
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3548
diff changeset
79 <p>A problem was encountered processing your request.
3c70ab03c917 translate error message shown instead of tracebacks, add page title
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3548
diff changeset
80 The tracker maintainers have been notified of the problem.</p>
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
81 </body></html>"""
3548
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
82
5356
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
83 def seed_pseudorandom():
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
84 '''A function to seed the default pseudorandom random number generator
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
85 which is used to (at minimum):
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
86 * generate part of email message-id
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
87 * generate OTK for password reset
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
88 * generate the temp recovery password
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
89
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
90 This function limits the scope of the 'import random' call
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
91 as the random identifier is used throughout the code and
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
92 can refer to SystemRandom.
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
93 '''
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
94 import random
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
95 random.seed()
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
96
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
97 class LiberalCookie(SimpleCookie):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
98 """ Python's SimpleCookie throws an exception if the cookie uses invalid
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
99 syntax. Other applications on the same server may have done precisely
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
100 this, preventing roundup from working through no fault of roundup.
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
101 Numerous other python apps have run into the same problem:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
102
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
103 trac: http://trac.edgewall.org/ticket/2256
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
104 mailman: http://bugs.python.org/issue472646
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
105
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
106 This particular implementation comes from trac's solution to the
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
107 problem. Unfortunately it requires some hackery in SimpleCookie's
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
108 internals to provide a more liberal __set method.
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
109 """
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
110 def load(self, rawdata, ignore_parse_errors=True):
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
111 if ignore_parse_errors:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
112 self.bad_cookies = []
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
113 self._BaseCookie__set = self._loose_set
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
114 SimpleCookie.load(self, rawdata)
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
115 if ignore_parse_errors:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
116 self._BaseCookie__set = self._strict_set
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
117 for key in self.bad_cookies:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
118 del self[key]
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
119
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
120 _strict_set = BaseCookie._BaseCookie__set
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
121
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
122 def _loose_set(self, key, real_value, coded_value):
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
123 try:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
124 self._strict_set(key, real_value, coded_value)
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
125 except CookieError:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
126 self.bad_cookies.append(key)
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
127 dict.__setitem__(self, key, None)
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
128
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
129
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
130 class Session:
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
131 """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
132 Needs DB to be already opened by client
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
133
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
134 Session attributes at instantiation:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
135
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
136 - "client" - reference to client for add_cookie function
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
137 - "session_db" - session DB manager
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
138 - "cookie_name" - name of the cookie with session id
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
139 - "_sid" - session id for current user
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
140 - "_data" - session data cache
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
141
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
142 session = Session(client)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
143 session.set(name=value)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
144 value = session.get(name)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
145
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
146 session.destroy() # delete current session
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
147 session.clean_up() # clean up session table
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
148
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
149 session.update(set_cookie=True, expire=3600*24*365)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
150 # refresh session expiration time, setting persistent
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
151 # cookie if needed to last for 'expire' seconds
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
152
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
153 """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
154
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
155 def __init__(self, client):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
156 self._data = {}
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
157 self._sid = None
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
158
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
159 self.client = client
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
160 self.session_db = client.db.getSessionManager()
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
161
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
162 # parse cookies for session id
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
163 self.cookie_name = 'roundup_session_%s' % \
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
164 re.sub('[^a-zA-Z]', '', client.instance.config.TRACKER_NAME)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
165 cookies = LiberalCookie(client.env.get('HTTP_COOKIE', ''))
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
166 if self.cookie_name in cookies:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
167 if not self.session_db.exists(cookies[self.cookie_name].value):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
168 self._sid = None
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
169 # remove old cookie
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
170 self.client.add_cookie(self.cookie_name, None)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
171 else:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
172 self._sid = cookies[self.cookie_name].value
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
173 self._data = self.session_db.getall(self._sid)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
174
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
175 def _gen_sid(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
176 """ generate a unique session key """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
177 while 1:
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
178 s = b2s(binascii.b2a_base64(random_.token_bytes(32)).strip())
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
179 if not self.session_db.exists(s):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
180 break
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
181
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
182 # clean up the base64
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
183 if s[-1] == '=':
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
184 if s[-2] == '=':
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
185 s = s[:-2]
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
186 else:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
187 s = s[:-1]
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
188 return s
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
189
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
190 def clean_up(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
191 """Remove expired sessions"""
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
192 self.session_db.clean()
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
193
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
194 def destroy(self):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
195 self.client.add_cookie(self.cookie_name, None)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
196 self._data = {}
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
197 self.session_db.destroy(self._sid)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
198 self.session_db.commit()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
199
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
200 def get(self, name, default=None):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
201 return self._data.get(name, default)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
202
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
203 def set(self, **kwargs):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
204 self._data.update(kwargs)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
205 if not self._sid:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
206 self._sid = self._gen_sid()
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
207 self.session_db.set(self._sid, **self._data)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
208 # add session cookie
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
209 self.update(set_cookie=True)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
210
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
211 # XXX added when patching 1.4.4 for backward compatibility
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
212 # XXX remove
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
213 self.client.session = self._sid
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
214 else:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
215 self.session_db.set(self._sid, **self._data)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
216 self.session_db.commit()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
217
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
218 def update(self, set_cookie=False, expire=None):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
219 """ update timestamp in db to avoid expiration
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
220
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
221 if 'set_cookie' is True, set cookie with 'expire' seconds lifetime
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
222 if 'expire' is None - session will be closed with the browser
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
223
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
224 XXX the session can be purged within a week even if a cookie
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
225 lifetime is longer
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
226 """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
227 self.session_db.updateTimestamp(self._sid)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
228 self.session_db.commit()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
229
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
230 if set_cookie:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
231 self.client.add_cookie(self.cookie_name, self._sid, expire=expire)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
232
5656
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
233 class BinaryFieldStorage(cgi.FieldStorage):
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
234 '''This class works around the bug https://bugs.python.org/issue27777.
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
235
5656
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
236 cgi.FieldStorage must save all data as binary/bytes. This is
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
237 needed for handling json and xml data blobs under python
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
238 3. Under python 2, str and binary are interchangable, not so
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
239 under 3.
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
240 '''
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
241 def make_file(self, mode=None):
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
242 ''' work around https://bugs.python.org/issue27777 '''
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
243 import tempfile
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
244 return tempfile.TemporaryFile("wb+")
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
245
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
246 class Client:
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
247 """Instantiate to handle one CGI request.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
248
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
249 See inner_main for request processing.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
250
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
251 Client attributes at instantiation:
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
252
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
253 - "path" is the PATH_INFO inside the instance (with no leading '/')
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
254 - "base" is the base URL for the instance
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
255 - "form" is the cgi form, an instance of FieldStorage from the standard
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
256 cgi module
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
257 - "additional_headers" is a dictionary of additional HTTP headers that
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
258 should be sent to the client
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
259 - "response_code" is the HTTP response code to send to the client
2557
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
260 - "translator" is TranslationService instance
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
261 - "client-nonce" is a unique value for this client connection. Can be
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
262 used as a nonce for CSP headers and to sign javascript code
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
263 presented to the browser. This is different from the CSRF nonces
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
264 and can not be used for anti-csrf measures.
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
265
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
266 During the processing of a request, the following attributes are used:
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
267
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
268 - "db"
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
269 - "_error_message" holds a list of error messages
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
270 - "_ok_message" holds a list of OK messages
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
271 - "session" is deprecated in favor of session_api (XXX remove)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
272 - "session_api" is the interface to store data in session
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
273 - "user" is the current user's name
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
274 - "userid" is the current user's id
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
275 - "template" is the current :template context
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
276 - "classname" is the current class context name
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
277 - "nodeid" is the current context item id
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
278
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
279 Note: _error_message and _ok_message should not be modified
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
280 directly, use add_ok_message and add_error_message, these, by
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
281 default, escape the message added to avoid XSS security issues.
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
282
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
283 User Identification:
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
284 Users that are absent in session data are anonymous and are logged
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
285 in as that user. This typically gives them all Permissions assigned
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
286 to the Anonymous Role.
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
287
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
288 Every user is assigned a session. "session_api" is the interface
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
289 to work with session data.
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
290
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
291 Special form variables:
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
292 Note that in various places throughout this code, special form
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
293 variables of the form :<name> are used. The colon (":") part may
1436
2f6647cf5345 bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents: 1435
diff changeset
294 actually be one of either ":" or "@".
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
295 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
296
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
297 # charset used for data storage and form templates
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
298 # Note: must be in lower case for comparisons!
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
299 # XXX take this from instance.config?
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
300 STORAGE_CHARSET = 'utf-8'
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
301
1421
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
302 #
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
303 # special form variables
1421
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
304 #
1436
2f6647cf5345 bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents: 1435
diff changeset
305 FV_TEMPLATE = re.compile(r'[@:]template')
2f6647cf5345 bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents: 1435
diff changeset
306 FV_OK_MESSAGE = re.compile(r'[@:]ok_message')
2f6647cf5345 bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents: 1435
diff changeset
307 FV_ERROR_MESSAGE = re.compile(r'[@:]error_message')
1421
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
308
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
309 # Note: index page stuff doesn't appear here:
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
310 # columns, sort, sortdir, filter, group, groupdir, search_text,
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
311 # pagesize, startwith
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
312
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
313 # list of network error codes that shouldn't be reported to tracker admin
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
314 # (error descriptions from FreeBSD intro(2))
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
315 IGNORE_NET_ERRORS = (
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
316 # A write on a pipe, socket or FIFO for which there is
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
317 # no process to read the data.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
318 errno.EPIPE,
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
319 # A connection was forcibly closed by a peer.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
320 # This normally results from a loss of the connection
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
321 # on the remote socket due to a timeout or a reboot.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
322 errno.ECONNRESET,
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
323 # Software caused connection abort. A connection abort
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
324 # was caused internal to your host machine.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
325 errno.ECONNABORTED,
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
326 # A connect or send request failed because the connected party
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
327 # did not properly respond after a period of time.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
328 errno.ETIMEDOUT,
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
329 )
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
330
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
331 def __init__(self, instance, request, env, form=None, translator=None):
5356
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
332 # re-seed the random number generator. Is this is an instance of
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
333 # random.SystemRandom it has no effect.
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
334 random_.seed()
5356
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
335 # So we also seed the pseudorandom random source obtained from
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
336 # import random
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
337 # to make sure that every forked copy of the client will return
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
338 # new random numbers.
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
339 seed_pseudorandom()
2230
ca2664e095be disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents: 2183
diff changeset
340 self.start = time.time()
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
341 self.instance = instance
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
342 self.request = request
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
343 self.env = env
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
344 self.setTranslator(translator)
1799
071ea6fc803f Extracted duplicated mail-sending code...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1798
diff changeset
345 self.mailer = Mailer(instance.config)
5166
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
346 # If True the form contents wins over the database contents when
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
347 # rendering html properties. This is set when an error occurs so
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
348 # that we don't lose submitted form contents.
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
349 self.form_wins = False
1004
5f12d3259f31 logout works better now
Richard Jones <richard@users.sourceforge.net>
parents: 1003
diff changeset
350
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
351 # save off the path
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
352 self.path = env['PATH_INFO']
1004
5f12d3259f31 logout works better now
Richard Jones <richard@users.sourceforge.net>
parents: 1003
diff changeset
353
1398
b3e1e9ab0500 fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents: 1393
diff changeset
354 # this is the base URL for this tracker
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
355 self.base = self.instance.config.TRACKER_WEB
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
356
4586
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
357 # should cookies be secure?
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
358 self.secure = self.base.startswith ('https')
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
359
2183
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2137
diff changeset
360 # check the tracker_we setting
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2137
diff changeset
361 if not self.base.endswith('/'):
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2137
diff changeset
362 self.base = self.base + '/'
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2137
diff changeset
363
1398
b3e1e9ab0500 fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents: 1393
diff changeset
364 # this is the "cookie path" for this tracker (ie. the path part of
b3e1e9ab0500 fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents: 1393
diff changeset
365 # the "base" url)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
366 self.cookie_path = urllib_.urlparse(self.base)[2]
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
367 # cookies to set in http responce
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
368 # {(path, name): (value, expire)}
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
369 self._cookies = {}
1398
b3e1e9ab0500 fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents: 1393
diff changeset
370
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
371 # define a unique nonce. Can be used for Content Security Policy
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
372 # nonces for scripts.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
373 self.client_nonce = self._gen_nonce()
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
374
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
375 # see if we need to re-parse the environment for the form (eg Zope)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
376 if form is None:
5608
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
377 # cgi.FieldStorage doesn't special case OPTIONS, DELETE or
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
378 # PATCH verbs. They are processed like POST. So FieldStorage
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
379 # hangs on these verbs trying to read posted data that
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
380 # will never arrive.
