Mercurial > p > roundup > code

annotate roundup/cgi/client.py @ 5934:db9bd45d50ad

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Refactor jwt auth into authenticate_bearer_token() method on Client The json web token authentication was buried inside determine user. Refactored to put this authenticate_bearer_token method so it can (hopefully) be overriden by an instance.
author John Rouillard <rouilj@ieee.org>
date Sat, 19 Oct 2019 16:35:08 -0400
parents b40059d7036f
children 1b50c2c5619a
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1 """WWW request handler (also used in the stand-alone server).
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2 """
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
3 __docformat__ = 'restructuredtext'
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
4
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
5 import logging
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
6 logger = logging.getLogger('roundup')
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
7
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
8 import base64, binascii, cgi, codecs, mimetypes, os
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
9 import quopri, re, stat, sys, time
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
10 import socket, errno, hashlib
4980
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
11 import email.utils
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
12 from traceback import format_exc
2233
3d9bb1a052d1 fix random seeding for forking server
Richard Jones <richard@users.sourceforge.net>
parents: 2230
diff changeset
13
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
14 import roundup.anypy.random_ as random_
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
15 if not random_.is_weak:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
16 logger.debug("Importing good random generator")
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
17 else:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
18 logger.warning("**SystemRandom not available. Using poor random generator")
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
19
4638
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
20 try:
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
21 from OpenSSL.SSL import SysCallError
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
22 except ImportError:
5429
daa19de102a2 Python 3 preparation: make fallback SysCallError an actual exception class.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5422
diff changeset
23 class SysCallError(Exception):
daa19de102a2 Python 3 preparation: make fallback SysCallError an actual exception class.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5422
diff changeset
24 pass
4638
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
25
5837
883c9e90b403 Fix problem with cgi.escape being depricated a different way. This way
John Rouillard <rouilj@ieee.org>
parents: 5804
diff changeset
26 from roundup.anypy.html import html_escape
5802
0e6d45413e88 catching last couple of cgi.escape references.
John Rouillard <rouilj@ieee.org>
parents: 5775
diff changeset
27
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1987
diff changeset
28 from roundup import roundupdb, date, hyperdb, password
2557
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
29 from roundup.cgi import templating, cgitb, TranslationService
5073
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
30 from roundup.cgi import actions
5218
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
31 from roundup.exceptions import LoginError, Reject, RejectRaw, \
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
32 Unauthorised, UsageError
5073
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
33 from roundup.cgi.exceptions import (
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
34 FormError, NotFound, NotModified, Redirect, SendFile, SendStaticFile,
5079
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
35 DetectorError, SeriousError)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1987
diff changeset
36 from roundup.cgi.form_parser import FormParser
5493
725266c03eab updated mailgw to no longer use mimetools based on jerrykan's patch
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5488
diff changeset
37 from roundup.mailer import Mailer, MessageSendError
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
38 from roundup.cgi import accept_language
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
39 from roundup import xmlrpc
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
40 from roundup import rest
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
41
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
42 from roundup.anypy.cookie_ import CookieError, BaseCookie, SimpleCookie, \
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
43 get_cookie_date
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
44 from roundup.anypy import http_
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
45 from roundup.anypy import urllib_
5408
e46ce04d5bbc Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5395
diff changeset
46 from roundup.anypy import xmlrpc_
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
47
5422
a0ed8d5d744f Python 3 preparation: update email module names.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5417
diff changeset
48 from email.mime.base import MIMEBase
a0ed8d5d744f Python 3 preparation: update email module names.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5417
diff changeset
49 from email.mime.text import MIMEText
a0ed8d5d744f Python 3 preparation: update email module names.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5417
diff changeset
50 from email.mime.multipart import MIMEMultipart
4979
f1a2bd1dea77 issue2550877: Writing headers with the email module will use continuation_ws = ' ' now for python 2.5 and 2.6 when importing anypy.email_.
Bernhard Reiter <bernhard@intevation.de>
parents: 4962
diff changeset
51 import roundup.anypy.email_
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
52
5613
0a8f0fddc2ae Support non-ASCII prefixes in instance config for finding static files (issue2551022).