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
381 # If not defined, set CONTENT_LENGTH to 0 so it doesn't
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
382 # hang reading the data.
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
383 if self.env['REQUEST_METHOD'] in ['OPTIONS', 'DELETE', 'PATCH']:
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
384 if 'CONTENT_LENGTH' not in self.env:
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
385 self.env['CONTENT_LENGTH'] = 0
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
386 logger.debug("Setting CONTENT_LENGTH to 0 for method: %s",
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
387 self.env['REQUEST_METHOD'])
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
388
5653
ba67e397f063 Fix string/bytes issues under python 3.
John Rouillard <rouilj@ieee.org>
parents: 5624
diff changeset
389 # cgi.FieldStorage must save all data as
5656
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
390 # binary/bytes. Subclass BinaryFieldStorage does this.
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
391 # It's a workaround for a bug in cgi.FieldStorage. See class
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
392 # def for details.
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
393 self.form = BinaryFieldStorage(fp=request.rfile, environ=env)
5554
a06a88ed38ae Fake a list property to prevent "Error: not indexable".
martin.v.loewis <martin.v.loewis>
parents: 5549
diff changeset
394 # In some case (e.g. content-type application/xml), cgi
a06a88ed38ae Fake a list property to prevent "Error: not indexable".
martin.v.loewis <martin.v.loewis>
parents: 5549
diff changeset
395 # will not parse anything. Fake a list property in this case
a06a88ed38ae Fake a list property to prevent "Error: not indexable".
martin.v.loewis <martin.v.loewis>
parents: 5549
diff changeset
396 if self.form.list is None:
a06a88ed38ae Fake a list property to prevent "Error: not indexable".
martin.v.loewis <martin.v.loewis>
parents: 5549
diff changeset
397 self.form.list = []
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
398 else:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
399 self.form = form
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
400
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
401 # turn debugging on/off
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
402 try:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
403 self.debug = int(env.get("ROUNDUP_DEBUG", 0))
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
404 except ValueError:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
405 # someone gave us a non-int debug level, turn it off
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
406 self.debug = 0
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
407
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
408 # flag to indicate that the HTTP headers have been sent
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
409 self.headers_done = 0
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
410
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
411 # additional headers to send with the request - must be registered
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
412 # before the first write
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
413 self.additional_headers = {}
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
414 self.response_code = 200
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
415
2947
e611be5ee6c4 initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2946
diff changeset
416 # default character set
e611be5ee6c4 initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2946
diff changeset
417 self.charset = self.STORAGE_CHARSET
e611be5ee6c4 initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2946
diff changeset
418
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
419 # parse cookies (used for charset lookups)
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
420 # use our own LiberalCookie to handle bad apps on the same
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
421 # server that have set cookies that are out of spec
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
422 self.cookie = LiberalCookie(self.env.get('HTTP_COOKIE', ''))
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
423
2928
81c99c857b57 applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2923
diff changeset
424 self.user = None
81c99c857b57 applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2923
diff changeset
425 self.userid = None
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
426 self.nodeid = None
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
427 self.classname = None
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
428 self.template = None
2928
81c99c857b57 applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2923
diff changeset
429
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
430 def _gen_nonce(self):
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
431 """ generate a unique nonce """
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
432 n = b2s(base64.b32encode(random_.token_bytes(40)))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
433 return n
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
434
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
435 def setTranslator(self, translator=None):
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
436 """Replace the translation engine
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
437
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
438 'translator'
2557
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
439 is TranslationService instance.
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
440 It must define methods 'translate' (TAL-compatible i18n),
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
441 'gettext' and 'ngettext' (gettext-compatible i18n).
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
442
2557
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
443 If omitted, create default TranslationService.
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
444 """
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
445 if translator is None:
2808
18c28d22b3b5 pass tracker home directory to get_translation()
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2800
diff changeset
446 translator = TranslationService.get_translation(
2923
29563959c026 language defaults to config option TRACKER_LANGUAGE
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2906
diff changeset
447 language=self.instance.config["TRACKER_LANGUAGE"],
2808
18c28d22b3b5 pass tracker home directory to get_translation()
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2800
diff changeset
448 tracker_home=self.instance.config["TRACKER_HOME"])
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
449 self.translator = translator
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
450 self._ = self.gettext = translator.gettext
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
451 self.ngettext = translator.ngettext
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
452
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
453 def main(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
454 """ Wrap the real main in a try/finally so we always close off the db.
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
455 """
5603
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
456 xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
457 rest_enabled = self.instance.config.WEB_ENABLE_REST
1133
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
458 try:
5603
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
459 if xmlrpc_enabled and self.path == 'xmlrpc':
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
460 self.handle_xmlrpc()
5603
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
461 elif rest_enabled and (self.path == 'rest' or
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
462 self.path[:5] == 'rest/'):
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
463 self.handle_rest()
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
464 else:
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
465 self.inner_main()
1133
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
466 finally:
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
467 if hasattr(self, 'db'):
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
468 self.db.close()
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
469
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
470
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
471 def handle_xmlrpc(self):
4919
24209344b507 Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents: 4903
diff changeset
472 if self.env.get('CONTENT_TYPE') != 'text/xml':
5437
a1971da1c5da Python 3 preparation: send bytes to socket in cgi/client.py.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5430
diff changeset
0fb04e717de0 fix encoding in handle_xmlrpc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5441
diff changeset
475 b"XML-RPC interface</a>.")
4919
24209344b507 Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents: 4903
diff changeset
476 return
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
477
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
478 # Pull the raw XML out of the form. The "value" attribute
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
479 # will be the raw content of the POST request.
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
480 assert self.form.file
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
481 input = self.form.value
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
482 # So that the rest of Roundup can query the form in the
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
483 # usual way, we create an empty list of fields.
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
484 self.form.list = []
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
485
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
486 # Set the charset and language, since other parts of
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
487 # Roundup may depend upon that.
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
488 self.determine_charset()
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
489 self.determine_language()
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
490 # Open the database as the correct user.
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
491 self.determine_user()
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
492 self.check_anonymous_access()
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
493
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
494 try:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
495 # coverting from function returning true/false to
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
496 # raising exceptions
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
497 # Call csrf with xmlrpc checks enabled.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
498 # It will return True if everything is ok,
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
499 # raises exception on check failure.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
500 csrf_ok = self.handle_csrf(xmlrpc=True)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
501 except (Unauthorised, UsageError) as msg:
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
502 # report exception back to server
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
503 exc_type, exc_value, exc_tb = sys.exc_info()
5408
e46ce04d5bbc Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5395
diff changeset
504 output = xmlrpc_.client.dumps(
e46ce04d5bbc Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5395
diff changeset
505 xmlrpc_.client.Fault(1, "%s:%s" % (exc_type, exc_value)),
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
506 allow_none=True)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
507 csrf_ok = False # we had an error, failed check
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
508
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
509 if csrf_ok == True:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
510 handler = xmlrpc.RoundupDispatcher(self.db,
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4079
diff changeset
511 self.instance.actions,
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4079
diff changeset
512 self.translator,
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
513 allow_none=True)
5474
4c9192393cd9 encoding fixes
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5456
diff changeset
514 output = handler.dispatch(input)
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
515
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
516 self.setHeader("Content-Type", "text/xml")
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
517 self.setHeader("Content-Length", str(len(output)))
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
518 self.write(output)
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
519
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
520 def handle_rest(self):
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
521 # Set the charset and language
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
522 self.determine_charset()
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
523 self.determine_language()
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
524 # Open the database as the correct user.
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
525 # TODO: add everything to RestfulDispatcher
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
526 self.determine_user()
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
527 self.check_anonymous_access()
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
528
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
529 # Call rest library to handle the request
5568
edab9daa8015 Make objects returned by REST follow the standard
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5562
diff changeset
530 handler = rest.RestfulInstance(self, self.db)
5562
70df783c4c0b Cleanup, fixed a bug with delete action
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5556
diff changeset
531 output = handler.dispatch(self.env['REQUEST_METHOD'], self.path,
70df783c4c0b Cleanup, fixed a bug with delete action
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5556
diff changeset
532 self.form)
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
533
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
534 # self.setHeader("Content-Type", "text/xml")
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
535 self.setHeader("Content-Length", str(len(output)))
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
536 self.write(output)
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
537
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
538 def add_ok_message(self, msg, escape=True):
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
539 add_message(self._ok_message, msg, escape)
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
540
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
541 def add_error_message(self, msg, escape=True):
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
542 add_message(self._error_message, msg, escape)
5166
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
543 # Want to interpret form values when rendering when an error
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
544 # occurred:
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
545 self.form_wins = True
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
546
1133
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
547 def inner_main(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
548 """Process a request.
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
549
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
550 The most common requests are handled like so:
1054
3d8ea16347aa more explanatory docstring
Richard Jones <richard@users.sourceforge.net>
parents: 1053
diff changeset
551
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
552 1. look for charset and language preferences, set up user locale
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
553 see determine_charset, determine_language
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
554 2. figure out who we are, defaulting to the "anonymous" user
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
555 see determine_user
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
556 3. figure out what the request is for - the context
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
557 see determine_context
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
558 4. handle any requested action (item edit, search, ...)
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
559 see handle_action
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
560 5. render a template, resulting in HTML output
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
561
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
562 In some situations, exceptions occur:
1054
3d8ea16347aa more explanatory docstring
Richard Jones <richard@users.sourceforge.net>
parents: 1053
diff changeset
563
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
564 - HTTP Redirect (generally raised by an action)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
565 - SendFile (generally raised by determine_context)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
566 serve up a FileClass "content" property
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
567 - SendStaticFile (generally raised by determine_context)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
568 serve up a file from the tracker "html" directory
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
569 - Unauthorised (generally raised by an action)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
570 the action is cancelled, the request is rendered and an error
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
571 message is displayed indicating that permission was not
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
572 granted for the action to take place
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
573 - templating.Unauthorised (templating action not permitted)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
574 raised by an attempted rendering of a template when the user
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
575 doesn't have permission
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
576 - NotFound (raised wherever it needs to be)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
577 percolates up to the CGI interface that called the client
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
578 """
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
579 self._ok_message = []
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
580 self._error_message = []
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
581 try:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
582 self.determine_charset()
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
583 self.determine_language()
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
584
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
585 try:
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
586 # make sure we're identified (even anonymously)
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
587 self.determine_user()
2938
463902a0fbbb determine user before context:
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2937
diff changeset
588
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
589 # figure out the context and desired content template
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
590 self.determine_context()
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
591
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
592 # if we've made it this far the context is to a bit of
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
593 # Roundup's real web interface (not a file being served up)
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
594 # so do the Anonymous Web Acess check now
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
595 self.check_anonymous_access()
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
596
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
597 # check for a valid csrf token identifying the right user
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
598 csrf_ok = True
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
599 try:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
600 # coverting from function returning true/false to
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
601 # raising exceptions
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
602 csrf_ok = self.handle_csrf()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
603 except (UsageError, Unauthorised) as msg:
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
604 csrf_ok = False
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
605 self.form_wins = True
5475
da22ff1c3501 use .args for exception information
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5474
diff changeset
606 self._error_message = msg.args
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
607
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
608 if csrf_ok:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
609 # csrf checks pass. Run actions etc.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
610 # possibly handle a form submit action (may change
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
611 # self.classname and self.template, and may also
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
612 # append error/ok_messages)
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
613 html = self.handle_action()
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
614 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
615 html = None
1697
c9f67f2f7ba7 don't open the database for static files
Richard Jones <richard@users.sourceforge.net>
parents: 1692
diff changeset
616
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
617 if html:
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
618 self.write_html(html)
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
619 return
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
620
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
621 # now render the page
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
622 # we don't want clients caching our dynamic pages
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
623 self.additional_headers['Cache-Control'] = 'no-cache'
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
624 # Pragma: no-cache makes Mozilla and its ilk
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
625 # double-load all pages!!
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
626 # self.additional_headers['Pragma'] = 'no-cache'
1579
07a6b8587bc2 removed Pragma: no-cache...
Richard Jones <richard@users.sourceforge.net>
parents: 1562
diff changeset
627
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
628 # pages with messages added expire right now
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
629 # simple views may be cached for a small amount of time
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
630 # TODO? make page expire time configurable
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
631 # <rj> always expire pages, as IE just doesn't seem to do the
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
632 # right thing here :(
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
633 date = time.time() - 1
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
634 #if self._error_message or self._ok_message:
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
635 # date = time.time() - 1
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
636 #else:
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
637 # date = time.time() + 5
4980
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
638 self.additional_headers['Expires'] = \
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
639 email.utils.formatdate(date, usegmt=True)
1552
68ef6deefcf1 cgi fixes
Richard Jones <richard@users.sourceforge.net>
parents: 1538
diff changeset
640
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
641 # render the content
3896
fca0365521fc ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3867
diff changeset
642 self.write_html(self.renderContext())
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
643 except SendFile as designator:
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
644 # The call to serve_file may result in an Unauthorised
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
645 # exception or a NotModified exception. Those
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
646 # exceptions will be handled by the outermost set of
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
647 # exception handlers.
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
648 self.serve_file(designator)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
649 except SendStaticFile as file:
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
650 self.serve_static_file(str(file))
3896
fca0365521fc ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3867
diff changeset
651 except IOError:
3900
182ba3207899 wrap comment to less than 75 chars
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3898
diff changeset
652 # IOErrors here are due to the client disconnecting before
4638
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
653 # receiving the reply.
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
654 pass
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
655 except SysCallError:
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
656 # OpenSSL.SSL.SysCallError is similar to IOError above
3896
fca0365521fc ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3867
diff changeset
657 pass
2230
ca2664e095be disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents: 2183
diff changeset
658
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
659 except SeriousError as message:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
660 self.write_html(str(message))
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
661 except Redirect as url:
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
662 # let's redirect - if the url isn't None, then we need to do
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
663 # the headers, otherwise the headers have been set before the
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
664 # exception was raised
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
665 if url:
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
666 self.additional_headers['Location'] = str(url)
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
667 self.response_code = 302
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
668 self.write_html('Redirecting to <a href="%s">%s</a>'%(url, url))
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
669 except LoginError as message:
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
670 # The user tried to log in, but did not provide a valid
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
671 # username and password. If we support HTTP
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
672 # authorization, send back a response that will cause the
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
673 # browser to prompt the user again.
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
674 if self.instance.config.WEB_HTTP_AUTH:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
675 self.response_code = http_.client.UNAUTHORIZED
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
676 realm = self.instance.config.TRACKER_NAME
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
677 self.setHeader("WWW-Authenticate",
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
678 "Basic realm=\"%s\"" % realm)
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
679 else:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
680 self.response_code = http_.client.FORBIDDEN
4898
850551a1568b Fix issue2550843 (AttributeError: 'Unauthorised' object has no attribute 'replace')
Thomas Arendsen Hein <thomas@intevation.de>
parents: 4880
diff changeset
681 self.renderFrontPage(str(message))
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
682 except Unauthorised as message:
1977
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
683 # users may always see the front page
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
684 self.response_code = 403
4898
850551a1568b Fix issue2550843 (AttributeError: 'Unauthorised' object has no attribute 'replace')
Thomas Arendsen Hein <thomas@intevation.de>
parents: 4880
diff changeset
685 self.renderFrontPage(str(message))
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
686 except NotModified:
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
687 # send the 304 response
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
688 self.response_code = 304
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
689 self.header()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
690 except NotFound as e:
5165
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
691 if self.response_code == 400:
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
692 # We can't find a parameter (e.g. property name
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
693 # incorrect). Tell the user what was raised.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
694 # Do not change to the 404 template since the
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
695 # base url is valid just query args are not.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
696 # copy the page format from SeriousError _str_ exception.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
697 error_page = """
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
698 <html><head><title>Roundup issue tracker: An error has occurred</title>
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
699 <link rel="stylesheet" type="text/css" href="@@file/style.css">
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
700 </head>
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
701 <body class="body" marginwidth="0" marginheight="0">
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
702 <p class="error-message">%s</p>
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
703 </body></html>
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
704 """
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
705 self.write_html(error_page%str(e))
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
706 else:
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
707 self.response_code = 404
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
708 self.template = '404'
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
709 try:
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
710 cl = self.db.getclass(self.classname)
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
711 self.write_html(self.renderContext())
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
712 except KeyError:
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
713 # we can't map the URL to a class we know about
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
714 # reraise the NotFound and let roundup_server
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
715 # handle it
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
716 raise NotFound(e)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
717 except FormError as e:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
718 self.add_error_message(self._('Form Error: ') + str(e))
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
719 self.write_html(self.renderContext())
4640
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
720 except IOError:
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
721 # IOErrors here are due to the client disconnecting before
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
722 # receiving the reply.
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
723 # may happen during write_html and serve_file, too.
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
724 pass
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
725 except SysCallError:
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
726 # OpenSSL.SSL.SysCallError is similar to IOError above
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
727 # may happen during write_html and serve_file, too.
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
728 pass
5079
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
729 except DetectorError as e:
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
730 if not self.instance.config.WEB_DEBUG:
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
731 # run when we are not in debug mode, so errors
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
732 # go to admin too.
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
733 self.send_error_to_admin(e.subject, e.html, e.txt)
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
734 self.write_html(e.html)
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
735 else:
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
736 # in debug mode, only write error to screen.
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
737 self.write_html(e.html)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
738 except:
4264
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
739 # Something has gone badly wrong. Therefore, we should
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
740 # make sure that the response code indicates failure.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
741 if self.response_code == http_.client.OK:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
742 self.response_code = http_.client.INTERNAL_SERVER_ERROR
4264
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
743 # Help the administrator work out what went wrong.
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
744 html = ("<h1>Traceback</h1>"
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
745 + cgitb.html(i18n=self.translator)
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
746 + ("<h1>Environment Variables</h1><table>%s</table>"
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
747 % cgitb.niceDict("", self.env)))
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
748 if not self.instance.config.WEB_DEBUG:
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
749 exc_info = sys.exc_info()
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
750 subject = "Error: %s" % exc_info[1]
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
751 self.send_error_to_admin(subject, html, format_exc())
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
752 self.write_html(self._(default_err_msg))
3548
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
753 else:
4264
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
754 self.write_html(html)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
755
1372
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
756 def clean_sessions(self):
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
757 """Deprecated
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
758 XXX remove
1937
4c850112895b Some reformatting and fixing docstrings for emacs.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1936
diff changeset
759 """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
760 self.clean_up()
1372
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
761
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
762 def clean_up(self):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
763 """Remove expired sessions and One Time Keys.
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
764
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
765 Do it only once an hour.
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
766 """
1372
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
767 hour = 60*60
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
768 now = time.time()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
769
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
770 # XXX: hack - use OTK table to store last_clean time information
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
771 # 'last_clean' string is used instead of otk key
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
772 otks = self.db.getOTKManager()
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
773 last_clean = otks.get('last_clean', 'last_use', 0)
2046
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
774 if now - last_clean < hour:
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
775 return
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
776
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
777 self.session_api.clean_up()
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
778 otks.clean()
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
779 otks.set('last_clean', last_use=now)
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
780 otks.commit()
1372
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
781
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
782 def determine_charset(self):
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
783 """Look for client charset in the form parameters or browser cookie.
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
784
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
785 If no charset requested by client, use storage charset (utf-8).
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
786
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
787 If the charset is found, and differs from the storage charset,
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
788 recode all form fields of type 'text/plain'
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
789 """
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
790 # look for client charset
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
791 charset_parameter = 0
4799
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
792 # Python 2.6 form may raise a TypeError if list in form is None
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
793 charset = None
4800
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
794 try:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
795 charset = self.form['@charset'].value
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
796 if charset.lower() == "none":
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
797 charset = ""
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
798 charset_parameter = 1
4799
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
799 except (KeyError, TypeError):
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
800 pass
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
801 if charset is None and 'roundup_charset' in self.cookie:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
802 charset = self.cookie['roundup_charset'].value
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
803 if charset:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
804 # make sure the charset is recognized
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
805 try:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
806 codecs.lookup(charset)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
807 except LookupError:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
808 self.add_error_message(self._('Unrecognized charset: %r')
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
809 % charset)
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
810 charset_parameter = 0
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
811 else:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
812 self.charset = charset.lower()
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
813 # If we've got a character set in request parameters,
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
814 # set the browser cookie to keep the preference.
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
815 # This is done after codecs.lookup to make sure
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
816 # that we aren't keeping a wrong value.
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
817 if charset_parameter:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
818 self.add_cookie('roundup_charset', charset)
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
819
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
820 # if client charset is different from the storage charset,
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
821 # recode form fields
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
822 # XXX this requires FieldStorage from Python library.
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
823 # mod_python FieldStorage is not supported!
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
824 if self.charset != self.STORAGE_CHARSET:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
825 decoder = codecs.getdecoder(self.charset)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
826 encoder = codecs.getencoder(self.STORAGE_CHARSET)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
827 re_charref = re.compile('&#([0-9]+|x[0-9a-f]+);', re.IGNORECASE)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
828 def _decode_charref(matchobj):
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
829 num = matchobj.group(1)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
830 if num[0].lower() == 'x':
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
831 uc = int(num[1:], 16)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
832 else:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
833 uc = int(num)
5417
c749d6795bc2 Python 3 preparation: unichr.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5408
diff changeset
834 return uchr(uc)
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
835
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
836 for field_name in self.form:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
837 field = self.form[field_name]
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
838 if (field.type == 'text/plain') and not field.filename:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
839 try:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
840 value = decoder(field.value)[0]
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
841 except UnicodeError:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
842 continue
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
843 value = re_charref.sub(_decode_charref, value)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
844 field.value = encoder(value)[0]
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
845
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
846 def determine_language(self):
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
847 """Determine the language"""
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
848 # look for language parameter
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
849 # then for language cookie
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
850 # last for the Accept-Language header
4800
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
851 # Python 2.6 form may raise a TypeError if list in form is None
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
852 language = None
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
853 try:
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
854 language = self.form["@language"].value
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
855 if language.lower() == "none":
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
856 language = ""
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
857 self.add_cookie("roundup_language", language)
4800
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
858 except (KeyError, TypeError):
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
859 pass
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
860 if language is None:
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
861 if "roundup_language" in self.cookie:
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
862 language = self.cookie["roundup_language"].value
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
863 elif self.instance.config["WEB_USE_BROWSER_LANGUAGE"]:
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
864 hal = self.env.get('HTTP_ACCEPT_LANGUAGE')
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
865 language = accept_language.parse(hal)
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
866 else:
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
867 language = ""
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
868
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
869 self.language = language
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
870 if language:
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
871 self.setTranslator(TranslationService.get_translation(
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
872 language,
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
873 tracker_home=self.instance.config["TRACKER_HOME"]))
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
874
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
875 def determine_user(self):
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
876 """Determine who the user is"""
1724
bc4f0aec594e oops, we really do need a database
Richard Jones <richard@users.sourceforge.net>
parents: 1719
diff changeset
877 self.opendb('admin')
bc4f0aec594e oops, we really do need a database
Richard Jones <richard@users.sourceforge.net>
parents: 1719
diff changeset
878
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
879 # get session data from db
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
880 # XXX: rename
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
881 self.session_api = Session(self)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
882
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
883 # take the opportunity to cleanup expired sessions and otks
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
884 self.clean_up()
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
885
3453
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
886 user = None
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
887 # first up, try http authorization if enabled
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
888 if self.instance.config['WEB_HTTP_AUTH']:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
889 if 'REMOTE_USER' in self.env:
3453
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
890 # we have external auth (e.g. by Apache)
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
891 user = self.env['REMOTE_USER']
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
892 elif self.env.get('HTTP_AUTHORIZATION', ''):
3453
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
893 # try handling Basic Auth ourselves
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
894 auth = self.env['HTTP_AUTHORIZATION']
5549
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
895 try:
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
896 scheme, challenge = auth.split(' ', 1)
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
897 except ValueError:
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
898 # Invalid header.