Cédric Krier <cedric.krier@b2ck.com>
parents: 5608
diff changeset
53 from roundup.anypy.strings import s2b, b2s, uchr, is_us
5417
c749d6795bc2 Python 3 preparation: unichr.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5408
diff changeset
54
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
55 def initialiseSecurity(security):
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
56 '''Create some Permissions and Roles on the security object
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
57
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
58 This function is directly invoked by security.Security.__init__()
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
59 as a part of the Security object instantiation.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
60 '''
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
61 p = security.addPermission(name="Web Access",
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
62 description="User may access the web interface")
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
63 security.addPermissionToRole('Admin', p)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
64
5879
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
65 p = security.addPermission(name="Rest Access",
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
66 description="User may access the rest interface")
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
67 security.addPermissionToRole('Admin', p)
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
68
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
69 p = security.addPermission(name="Xmlrpc Access",
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
70 description="User may access the xmlrpc interface")
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
71 security.addPermissionToRole('Admin', p)
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
72
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
73 # doing Role stuff through the web - make sure Admin can
3276
3124e578db02 Email fixes:
Richard Jones <richard@users.sourceforge.net>
parents: 3069
diff changeset
74 # TODO: deprecate this and use a property-based control
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
75 p = security.addPermission(name="Web Roles",
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
76 description="User may manipulate user Roles through the web")
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
77 security.addPermissionToRole('Admin', p)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
78
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
79 def add_message(msg_list, msg, escape=True):
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
80 if escape:
5804
8f50e00532e7 html.escape(string, quote=...) sets quote to True not False by
John Rouillard <rouilj@ieee.org>
parents: 5802
diff changeset
81 msg = html_escape(msg, quote=False).replace('\n', '<br />\n')
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
82 else:
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
83 msg = msg.replace('\n', '<br />\n')
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
84 msg_list.append (msg)
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
85 return msg_list # for unittests
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
86
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
87 default_err_msg = ''"""<html><head><title>An error has occurred</title></head>
3554
5e70726a86dd fixed schema migration problem when Class keys were removed
Richard Jones <richard@users.sourceforge.net>
parents: 3551
diff changeset
88 <body><h1>An error has occurred</h1>
3551
3c70ab03c917 translate error message shown instead of tracebacks, add page title
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3548
diff changeset
89 <p>A problem was encountered processing your request.
3c70ab03c917 translate error message shown instead of tracebacks, add page title
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3548
diff changeset
90 The tracker maintainers have been notified of the problem.</p>
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
91 </body></html>"""
3548
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
92
5356
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
93 def seed_pseudorandom():
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
94 '''A function to seed the default pseudorandom random number generator
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
95 which is used to (at minimum):
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
96 * generate part of email message-id
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
97 * generate OTK for password reset
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
98 * generate the temp recovery password
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
99
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
100 This function limits the scope of the 'import random' call
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
101 as the random identifier is used throughout the code and
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
102 can refer to SystemRandom.
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
103 '''
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
104 import random
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
105 random.seed()
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
106
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
107 class LiberalCookie(SimpleCookie):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
108 """ Python's SimpleCookie throws an exception if the cookie uses invalid
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
109 syntax. Other applications on the same server may have done precisely
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
110 this, preventing roundup from working through no fault of roundup.
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
111 Numerous other python apps have run into the same problem:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
112
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
113 trac: http://trac.edgewall.org/ticket/2256
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
114 mailman: http://bugs.python.org/issue472646
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
115
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
116 This particular implementation comes from trac's solution to the
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
117 problem. Unfortunately it requires some hackery in SimpleCookie's
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
118 internals to provide a more liberal __set method.
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
119 """
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
120 def load(self, rawdata, ignore_parse_errors=True):
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
121 if ignore_parse_errors:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
122 self.bad_cookies = []
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
123 self._BaseCookie__set = self._loose_set
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
124 SimpleCookie.load(self, rawdata)
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
125 if ignore_parse_errors:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
126 self._BaseCookie__set = self._strict_set
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
127 for key in self.bad_cookies:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
128 del self[key]
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
129
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
130 _strict_set = BaseCookie._BaseCookie__set
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
131
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
132 def _loose_set(self, key, real_value, coded_value):
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
133 try:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
134 self._strict_set(key, real_value, coded_value)
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
135 except CookieError:
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
136 self.bad_cookies.append(key)
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
137 dict.__setitem__(self, key, None)
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
138
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
139
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
140 class Session:
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
141 """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
142 Needs DB to be already opened by client
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
143
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
144 Session attributes at instantiation:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
145
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
146 - "client" - reference to client for add_cookie function
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
147 - "session_db" - session DB manager
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
148 - "cookie_name" - name of the cookie with session id
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
149 - "_sid" - session id for current user
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
150 - "_data" - session data cache
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
151
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
152 session = Session(client)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
153 session.set(name=value)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
154 value = session.get(name)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
155
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
156 session.destroy() # delete current session
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
157 session.clean_up() # clean up session table
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
158
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
159 session.update(set_cookie=True, expire=3600*24*365)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