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
899 scheme = ''
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
900 challenge = ''
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
901 if scheme.lower() == 'basic':
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
902 try:
5474
4c9192393cd9 encoding fixes
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5456
diff changeset
903 decoded = b2s(base64.b64decode(challenge))
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
904 except TypeError:
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
905 # invalid challenge
5474
4c9192393cd9 encoding fixes
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5456
diff changeset
906 decoded = ''
5549
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
907 try:
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
908 username, password = decoded.split(':', 1)
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
909 except ValueError:
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
910 # Invalid challenge.
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
911 username = ''
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
912 password = ''
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
913 try:
4669
d7ac6c7bc371 Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4649
diff changeset
914 # Current user may not be None, otherwise
d7ac6c7bc371 Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4649
diff changeset
915 # instatiation of the login action will fail.
d7ac6c7bc371 Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4649
diff changeset
916 # So we set the user to anonymous first.
d7ac6c7bc371 Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4649
diff changeset
917 self.make_user_anonymous()
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
918 login = self.get_action_class('login')(self)
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
919 login.verifyLogin(username, password)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
920 except LoginError as err:
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
921 self.make_user_anonymous()
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
922 raise
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
923 user = username
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
924 # try to seed with something harder to guess than
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
925 # just the time. If random is SystemRandom,
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
926 # this is a no-op.
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
927 random_.seed("%s%s"%(password,time.time()))
2928
81c99c857b57 applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2923
diff changeset
928
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
929 # if user was not set by http authorization, try session lookup
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
930 if not user:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
931 user = self.session_api.get('user')
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
932 if user:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
933 # update session lifetime datestamp
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
934 self.session_api.update()
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
935
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
936 # if no user name set by http authorization or session lookup
3453
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
937 # the user is anonymous
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
938 if not user:
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
939 user = 'anonymous'
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
940
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
941 # sanity check on the user still being valid,
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
942 # getting the userid at the same time
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
943 try:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
944 self.userid = self.db.user.lookup(user)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
945 except (KeyError, TypeError):
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
946 user = 'anonymous'
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
947
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
948 # make sure the anonymous user is valid if we're using it
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
949 if user == 'anonymous':
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
950 self.make_user_anonymous()
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
951 else:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
952 self.user = user
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
953
1003
f89b8d32291b Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents: 1002
diff changeset
954 # reopen the database as the correct user
f89b8d32291b Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents: 1002
diff changeset
955 self.opendb(self.user)
f89b8d32291b Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents: 1002
diff changeset
956
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
957 def check_anonymous_access(self):
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
958 """Check that the Anonymous user is actually allowed to use the web
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
959 interface and short-circuit all further processing if they're not.
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
960 """
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
961 # allow Anonymous to use the "login" and "register" actions (noting
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
962 # that "register" has its own "Register" permission check)
4367
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
963
4802
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
964 action = ''
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
965 try:
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
966 if ':action' in self.form:
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
967 action = self.form[':action']
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
968 elif '@action' in self.form:
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
969 action = self.form['@action']
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
970 except TypeError:
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
971 pass
4367
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
972 if isinstance(action, list):
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
973 raise SeriousError('broken form: multiple @action values submitted')
4384
b0d812e10549 fix actions check for < Python2.6
Richard Jones <richard@users.sourceforge.net>
parents: 4380
diff changeset
974 elif action != '':
4367
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
975 action = action.value.lower()
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
976 if action in ('login', 'register'):
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
977 return
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
978
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
979 # allow Anonymous to view the "user" "register" template if they're
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
980 # allowed to register
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
981 if (self.db.security.hasPermission('Register', self.userid, 'user')
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
982 and self.classname == 'user' and self.template == 'register'):
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
983 return
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
984
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
985 # otherwise for everything else
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
986 if self.user == 'anonymous':
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
987 if not self.db.security.hasPermission('Web Access', self.userid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
988 raise Unauthorised(self._("Anonymous users are not "
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
989 "allowed to use the web interface"))
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
990
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
991
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
992 def handle_csrf(self, xmlrpc=False):
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
993 '''Handle csrf token lookup and validate current user and session
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
994
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
995 This implements (or tries to implement) the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
996 Session-Dependent Nonce from
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
997 https://seclab.stanford.edu/websec/csrf/csrf.pdf.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
998
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
999 Changing this to an HMAC(sessionid,secret) will
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1000 remove the need for saving a fair amount of
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1001 state on the server (one nonce per form per
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1002 page). If you have multiple forms/page this can
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1003 lead to abandoned csrf tokens that have to time
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1004 out and get cleaned up.But you lose per form
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1005 tokens which may be an advantage. Also the HMAC
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1006 is constant for the session, so provides more
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1007 occasions for it to be exposed.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1008
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1009 This only runs on post (or put and delete for
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1010 future use). Nobody should be changing data
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1011 with a get.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1012
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1013 A session token lifetime is settable in
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1014 config.ini. A future enhancement to the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1015 creation routines should allow for the requester
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1016 of the token to set the lifetime.t
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1017
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1018 The unique session key and user id is stored
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1019 with the token. The token is valid if the stored
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1020 values match the current client's userid and
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1021 session.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1022
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1023 If a user logs out, the csrf keys are
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1024 invalidated since no other connection should
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1025 have the same session id.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1026
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1027 At least to start I am reporting anti-csrf to
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1028 the user. If it's an attacker who can see the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1029 site, they can see the @csrf fields and can
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1030 probably figure out that he needs to supply
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1031 valid headers. Or they can just read this code
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1032 8-). So hiding it doesn't seem to help but it
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1033 does arguably show the enforcement settings, but
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1034 given the newness of this code notifying the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1035 user and having them notify the admins for
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1036 debugging seems to be an advantage.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1037
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1038 '''
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1039 # Create the otks handle here as we need it almost immediately.
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1040 # If this is perf issue, set to None here and check below
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1041 # once all header checks have passed if it needs to be opened.
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1042 otks=self.db.getOTKManager()
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1043
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1044 # Assume: never allow changes via GET
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1045 if self.env['REQUEST_METHOD'] not in ['POST', 'PUT', 'DELETE']:
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1046 if "@csrf" in self.form:
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1047 # We have a nonce being used with a method it should
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1048 # not be. If the nonce exists, report to admin so they
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1049 # can fix the nonce leakage and destroy it. (nonces
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1050 # used in a get are more exposed than those used in a
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1051 # post.) Note, I don't attempt to validate here since
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1052 # existence here is the sign of a failure. If nonce
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1053 # exists try to report the referer header to try to
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1054 # find where this comes from so it can be fixed. If
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1055 # nonce doesn't exist just ignore it. Maybe we should
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1056 # report, but somebody could spam us with a ton of
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1057 # invalid keys and fill up the logs.
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1058 if 'HTTP_REFERER' in self.env:
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1059 referer = self.env['HTTP_REFERER']
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1060 else:
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1061 referer = self._("Referer header not available.")
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1062 key=self.form['@csrf'].value
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1063 if otks.exists(key):
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1064 logger.error(
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1065 self._("csrf key used with wrong method from: %s"),
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1066 referer)
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1067 otks.destroy(key)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
1068 otks.commit()
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1069 # do return here. Keys have been obsoleted.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1070 # we didn't do a expire cycle of session keys,
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1071 # but that's ok.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1072 return True
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1073
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1074 config=self.instance.config
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1075 current_user=self.db.getuid()
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1076
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1077 # List HTTP headers we check. Note that the xmlrpc header is
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1078 # missing. Its enforcement is different (yes/required are the
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1079 # same for example) so we don't include here.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1080 header_names = [
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1081 "ORIGIN",
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1082 "REFERER",
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1083 "X-FORWARDED-HOST",
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1084 "HOST"
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1085 ]
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1086
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1087 header_pass = 0 # count of passing header checks
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1088
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1089 # If required headers are missing, raise an error
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1090 for header in header_names:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1091 if (config["WEB_CSRF_ENFORCE_HEADER_%s"%header] == 'required'
5624
b3618882f906 issue2551023: Fix CSRF headers for use with wsgi and cgi. The
John Rouillard <rouilj@ieee.org>
parents: 5615
diff changeset
1092 and "HTTP_%s" % header.replace('-', '_') not in self.env):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1093 logger.error(self._("csrf header %s required but missing for user%s."), header, current_user)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1094 raise Unauthorised(self._("Missing header: %s")%header)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1095
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1096 # self.base always matches: ^https?://hostname
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1097 enforce=config['WEB_CSRF_ENFORCE_HEADER_REFERER']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1098 if 'HTTP_REFERER' in self.env and enforce != "no":
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1099 referer = self.env['HTTP_REFERER']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1100 # self.base always has trailing /
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1101 foundat = referer.find(self.base)
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1102 if foundat != 0:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1103 if enforce in ('required', 'yes'):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1104 logger.error(self._("csrf Referer header check failed for user%s. Value=%s"), current_user, referer)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1105 raise Unauthorised(self._("Invalid Referer %s, %s")%(referer,self.base))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1106 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1107 logger.warning(self._("csrf Referer header check failed for user%s. Value=%s"), current_user, referer)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1108 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1109 header_pass += 1
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1110
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1111 # if you change these make sure to consider what
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1112 # happens if header variable exists but is empty.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1113 # self.base.find("") returns 0 for example not -1
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1114 enforce=config['WEB_CSRF_ENFORCE_HEADER_ORIGIN']
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1115 if 'HTTP_ORIGIN' in self.env and enforce != "no":
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1116 origin = self.env['HTTP_ORIGIN']
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1117 foundat = self.base.find(origin +'/')
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1118 if foundat != 0:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1119 if enforce in ('required', 'yes'):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1120 logger.error(self._("csrf Origin header check failed for user%s. Value=%s"), current_user, origin)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1121 raise Unauthorised(self._("Invalid Origin %s"%origin))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1122 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1123 logger.warning(self._("csrf Origin header check failed for user%s. Value=%s"), current_user, origin)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1124 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1125 header_pass += 1
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1126
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1127 enforce=config['WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST']
5624
b3618882f906 issue2551023: Fix CSRF headers for use with wsgi and cgi. The
John Rouillard <rouilj@ieee.org>
parents: 5615
diff changeset
1128 if 'HTTP_X_FORWARDED_HOST' in self.env:
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1129 if enforce != "no":
5624
b3618882f906 issue2551023: Fix CSRF headers for use with wsgi and cgi. The
John Rouillard <rouilj@ieee.org>
parents: 5615
diff changeset
1130 host = self.env['HTTP_X_FORWARDED_HOST']
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1131 foundat = self.base.find('://' + host + '/')
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1132 # 4 means self.base has http:/ prefix, 5 means https:/ prefix
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1133 if foundat not in [4, 5]:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1134 if enforce in ('required', 'yes'):
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1135 logger.error(self._("csrf X-FORWARDED-HOST header check failed for user%s. Value=%s"), current_user, host)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1136 raise Unauthorised(self._("Invalid X-FORWARDED-HOST %s")%host)
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1137 elif enforce == 'logfailure':
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1138 logger.warning(self._("csrf X-FORWARDED-HOST header check failed for user%s. Value=%s"), current_user, host)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1139 else:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1140 header_pass += 1
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1141 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1142 # https://seclab.stanford.edu/websec/csrf/csrf.pdf
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1143 # recommends checking HTTP HOST header as well.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1144 # If there is an X-FORWARDED-HOST header, check
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1145 # that only. The proxy setting X-F-H has probably set
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1146 # the host header to a local hostname that is
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1147 # internal name of system not name supplied by user.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1148 enforce=config['WEB_CSRF_ENFORCE_HEADER_HOST']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1149 if 'HTTP_HOST' in self.env and enforce != "no":
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1150 host = self.env['HTTP_HOST']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1151 foundat = self.base.find('://' + host + '/')
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1152 # 4 means http:// prefix, 5 means https:// prefix
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1153 if foundat not in [4, 5]:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1154 if enforce in ('required', 'yes'):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1155 logger.error(self._("csrf HOST header check failed for user%s. Value=%s"), current_user, host)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1156 raise Unauthorised(self._("Invalid HOST %s")%host)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1157 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1158 logger.warning(self._("csrf HOST header check failed for user%s. Value=%s"), current_user, host)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1159 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1160 header_pass += 1
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1161
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1162 enforce=config['WEB_CSRF_HEADER_MIN_COUNT']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1163 if header_pass < enforce:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1164 logger.error(self._("Csrf: unable to verify sufficient headers"))
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1165 raise UsageError(self._("Unable to verify sufficient headers"))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1166
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1167 enforce=config['WEB_CSRF_ENFORCE_HEADER_X-REQUESTED-WITH']
5218
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1168 if xmlrpc:
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1169 if enforce in ['required', 'yes']:
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1170 # if we get here we have usually passed at least one
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1171 # header check. We check for presence of this custom
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1172 # header for xmlrpc calls only.
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1173 # E.G. X-Requested-With: XMLHttpRequest
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1174 # Note we do not use CSRF nonces for xmlrpc requests.
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1175 #
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1176 # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
5624
b3618882f906 issue2551023: Fix CSRF headers for use with wsgi and cgi. The
John Rouillard <rouilj@ieee.org>
parents: 5615
diff changeset
1177 if 'HTTP_X_REQUESTED_WITH' not in self.env:
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1178 logger.error(self._("csrf X-REQUESTED-WITH xmlrpc required header check failed for user%s."), current_user)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1179 raise UsageError(self._("Required Header Missing"))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1180
5211
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1181 # Expire old csrf tokens now so we don't use them. These will
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1182 # be committed after the otks.destroy below. Note that the
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1183 # self.clean_up run as part of determine_user() will run only
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1184 # once an hour. If we have short lived (e.g. 5 minute) keys
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1185 # they will live too long if we depend on clean_up. So we do
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1186 # our own.
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1187 otks.clean()
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1188
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1189 if xmlrpc:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1190 # Save removal of expired keys from database.
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
1191 otks.commit()
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1192 # Return from here since we have done housekeeping
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1193 # and don't use csrf tokens for xmlrpc.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1194 return True
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1195
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1196 # process @csrf tokens past this point.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1197 key=None
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1198 nonce_user = None
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1199 nonce_session = None
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1200
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1201 if '@csrf' in self.form:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1202 key=self.form['@csrf'].value
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1203
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1204 nonce_user = otks.get(key, 'uid', default=None)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1205 nonce_session = otks.get(key, 'sid', default=None)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1206 # The key has been used or compromised.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1207 # Delete it to prevent replay.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1208 otks.destroy(key)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1209
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1210 # commit the deletion/expiration of all keys
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
1211 otks.commit()
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1212
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1213 enforce=config['WEB_CSRF_ENFORCE_TOKEN']
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1214 if key is None: # we do not have an @csrf token
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1215 if enforce == 'required':
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1216 logger.error(self._("Required csrf field missing for user%s"), current_user)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1217 raise UsageError(self._("Csrf token is missing."))
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1218 elif enforce == 'logfailure':
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1219 # FIXME include url
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1220 logger.warning(self._("csrf field not supplied by user%s"), current_user)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1221 else:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1222 # enforce is either yes or no. Both permit change if token is
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1223 # missing
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1224 return True
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1225
5211
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1226 current_session = self.session_api._sid
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1227
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1228 '''
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1229 # I think now that LogoutAction redirects to
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1230 # self.base ([tracker] web parameter in config.ini),
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1231 # this code is not needed. However I am keeping it
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1232 # around in case it has to come back to life.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1233 # Delete if this is still around in 3/2018.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1234 # rouilj 3/2017.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1235 #
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1236 # Note using this code may cause a CSRF Login vulnerability.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1237 # Handle the case where user logs out and tries to
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1238 # log in again in same window.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1239 # The csrf token for the login button is associated
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1240 # with the prior login, so it will not validate.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1241 #
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1242 # To bypass error, Verify that nonce_user != user and that
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1243 # user is '2' (anonymous) and there is no current
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1244 # session key. Validate that the csrf exists
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1245 # in the db and nonce_user and nonce_session are not None.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1246 # Also validate that the action is Login.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1247 # Lastly requre at least one csrf header check to pass.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1248 # If all of those work process the login.
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1249 if current_user != nonce_user and \
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1250 current_user == '2' and \
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1251 current_session is None and \
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1252 nonce_user is not None and \
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1253 nonce_session is not None and \
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1254 "@action" in self.form and \
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1255 self.form["@action"].value == "Login":
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1256 if header_pass > 0:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1257 otks.destroy(key)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
1258 otks.commit()
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1259 return True
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1260 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1261 self.add_error_message("Reload window before logging in.")
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1262 '''
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1263 # validate against user and session
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1264 if current_user != nonce_user:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1265 if enforce in ('required', "yes"):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1266 logger.error(
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1267 self._("Csrf mismatch user: current user %s != stored user %s, current session, stored session: %s,%s for key %s."),
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1268 current_user, nonce_user, current_session, nonce_session, key)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1269 raise UsageError(self._("Invalid csrf token found: %s")%key)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1270 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1271 logger.warning(
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1272 self._("logged only: Csrf mismatch user: current user %s != stored user %s, current session, stored session: %s,%s for key %s."),
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1273 current_user, nonce_user, current_session, nonce_session, key)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1274 if current_session != nonce_session:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1275 if enforce in ('required', "yes"):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1276 logger.error(
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1277 self._("Csrf mismatch user: current session %s != stored session %s, current user/stored user is: %s for key %s."),
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1278 current_session, nonce_session, current_user, key)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1279 raise UsageError(self._("Invalid csrf session found: %s")%key)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1280 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1281 logger.warning(
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1282 self._("logged only: Csrf mismatch user: current session %s != stored session %s, current user/stored user is: %s for key %s."),
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1283 current_session, nonce_session, current_user, key)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1284 # we are done and the change can occur.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1285 return True
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1286
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1287 def opendb(self, username):
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
1288 """Open the database and set the current user.
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1289
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1290 Opens a database once. On subsequent calls only the user is set on
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1291 the database object the instance.optimize is set. If we are in
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1292 "Development Mode" (cf. roundup_server) then the database is always
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1293 re-opened.
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
1294 """
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1295 # don't do anything if the db is open and the user has not changed
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1296 if hasattr(self, 'db') and self.db.isCurrentUser(username):
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1297 return
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1298
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1299 # open the database or only set the user
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1300 if not hasattr(self, 'db'):
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1301 self.db = self.instance.open(username)
4781
6e9b9743de89 Implementation for:
John Rouillard <rouilj@ieee.org>
parents: 4740
diff changeset
1302 self.db.tx_Source = "web"
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1303 else:
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1304 if self.instance.optimize:
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1305 self.db.setCurrentUser(username)
4781
6e9b9743de89 Implementation for:
John Rouillard <rouilj@ieee.org>
parents: 4740
diff changeset
1306 self.db.tx_Source = "web"
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1307 else:
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1308 self.db.close()
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1309 self.db = self.instance.open(username)
4781
6e9b9743de89 Implementation for:
John Rouillard <rouilj@ieee.org>
parents: 4740
diff changeset
1310 self.db.tx_Source = "web"
4212
51a098592b78 Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents: 4145
diff changeset
1311 # The old session API refers to the closed database;
51a098592b78 Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents: 4145
diff changeset
1312 # we can no longer use it.
51a098592b78 Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents: 4145
diff changeset
1313 self.session_api = Session(self)
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1314
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1315
2829
aa1cb9df09c3 ignore leading zeroes in the ID part of a node designator
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2808
diff changeset
1316 def determine_context(self, dre=re.compile(r'([^\d]+)0*(\d+)')):
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1317 """Determine the context of this page from the URL:
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1318
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1319 The URL path after the instance identifier is examined. The path
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1320 is generally only one entry long.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1321
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1322 - if there is no path, then we are in the "home" context.
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1323 - if the path is "_file", then the additional path entry
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1324 specifies the filename of a static file we're to serve up
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1325 from the instance "html" directory. Raises a SendStaticFile
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1326 exception.(*)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1327 - if there is something in the path (eg "issue"), it identifies
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1328 the tracker class we're to display.
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1329 - if the path is an item designator (eg "issue123"), then we're
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1330 to display a specific item.
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1331 - if the path starts with an item designator and is longer than
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1332 one entry, then we're assumed to be handling an item of a
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1333 FileClass, and the extra path information gives the filename
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1334 that the client is going to label the download with (ie
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1335 "file123/image.png" is nicer to download than "file123"). This
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1336 raises a SendFile exception.(*)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1337
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1338 Both of the "*" types of contexts stop before we bother to
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1339 determine the template we're going to use. That's because they
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1340 don't actually use templates.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1341
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1342 The template used is specified by the :template CGI variable,
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1343 which defaults to:
1053
b28393def972 more explanatory docsting
Richard Jones <richard@users.sourceforge.net>
parents: 1051
diff changeset
1344
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1345 - only classname suplied: "index"
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1346 - full item designator supplied: "item"
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1347
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1348 We set:
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1349
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1350 self.classname - the class to display, can be None
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1351
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1352 self.template - the template to render the current context with
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1353
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1354 self.nodeid - the nodeid of the class we're displaying
1937
4c850112895b Some reformatting and fixing docstrings for emacs.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1936
diff changeset
1355 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1356 # default the optional variables
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1357 self.classname = None
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1358 self.nodeid = None
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1359
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1360 # see if a template or messages are specified
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1361 template_override = ok_message = error_message = None
4801
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1362 try:
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1363 keys = self.form.keys()
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1364 except TypeError:
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1365 keys = ()
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1366 for key in keys:
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1367 if self.FV_TEMPLATE.match(key):
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1368 template_override = self.form[key].value
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1369 elif self.FV_OK_MESSAGE.match(key):
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1370 ok_message = self.form[key].value
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1371 elif self.FV_ERROR_MESSAGE.match(key):
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1372 error_message = self.form[key].value
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1373
1977
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
1374 # see if we were passed in a message
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
1375 if ok_message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1376 self.add_ok_message(ok_message)
1977
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
1377 if error_message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1378 self.add_error_message(error_message)
1977
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
1379
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1380 # determine the classname and possibly nodeid
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
1381 path = self.path.split('/')
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1382 if not path or path[0] in ('', 'home', 'index'):
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1383 if template_override is not None:
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1384 self.template = template_override
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1385 else:
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1386 self.template = ''
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1387 return
1911
f5c804379c85 fixed ZRoundup - mostly changes to classic template
Richard Jones <richard@users.sourceforge.net>
parents: 1905
diff changeset
1388 elif path[0] in ('_file', '@@file'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1389 raise SendStaticFile(os.path.join(*path[1:]))
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1390 else:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1391 self.classname = path[0]
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1392 if len(path) > 1:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1393 # send the file identified by the designator in path[0]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1394 raise SendFile(path[0])
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1395
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1396 # see if we got a designator
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1397 m = dre.match(self.classname)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1398 if m:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1399 self.classname = m.group(1)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1400 self.nodeid = m.group(2)
3494
5a56abcf1b22 catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents: 3453
diff changeset
1401 try:
5a56abcf1b22 catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents: 3453
diff changeset
1402 klass = self.db.getclass(self.classname)
5a56abcf1b22 catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents: 3453
diff changeset
1403 except KeyError:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1404 raise NotFound('%s/%s'%(self.classname, self.nodeid))
5555
7b663b588292 Don't pass huge itemids into the backend.
martin.v.loewis <martin.v.loewis>
parents: 5554
diff changeset
1405 if int(self.nodeid) > 2**31:
7b663b588292 Don't pass huge itemids into the backend.
martin.v.loewis <martin.v.loewis>
parents: 5554
diff changeset
1406 # Postgres will complain with a ProgrammingError
7b663b588292 Don't pass huge itemids into the backend.
martin.v.loewis <martin.v.loewis>
parents: 5554
diff changeset
1407 # if we try to pass in numbers that are too large
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
1408 raise NotFound('%s/%s'%(self.classname, self.nodeid))
3494
5a56abcf1b22 catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents: 3453
diff changeset
1409 if not klass.hasnode(self.nodeid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1410 raise NotFound('%s/%s'%(self.classname, self.nodeid))
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1411 # with a designator, we default to item view
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1412 self.template = 'item'
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1413 else:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1414 # with only a class, we default to index view
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1415 self.template = 'index'
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1416
1288
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1417 # make sure the classname is valid
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1418 try:
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1419 self.db.getclass(self.classname)
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1420 except KeyError:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1421 raise NotFound(self.classname)
1288
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1422
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1423 # see if we have a template override
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1424 if template_override is not None:
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1425 self.template = template_override
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1426
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1427 def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1428 """ Serve the file from the content property of the designated item.
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1429 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1430 m = dre.match(str(designator))
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1431 if not m:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1432 raise NotFound(str(designator))
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1433 classname, nodeid = m.group(1), m.group(2)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1434
4263
bd000a1e9a57 Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4224
diff changeset
1435 try:
bd000a1e9a57 Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4224
diff changeset
1436 klass = self.db.getclass(classname)
bd000a1e9a57 Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4224
diff changeset
1437 except KeyError:
bd000a1e9a57 Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4224
diff changeset
1438 # The classname was not valid.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1439 raise NotFound(str(designator))
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1440
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
1441 # perform the Anonymous user access check
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1442 self.check_anonymous_access()
1946
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1443
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1444 # make sure we have the appropriate properties
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1445 props = klass.getprops()
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1446 if 'type' not in props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1447 raise NotFound(designator)
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1448 if 'content' not in props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1449 raise NotFound(designator)
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1450
2870
795cdba40c05 enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents: 2864
diff changeset
1451 # make sure we have permission
795cdba40c05 enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents: 2864
diff changeset
1452 if not self.db.security.hasPermission('View', self.userid,
795cdba40c05 enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents: 2864
diff changeset
1453 classname, 'content', nodeid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1454 raise Unauthorised(self._("You are not allowed to view "
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1455 "this file."))
2870
795cdba40c05 enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents: 2864
diff changeset
1456
4962
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1457
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1458 # --- mime-type security
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1459 # mime type detection is performed in cgi.form_parser
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1460
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1461 # everything not here is served as 'application/octet-stream'
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1462 whitelist = [
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1463 'text/plain',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1464 'text/x-csrc', # .c
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1465 'text/x-chdr', # .h
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1466 'text/x-patch', # .patch and .diff
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1467 'text/x-python', # .py
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1468 'text/xml',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1469 'text/csv',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1470 'text/css',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1471 'application/pdf',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1472 'image/gif',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1473 'image/jpeg',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1474 'image/png',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1475 'image/webp',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1476 'audio/ogg',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1477 'video/webm',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1478 ]
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1479
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1480 if self.instance.config['WEB_ALLOW_HTML_FILE']:
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1481 whitelist.append('text/html')
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1482
4530
c1c395058dee issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents: 4523
diff changeset
1483 try:
c1c395058dee issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents: 4523
diff changeset
1484 mime_type = klass.get(nodeid, 'type')
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1485 except IndexError as e:
4530
c1c395058dee issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents: 4523
diff changeset
1486 raise NotFound(e)
4291
b1772fdb09d0 Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4265
diff changeset
1487 # Can happen for msg class:
b1772fdb09d0 Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4265
diff changeset
1488 if not mime_type:
b1772fdb09d0 Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4265
diff changeset
1489 mime_type = 'text/plain'
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1490
4962
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1491 if mime_type not in whitelist:
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1492 mime_type = 'application/octet-stream'
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1493
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1494 # --/ mime-type security
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1495
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1496
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1497 # If this object is a file (i.e., an instance of FileClass),
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1498 # see if we can find it in the filesystem. If so, we may be
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1499 # able to use the more-efficient request.sendfile method of
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1500 # sending the file. If not, just get the "content" property
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1501 # in the usual way, and use that.
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1502 content = None
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1503 filename = None
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1504 if isinstance(klass, hyperdb.FileClass):
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1505 try:
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1506 filename = self.db.filename(classname, nodeid)
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1507 except AttributeError:
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1508 # The database doesn't store files in the filesystem
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1509 # and therefore doesn't provide the "filename" method.
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1510 pass
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1511 except IOError:
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1512 # The file does not exist.
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1513 pass
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1514 if not filename:
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1515 content = klass.get(nodeid, 'content')
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1516
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1517 lmt = klass.get(nodeid, 'activity').timestamp()
1946
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1518
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1519 self._serve_file(lmt, mime_type, content, filename)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1520
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1521 def serve_static_file(self, file):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1522 """ Serve up the file named from the templates dir
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1523 """
2864
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1524 # figure the filename - try STATIC_FILES, then TEMPLATES dir
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1525 for dir_option in ('STATIC_FILES', 'TEMPLATES'):
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1526 prefix = self.instance.config[dir_option]
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1527 if not prefix:
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1528 continue
5613
0a8f0fddc2ae Support non-ASCII prefixes in instance config for finding static files (issue2551022).
Cédric Krier <cedric.krier@b2ck.com>
parents: 5608
diff changeset
1529 if is_us(prefix):
5231
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1530 # prefix can be a string or list depending on
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1531 # option. Make it a list to iterate over.
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1532 prefix = [ prefix ]
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1533
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1534 for p in prefix:
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1535 # if last element of STATIC_FILES ends with '/-',
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1536 # we failed to find the file and we should
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1537 # not look in TEMPLATES. So raise exception.
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1538 if dir_option == 'STATIC_FILES' and p[-2:] == '/-':
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1539 raise NotFound(file)
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1540
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1541 # ensure the load doesn't try to poke outside
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1542 # of the static files directory
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1543 p = os.path.normpath(p)
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1544 filename = os.path.normpath(os.path.join(p, file))
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1545 if os.path.isfile(filename) and filename.startswith(p):
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1546 break # inner loop over list of directories
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1547 else:
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1548 # reset filename to None as sentinel for use below.
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1549 filename = None
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1550
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1551 # break out of outer loop over options
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1552 if filename:
2864
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1553 break
5231
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1554
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1555 if filename is None: # we didn't find a filename
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1556 raise NotFound(file)
1946
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1557
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1558 # last-modified time
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1559 lmt = os.stat(filename)[stat.ST_MTIME]
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1560
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1561 # detemine meta-type
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1562 file = str(file)
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1563 mime_type = mimetypes.guess_type(file)[0]
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1564 if not mime_type:
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1565 if file.endswith('.css'):
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1566 mime_type = 'text/css'
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1567 else:
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1568 mime_type = 'text/plain'
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1569
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1570 self._serve_file(lmt, mime_type, '', filename)
1946
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1571
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1572 def _serve_file(self, lmt, mime_type, content=None, filename=None):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1573 """ guts of serve_file() and serve_static_file()
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1574 """
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1575
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1576 # spit out headers
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1577 self.additional_headers['Content-Type'] = mime_type
4980
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
1578 self.additional_headers['Last-Modified'] = email.utils.formatdate(lmt)
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1579
1498
203f6a154b30 even better if-modified-since handling for cgi-bin
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1497
diff changeset
1580 ims = None
1469
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1581 # see if there's an if-modified-since...
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1582 # XXX see which interfaces set this
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1583 #if hasattr(self.request, 'headers'):
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1584 #ims = self.request.headers.getheader('if-modified-since')
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1585 if 'HTTP_IF_MODIFIED_SINCE' in self.env:
1497
2704d8438823 better if-modified-since handling for cgi-bin
Richard Jones <richard@users.sourceforge.net>
parents: 1477
diff changeset
1586 # cgi will put the header in the env var
1469
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1587 ims = self.env['HTTP_IF_MODIFIED_SINCE']
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1588 if ims:
4980
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
1589 ims = email.utils.parsedate(ims)[:6]
3800
75d3896929bb really fix the last-modified code
Richard Jones <richard@users.sourceforge.net>
parents: 3796
diff changeset
1590 lmtt = time.gmtime(lmt)[:6]
1469
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1591 if lmtt <= ims:
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1592 raise NotModified
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1593
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1594 if filename:
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1595 self.write_file(filename)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1596 else:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1597 self.additional_headers['Content-Length'] = str(len(content))
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1598 self.write(content)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1599
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1600 def send_error_to_admin(self, subject, html, txt):
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1601 """Send traceback information to admin via email.
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1602 We send both, the formatted html (with more information) and
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1603 the text version of the traceback. We use
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1604 multipart/alternative so the receiver can chose which version
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1605 to display.
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1606 """
4264
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
1607 to = [self.mailer.config.ADMIN_EMAIL]
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1608 message = MIMEMultipart('alternative')
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1609 self.mailer.set_message_attributes(message, to, subject)
5518
db3a95f28b3c fixed typos in send_error_to_admin
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5493
diff changeset
1610 part = self.mailer.get_text_message('utf-8', 'html')
5493
725266c03eab updated mailgw to no longer use mimetools based on jerrykan's patch
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5488
diff changeset
1611 part.set_payload(html, part.get_charset())
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1612 message.attach(part)
5518
db3a95f28b3c fixed typos in send_error_to_admin
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5493
diff changeset
1613 part = self.mailer.get_text_message()
db3a95f28b3c fixed typos in send_error_to_admin
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5493
diff changeset
1614 part.set_payload(txt, part.get_charset())
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1615 message.attach(part)
4523
a03646a02f68 Fix issue2550691 where a Unix From-Header was sometimes inserted...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4384
diff changeset
1616 self.mailer.smtp_send(to, message.as_string())
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1617
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1618 def renderFrontPage(self, message):
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1619 """Return the front page of the tracker."""
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1620
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1621 self.classname = self.nodeid = None
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1622 self.template = ''
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1623 self.add_error_message(message)
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1624 self.write_html(self.renderContext())
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1625
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1626 def selectTemplate(self, name, view):
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1627 """ Choose existing template for the given combination of
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1628 classname (name parameter) and template request variable
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1629 (view parameter) and return its name.
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1630
5185
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1631 View can be a single template or two templates separated
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1632 by a vbar '|' character. If the Client object has a
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1633 non-empty _error_message attribute, the right hand
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1634 template (error template) will be used. If the
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1635 _error_message is empty, the left hand template (ok
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1636 template) will be used.
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1637
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1638 In most cases the name will be "classname.view", but
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1639 if "view" is None, then template name "classname" will
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1640 be returned.
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1641
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1642 If "classname.view" template doesn't exist, the
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1643 "_generic.view" is used as a fallback.
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1644
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1645 [ ] cover with tests
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1646 """
5185
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1647
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1648 # determine if view is oktmpl|errortmpl. If so assign the
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1649 # right one to the view parameter. If we don't have alternate
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1650 # templates, just leave view alone.
5188
8768a95c9a4f Small fix. Make sure view is defined before trying to find('|') in it.
John Rouillard <rouilj@ieee.org>
parents: 5185
diff changeset
1651 if (view and view.find('|') != -1 ):
5185
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1652 # we have alternate templates, parse them apart.
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1653 (oktmpl, errortmpl) = view.split("|", 2)
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1654 if self._error_message:
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1655 # we have an error, use errortmpl
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1656 view = errortmpl
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1657 else:
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1658 # no error message recorded, use oktmpl
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1659 view = oktmpl
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1660
4739
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1661 loader = self.instance.templates
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1662
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1663 # if classname is not set, use "home" template
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1664 if name is None:
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1665 name = 'home'
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1666
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1667 tplname = name
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1668 if view:
5154
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1669 # Support subdirectories for templates. Value is path/to/VIEW
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1670 # or just VIEW if the template is in the html directory of
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1671 # the tracker.
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1672 slash_loc = view.rfind("/")
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1673 if slash_loc == -1:
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1674 # try plain class.view
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1675 tplname = '%s.%s' % (name, view)
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1676 else:
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1677 # try path/class.view
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1678 tplname = '%s/%s.%s'%(
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1679 view[:slash_loc], name, view[slash_loc+1:])
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1680
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1681 if loader.check(tplname):
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1682 return tplname
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1683
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1684 # rendering class/context with generic template for this view.
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1685 # with no view it's impossible to choose which generic template to use
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1686 if not view:
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1687 raise templating.NoTemplate('Template "%s" doesn\'t exist' % name)
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1688
5154
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1689 if slash_loc == -1:
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1690 generic = '_generic.%s' % view
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1691 else:
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1692 generic = '%s/_generic.%s' % (view[:slash_loc], view[slash_loc+1:])
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1693 if loader.check(generic):
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1694 return generic
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1695
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1696 raise templating.NoTemplate('No template file exists for templating '
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1697 '"%s" with template "%s" (neither "%s" nor "%s")' % (name, view,
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1698 tplname, generic))
4739
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1699
1204
b862bbf2067a Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents: 1196
diff changeset
1700 def renderContext(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1701 """ Return a PageTemplate for the named page
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1702 """
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1703 tplname = self.selectTemplate(self.classname, self.template)
1204
b862bbf2067a Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents: 1196
diff changeset
1704
1103
db787cef1385 handled some XXXs
Richard Jones <richard@users.sourceforge.net>
parents: 1096
diff changeset
1705 # catch errors so we can handle PT rendering errors more nicely
1204
b862bbf2067a Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents: 1196
diff changeset
1706 args = {
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1707 'ok_message': self._ok_message,
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1708 'error_message': self._error_message
1204
b862bbf2067a Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents: 1196
diff changeset
1709 }
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1710 try:
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1711 pt = self.instance.templates.load(tplname)
1016
d6c13142e7b9 Keep a cache of compiled PageTemplates.
Richard Jones <richard@users.sourceforge.net>
parents: 1008
diff changeset
1712 # let the template render figure stuff out
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1713 result = pt.render(self, None, None, **args)
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1714 self.additional_headers['Content-Type'] = pt.content_type
2942
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1715 if self.env.get('CGI_SHOW_TIMING', ''):
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1716 if self.env['CGI_SHOW_TIMING'].upper() == 'COMMENT':
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1717 timings = {'starttag': '<!-- ', 'endtag': ' -->'}
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1718 else:
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1719 timings = {'starttag': '<p>', 'endtag': '</p>'}
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1720 timings['seconds'] = time.time()-self.start
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1721 s = self._('%(starttag)sTime elapsed: %(seconds)fs%(endtag)s\n'
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1722 ) % timings
2237
f624fc20f8fe added capturing of stats
Richard Jones <richard@users.sourceforge.net>
parents: 2233
diff changeset
1723 if hasattr(self.db, 'stats'):
2942
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1724 timings.update(self.db.stats)
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1725 s += self._("%(starttag)sCache hits: %(cache_hits)d,"
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1726 " misses %(cache_misses)d."
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1727 " Loading items: %(get_items)f secs."
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1728 " Filtering: %(filtering)f secs."
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1729 "%(endtag)s\n") % timings
2237
f624fc20f8fe added capturing of stats
Richard Jones <richard@users.sourceforge.net>
parents: 2233
diff changeset
1730 s += '</body>'
2230
ca2664e095be disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents: 2183
diff changeset
1731 result = result.replace('</body>', s)
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1732 return result
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1733 except templating.NoTemplate as message:
4380
11d9f3f98897 fix potential XSS hole
Richard Jones <richard@users.sourceforge.net>
parents: 4370
diff changeset
1734 return '<strong>%s</strong>'%cgi.escape(str(message))
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1735 except templating.Unauthorised as message:
4380
11d9f3f98897 fix potential XSS hole
Richard Jones <richard@users.sourceforge.net>
parents: 4370
diff changeset
1736 raise Unauthorised(cgi.escape(str(message)))
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1737 except:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1738 # everything else
4045
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1739 if self.instance.config.WEB_DEBUG:
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1740 return cgitb.pt_html(i18n=self.translator)
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1741 exc_info = sys.exc_info()
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1742 try:
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1743 # If possible, send the HTML page template traceback
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1744 # to the administrator.
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1745 subject = "Templating Error: %s" % exc_info[1]
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1746 self.send_error_to_admin(subject, cgitb.pt_html(), format_exc())
4045
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1747 # Now report the error to the user.
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1748 return self._(default_err_msg)
4045
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1749 except:
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1750 # Reraise the original exception. The user will
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1751 # receive an error message, and the adminstrator will
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1752 # receive a traceback, albeit with less information
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1753 # than the one we tried to generate above.
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1754 if sys.version_info[0] > 2:
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1755 raise exc_info[0](exc_info[1]).with_traceback(exc_info[2])
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1756 else:
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1757 exec('raise exc_info[0], exc_info[1], exc_info[2]')
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1758
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1759 # these are the actions that are available
2904
b1ad7add1a2c back out
Richard Jones <richard@users.sourceforge.net>
parents: 2903
diff changeset
1760 actions = (
5073
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1761 ('edit', actions.EditItemAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1762 ('editcsv', actions.EditCSVAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1763 ('new', actions.NewItemAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1764 ('register', actions.RegisterAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1765 ('confrego', actions.ConfRegoAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1766 ('passrst', actions.PassResetAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1767 ('login', actions.LoginAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1768 ('logout', actions.LogoutAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1769 ('search', actions.SearchAction),
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5079
diff changeset
1770 ('restore', actions.RestoreAction),
5073
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1771 ('retire', actions.RetireAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1772 ('show', actions.ShowAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1773 ('export_csv', actions.ExportCSVAction),
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5608
diff changeset
1774 ('export_csv_id', actions.ExportCSVWithIdAction),
2904
b1ad7add1a2c back out
Richard Jones <richard@users.sourceforge.net>
parents: 2903
diff changeset
1775 )
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1776 def handle_action(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1777 """ Determine whether there should be an Action called.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1778
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1779 The action is defined by the form variable :action which
1477
ed725179953d Added password reset facility for forgotten passwords.
Richard Jones <richard@users.sourceforge.net>
parents: 1472
diff changeset
1780 identifies the method on this object to call. The actions
2904
b1ad7add1a2c back out
Richard Jones <richard@users.sourceforge.net>
parents: 2903
diff changeset
1781 are defined in the "actions" sequence on this class.
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1782
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1783 Actions may return a page (by default HTML) to return to the
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1784 user, bypassing the usual template rendering.
3388
0c66acaea802 present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents: 3356
diff changeset
1785
0c66acaea802 present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents: 3356
diff changeset
1786 We explicitly catch Reject and ValueError exceptions and
0c66acaea802 present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents: 3356
diff changeset
1787 present their messages to the user.
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1788 """
4804
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1789 action = None
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1790 try:
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1791 if ':action' in self.form:
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1792 action = self.form[':action']
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1793 elif '@action' in self.form:
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1794 action = self.form['@action']
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1795 except TypeError:
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1796 pass
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1797 if action is None:
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1798 return None
2638
18e86941c950 Load up extensions in the tracker "extensions" directory.
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1799
4367
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1800 if isinstance(action, list):
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1801 raise SeriousError('broken form: multiple @action values submitted')
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1802 else:
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1803 action = action.value.lower()
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1804
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1805 try:
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1806 action_klass = self.get_action_class(action)
2019
8fab5d394f22 Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2018
diff changeset
1807
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1808 # call the mapped action
2019
8fab5d394f22 Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2018
diff changeset
1809 if isinstance(action_klass, type('')):
8fab5d394f22 Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2018
diff changeset
1810 # old way of specifying actions
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1811 return getattr(self, action_klass)()
2019
8fab5d394f22 Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2018
diff changeset
1812 else:
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1813 return action_klass(self).execute()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1814 except (ValueError, Reject) as err:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4980
diff changeset
1815 escape = not isinstance(err, RejectRaw)
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4980
diff changeset
1816 self.add_error_message(str(err), escape=escape)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1817
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1818 def get_action_class(self, action_name):
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1819 if (hasattr(self.instance, 'cgi_actions') and
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1820 action_name in self.instance.cgi_actions):
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1821 # tracker-defined action
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1822 action_klass = self.instance.cgi_actions[action_name]
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1823 else:
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1824 # go with a default
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1825 for name, action_klass in self.actions:
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1826 if name == action_name:
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1827 break
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1828 else:
4578
941681fec1b0 issue2550711 Fix XSS vulnerability in @action parameter.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4574
diff changeset
1829 raise ValueError('No such action "%s"'%cgi.escape(action_name))
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1830 return action_klass
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1831
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1832 def _socket_op(self, call, *args, **kwargs):
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1833 """Execute socket-related operation, catch common network errors
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1834
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1835 Parameters:
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1836 call: a callable to execute
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1837 args, kwargs: call arguments
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1838
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1839 """
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1840 try:
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1841 call(*args, **kwargs)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1842 except socket.error as err:
3807
c27aafab067d Band-aid over handling of netework errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3800
diff changeset
1843 err_errno = getattr (err, 'errno', None)
3808
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1844 if err_errno is None:
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1845 try:
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1846 err_errno = err[0]
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1847 except TypeError:
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1848 pass
3807
c27aafab067d Band-aid over handling of netework errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3800
diff changeset
1849 if err_errno not in self.IGNORE_NET_ERRORS:
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1850 raise
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1851 except IOError:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1852 # Apache's mod_python will raise IOError -- without an
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1853 # accompanying errno -- when a write to the client fails.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1854 # A common case is that the client has closed the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1855 # connection. There's no way to be certain that this is
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1856 # the situation that has occurred here, but that is the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1857 # most likely case.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1858 pass
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1859
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1860 def write(self, content):
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1861 if not self.headers_done:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1862 self.header()
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
1863 if self.env['REQUEST_METHOD'] != 'HEAD':
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1864 self._socket_op(self.request.wfile.write, content)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1865
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
1866 def write_html(self, content):
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
1867 if not self.headers_done:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
1868 # at this point, we are sure about Content-Type
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1869 if 'Content-Type' not in self.additional_headers:
3867
2563ddf71cd7 Enabled over-riding of content-type in web interface (thanks John Mitchell)
Richard Jones <richard@users.sourceforge.net>
parents: 3808
diff changeset
1870 self.additional_headers['Content-Type'] = \
2563ddf71cd7 Enabled over-riding of content-type in web interface (thanks John Mitchell)
Richard Jones <richard@users.sourceforge.net>
parents: 3808
diff changeset
1871 'text/html; charset=%s' % self.charset
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
1872 self.header()
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
1873
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
1874 if self.env['REQUEST_METHOD'] == 'HEAD':
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
1875 # client doesn't care about content
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
1876 return
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
1877
5437
a1971da1c5da Python 3 preparation: send bytes to socket in cgi/client.py.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5430
diff changeset
1878 if sys.version_info[0] > 2:
5524
674ad58667b4 Support actions returning binary data with Python 3.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5518
diff changeset
1879 # An action setting appropriate headers for a non-HTML
674ad58667b4 Support actions returning binary data with Python 3.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5518
diff changeset
1880 # response may return a bytes object directly.
674ad58667b4 Support actions returning binary data with Python 3.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5518
diff changeset
1881 if not isinstance(content, bytes):
674ad58667b4 Support actions returning binary data with Python 3.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5518
diff changeset
1882 content = content.encode(self.charset, 'xmlcharrefreplace')
5437
a1971da1c5da Python 3 preparation: send bytes to socket in cgi/client.py.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5430
diff changeset
1883 elif self.charset != self.STORAGE_CHARSET:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
1884 # recode output
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
1885 content = content.decode(self.STORAGE_CHARSET, 'replace')
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
1886 content = content.encode(self.charset, 'xmlcharrefreplace')
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
1887
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
1888 # and write
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1889 self._socket_op(self.request.wfile.write, content)
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
1890
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1891 def http_strip(self, content):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1892 """Remove HTTP Linear White Space from 'content'.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1893
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1894 'content' -- A string.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1895
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1896 returns -- 'content', with all leading and trailing LWS
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1897 removed."""
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1898
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1899 # RFC 2616 2.2: Basic Rules
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1900 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1901 # LWS = [CRLF] 1*( SP | HT )
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1902 return content.strip(" \r\n\t")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1903
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1904 def http_split(self, content):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1905 """Split an HTTP list.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1906
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1907 'content' -- A string, giving a list of items.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1908
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1909 returns -- A sequence of strings, containing the elements of
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1910 the list."""
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1911
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1912 # RFC 2616 2.1: Augmented BNF
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1913 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1914 # Grammar productions of the form "#rule" indicate a
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1915 # comma-separated list of elements matching "rule". LWS
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1916 # is then removed from each element, and empty elements
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1917 # removed.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1918
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1919 # Split at commas.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1920 elements = content.split(",")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1921 # Remove linear whitespace at either end of the string.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1922 elements = [self.http_strip(e) for e in elements]
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1923 # Remove any now-empty elements.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1924 return [e for e in elements if e]
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1925
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1926 def handle_range_header(self, length, etag):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1927 """Handle the 'Range' and 'If-Range' headers.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1928
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1929 'length' -- the length of the content available for the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1930 resource.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1931
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1932 'etag' -- the entity tag for this resources.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1933
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1934 returns -- If the request headers (including 'Range' and
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1935 'If-Range') indicate that only a portion of the entity should
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1936 be returned, then the return value is a pair '(offfset,
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1937 length)' indicating the first byte and number of bytes of the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1938 content that should be returned to the client. In addition,
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1939 this method will set 'self.response_code' to indicate Partial
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1940 Content. In all other cases, the return value is 'None'. If
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1941 appropriate, 'self.response_code' will be
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1942 set to indicate 'REQUESTED_RANGE_NOT_SATISFIABLE'. In that
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1943 case, the caller should not send any data to the client."""
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1944
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1945 # RFC 2616 14.35: Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1946 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1947 # See if the Range header is present.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1948 ranges_specifier = self.env.get("HTTP_RANGE")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1949 if ranges_specifier is None:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1950 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1951 # RFC 2616 14.27: If-Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1952 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1953 # Check to see if there is an If-Range header.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1954 # Because the specification says:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1955 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1956 # The If-Range header ... MUST be ignored if the request
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1957 # does not include a Range header, we check for If-Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1958 # after checking for Range.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1959 if_range = self.env.get("HTTP_IF_RANGE")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1960 if if_range:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1961 # The grammar for the If-Range header is:
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1962 #
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1963 # If-Range = "If-Range" ":" ( entity-tag | HTTP-date )
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1964 # entity-tag = [ weak ] opaque-tag
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1965 # weak = "W/"
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1966 # opaque-tag = quoted-string
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1967 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1968 # We only support strong entity tags.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1969 if_range = self.http_strip(if_range)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1970 if (not if_range.startswith('"')
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1971 or not if_range.endswith('"')):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1972 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1973 # If the condition doesn't match the entity tag, then we
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1974 # must send the client the entire file.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1975 if if_range != etag:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1976 return
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1977 # The grammar for the Range header value is:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1978 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1979 # ranges-specifier = byte-ranges-specifier
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1980 # byte-ranges-specifier = bytes-unit "=" byte-range-set
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1981 # byte-range-set = 1#( byte-range-spec | suffix-byte-range-spec )
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1982 # byte-range-spec = first-byte-pos "-" [last-byte-pos]
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1983 # first-byte-pos = 1*DIGIT
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1984 # last-byte-pos = 1*DIGIT
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1985 # suffix-byte-range-spec = "-" suffix-length
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1986 # suffix-length = 1*DIGIT
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1987 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1988 # Look for the "=" separating the units from the range set.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1989 specs = ranges_specifier.split("=", 1)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1990 if len(specs) != 2:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1991 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1992 # Check that the bytes-unit is in fact "bytes". If it is not,
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1993 # we do not know how to process this range.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1994 bytes_unit = self.http_strip(specs[0])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1995 if bytes_unit != "bytes":
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1996 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1997 # Seperate the range-set into range-specs.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1998 byte_range_set = self.http_strip(specs[1])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1999 byte_range_specs = self.http_split(byte_range_set)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2000 # We only handle exactly one range at this time.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2001 if len(byte_range_specs) != 1:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2002 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2003 # Parse the spec.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2004 byte_range_spec = byte_range_specs[0]
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2005 pos = byte_range_spec.split("-", 1)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2006 if len(pos) != 2:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2007 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2008 # Get the first and last bytes.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2009 first = self.http_strip(pos[0])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2010 last = self.http_strip(pos[1])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2011 # We do not handle suffix ranges.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2012 if not first:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2013 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2014 # Convert the first and last positions to integers.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2015 try:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2016 first = int(first)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2017 if last:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2018 last = int(last)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2019 else:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2020 last = length - 1
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2021 except:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2022 # The positions could not be parsed as integers.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2023 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2024 # Check that the range makes sense.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2025 if (first < 0 or last < 0 or last < first):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2026 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2027 if last >= length:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2028 # RFC 2616 10.4.17: 416 Requested Range Not Satisfiable
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2029 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2030 # If there is an If-Range header, RFC 2616 says that we
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2031 # should just ignore the invalid Range header.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2032 if if_range:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2033 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2034 # Return code 416 with a Content-Range header giving the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2035 # allowable range.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2036 self.response_code = http_.client.REQUESTED_RANGE_NOT_SATISFIABLE
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2037 self.setHeader("Content-Range", "bytes */%d" % length)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2038 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2039 # RFC 2616 10.2.7: 206 Partial Content
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2040 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2041 # Tell the client that we are honoring the Range request by
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2042 # indicating that we are providing partial content.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2043 self.response_code = http_.client.PARTIAL_CONTENT
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2044 # RFC 2616 14.16: Content-Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2045 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2046 # Tell the client what data we are providing.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2047 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2048 # content-range-spec = byte-content-range-spec
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2049 # byte-content-range-spec = bytes-unit SP
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2050 # byte-range-resp-spec "/"
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2051 # ( instance-length | "*" )
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2052 # byte-range-resp-spec = (first-byte-pos "-" last-byte-pos)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2053 # | "*"
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2054 # instance-length = 1 * DIGIT
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2055 self.setHeader("Content-Range",
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2056 "bytes %d-%d/%d" % (first, last, length))
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2057 return (first, last - first + 1)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2058
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2059 def write_file(self, filename):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2060 """Send the contents of 'filename' to the user."""
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2061
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2062 # Determine the length of the file.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2063 stat_info = os.stat(filename)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2064 length = stat_info[stat.ST_SIZE]
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2065 # Assume we will return the entire file.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2066 offset = 0
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
2067 # If the headers have not already been finalized,
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2068 if not self.headers_done:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2069 # RFC 2616 14.19: ETag
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2070 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2071 # Compute the entity tag, in a format similar to that
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2072 # used by Apache.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2073 etag = '"%x-%x-%x"' % (stat_info[stat.ST_INO],
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2074 length,
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2075 stat_info[stat.ST_MTIME])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2076 self.setHeader("ETag", etag)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2077 # RFC 2616 14.5: Accept-Ranges
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2078 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2079 # Let the client know that we will accept range requests.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2080 self.setHeader("Accept-Ranges", "bytes")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2081 # RFC 2616 14.35: Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2082 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2083 # If there is a Range header, we may be able to avoid
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2084 # sending the entire file.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2085 content_range = self.handle_range_header(length, etag)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2086 if content_range:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2087 offset, length = content_range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2088 # RFC 2616 14.13: Content-Length
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2089 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2090 # Tell the client how much data we are providing.
4145
c15fcee3d8a1 Fix issue2550552.
Stefan Seefeld <stefan@seefeld.name>
parents: 4114
diff changeset
2091 self.setHeader("Content-Length", str(length))
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2092 # Send the HTTP header.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2093 self.header()
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2094 # If the client doesn't actually want the body, or if we are
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2095 # indicating an invalid range.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2096 if (self.env['REQUEST_METHOD'] == 'HEAD'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2097 or self.response_code == http_.client.REQUESTED_RANGE_NOT_SATISFIABLE):
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2098 return
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2099 # Use the optimized "sendfile" operation, if possible.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2100 if hasattr(self.request, "sendfile"):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2101 self._socket_op(self.request.sendfile, filename, offset, length)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2102 return
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2103 # Fallback to the "write" operation.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2104 f = open(filename, 'rb')
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2105 try:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2106 if offset:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2107 f.seek(offset)
4077
7d19ed05baa6 Fix issue2550517
Stefan Seefeld <stefan@seefeld.name>
parents: 4065
diff changeset
2108 content = f.read(length)
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2109 finally:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2110 f.close()
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2111 self.write(content)
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
2112
2046
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
2113 def setHeader(self, header, value):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2114 """Override a header to be returned to the user's browser.
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2115 """
2046
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
2116 self.additional_headers[header] = value
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
2117
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
2118 def header(self, headers=None, response=None):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2119 """Put up the appropriate header.
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2120 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2121 if headers is None:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2122 headers = {'Content-Type':'text/html; charset=utf-8'}
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
2123 if response is None:
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
2124 response = self.response_code
1130
89bd02ffe4af tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents: 1129
diff changeset
2125
89bd02ffe4af tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents: 1129
diff changeset
2126 # update with additional info
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
2127 headers.update(self.additional_headers)
1130
89bd02ffe4af tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents: 1129
diff changeset
2128
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2129 if headers.get('Content-Type', 'text/html') == 'text/html':
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2130 headers['Content-Type'] = 'text/html; charset=utf-8'
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2131
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2132 headers = list(headers.items())
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2133
5395
23b8e6067f7c Python 3 preparation: update calls to dict methods.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
2134 for ((path, name), (value, expire)) in self._cookies.items():
3548
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
2135 cookie = "%s=%s; Path=%s;"%(name, value, path)
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
2136 if expire is not None:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2137 cookie += " expires=%s;"%get_cookie_date(expire)
4586
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2138 # mark as secure if https, see issue2550689
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2139 if self.secure:
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2140 cookie += " secure;"
5212
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5211
diff changeset
2141 ssc = self.db.config['WEB_SAMESITE_COOKIE_SETTING']
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5211
diff changeset
2142 if ssc != "None":
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5211
diff changeset
2143 cookie += " SameSite=%s;"%ssc
4586
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2144 # prevent theft of session cookie, see issue2550689
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2145 cookie += " HttpOnly;"
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2146 headers.append(('Set-Cookie', cookie))
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2147
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
2148 self._socket_op(self.request.start_response, headers, response)
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2149
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2150 self.headers_done = 1
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2151 if self.debug:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2152 self.headers_sent = headers
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2153
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2154 def add_cookie(self, name, value, expire=86400*365, path=None):
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2155 """Set a cookie value to be sent in HTTP headers
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2156
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2157 Parameters:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2158 name:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2159 cookie name
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2160 value:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2161 cookie value
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2162 expire:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2163 cookie expiration time (seconds).
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2164 If value is empty (meaning "delete cookie"),
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2165 expiration time is forced in the past
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2166 and this argument is ignored.
3548
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
2167 If None, the cookie will expire at end-of-session.
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2168 If omitted, the cookie will be kept for a year.
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2169 path:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2170 cookie path (optional)
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2171
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2172 """
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2173 if path is None:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2174 path = self.cookie_path
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2175 if not value:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2176 expire = -1
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
2177 self._cookies[(path, name)] = (value, expire)
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2178
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2179 def make_user_anonymous(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2180 """ Make us anonymous
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2181
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2182 This method used to handle non-existence of the 'anonymous'
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2183 user, but that user is mandatory now.
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2184 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2185 self.userid = self.db.user.lookup('anonymous')
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2186 self.user = 'anonymous'
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2187
1801
9f9d35f3d8f7 Change the message asking for confirmation of registration...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1799
diff changeset
2188 def standard_message(self, to, subject, body, author=None):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2189 """Send a standard email message from Roundup.
2248
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2190
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2191 "to" - recipients list
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2192 "subject" - Subject
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2193 "body" - Message
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2194 "author" - (name, address) tuple or None for admin email
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2195
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2196 Arguments are passed to the Mailer.standard_message code.
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2197 """
1799
071ea6fc803f Extracted duplicated mail-sending code...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1798
diff changeset
2198 try:
1801
9f9d35f3d8f7 Change the message asking for confirmation of registration...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1799
diff changeset
2199 self.mailer.standard_message(to, subject, body, author)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
2200 except MessageSendError as e:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
2201 self.add_error_message(str(e))
2248
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2202 return 0
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2203 return 1
1467
378081f066cc registration is now a two-step process with confirmation from the
Richard Jones <richard@users.sourceforge.net>
parents: 1456
diff changeset
2204
2107
b7404a96b58a minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2082
diff changeset
2205 def parsePropsFromForm(self, create=0):
2010
1b11ffd8015e forward-porting of fixed edit action / parsePropsFromForm...
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
2206 return FormParser(self).parse(create=create)
1b11ffd8015e forward-porting of fixed edit action / parsePropsFromForm...
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
2207
2799
9605965569b0 disallow caching of pages with error and/or ok messages.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2724
diff changeset
2208 # vim: set et sts=4 sw=4 :
Roundup Issue Tracker: http://roundup-tracker.org/