160 # refresh session expiration time, setting persistent
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
161 # cookie if needed to last for 'expire' seconds
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
162
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
163 """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
164
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
165 def __init__(self, client):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
166 self._data = {}
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
167 self._sid = None
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
168
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
169 self.client = client
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
170 self.session_db = client.db.getSessionManager()
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
171
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
172 # parse cookies for session id
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
173 self.cookie_name = 'roundup_session_%s' % \
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
174 re.sub('[^a-zA-Z]', '', client.instance.config.TRACKER_NAME)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
175 cookies = LiberalCookie(client.env.get('HTTP_COOKIE', ''))
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
176 if self.cookie_name in cookies:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
177 if not self.session_db.exists(cookies[self.cookie_name].value):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
178 self._sid = None
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
179 # remove old cookie
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
180 self.client.add_cookie(self.cookie_name, None)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
181 else:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
182 self._sid = cookies[self.cookie_name].value
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
183 self._data = self.session_db.getall(self._sid)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
184
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
185 def _gen_sid(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
186 """ generate a unique session key """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
187 while 1:
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
188 s = b2s(binascii.b2a_base64(random_.token_bytes(32)).strip())
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
189 if not self.session_db.exists(s):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
190 break
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
191
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
192 # clean up the base64
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
193 if s[-1] == '=':
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
194 if s[-2] == '=':
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
195 s = s[:-2]
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
196 else:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
197 s = s[:-1]
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
198 return s
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
199
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
200 def clean_up(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
201 """Remove expired sessions"""
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
202 self.session_db.clean()
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
203
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
204 def destroy(self):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
205 self.client.add_cookie(self.cookie_name, None)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
206 self._data = {}
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
207 self.session_db.destroy(self._sid)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
208 self.session_db.commit()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
209
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
210 def get(self, name, default=None):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
211 return self._data.get(name, default)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
212
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
213 def set(self, **kwargs):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
214 self._data.update(kwargs)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
215 if not self._sid:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
216 self._sid = self._gen_sid()
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
217 self.session_db.set(self._sid, **self._data)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
218 # add session cookie
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
219 self.update(set_cookie=True)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
220
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
221 # XXX added when patching 1.4.4 for backward compatibility
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
222 # XXX remove
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
223 self.client.session = self._sid
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
224 else:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
225 self.session_db.set(self._sid, **self._data)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
226 self.session_db.commit()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
227
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
228 def update(self, set_cookie=False, expire=None):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
229 """ update timestamp in db to avoid expiration
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
230
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
231 if 'set_cookie' is True, set cookie with 'expire' seconds lifetime
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
232 if 'expire' is None - session will be closed with the browser
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
233
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
234 XXX the session can be purged within a week even if a cookie
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
235 lifetime is longer
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
236 """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
237 self.session_db.updateTimestamp(self._sid)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
238 self.session_db.commit()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
239
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
240 if set_cookie:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
241 self.client.add_cookie(self.cookie_name, self._sid, expire=expire)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
242
5775
17e110426ad7 issue2551046: Attempts to attach file or create large message fail
John Rouillard <rouilj@ieee.org>
parents: 5696
diff changeset
243 # import from object as well so it's a new style object and I can use super()
17e110426ad7 issue2551046: Attempts to attach file or create large message fail
John Rouillard <rouilj@ieee.org>
parents: 5696
diff changeset
244 class BinaryFieldStorage(cgi.FieldStorage, object):
5656
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
245 '''This class works around the bug https://bugs.python.org/issue27777.
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
246
5656
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
247 cgi.FieldStorage must save all data as binary/bytes. This is
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
248 needed for handling json and xml data blobs under python
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
249 3. Under python 2, str and binary are interchangable, not so
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
250 under 3.
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
251 '''
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
252 def make_file(self, mode=None):
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
253 ''' work around https://bugs.python.org/issue27777 '''
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
254 import tempfile
5671
f60c44563c3a Adjust make_file override to use binary files only when needed.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5666
diff changeset
255 if self.length >= 0:
f60c44563c3a Adjust make_file override to use binary files only when needed.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5666
diff changeset
256 return tempfile.TemporaryFile("wb+")
5775
17e110426ad7 issue2551046: Attempts to attach file or create large message fail
John Rouillard <rouilj@ieee.org>
parents: 5696
diff changeset
257 return super(BinaryFieldStorage, self).make_file()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
258
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
259 class Client:
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
260 """Instantiate to handle one CGI request.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
261
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
262 See inner_main for request processing.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
263
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
264 Client attributes at instantiation:
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
265
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
266 - "path" is the PATH_INFO inside the instance (with no leading '/')
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
267 - "base" is the base URL for the instance
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
268 - "form" is the cgi form, an instance of FieldStorage from the standard
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
269 cgi module
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
270 - "additional_headers" is a dictionary of additional HTTP headers that
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
271 should be sent to the client
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
272 - "response_code" is the HTTP response code to send to the client
2557
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
273 - "translator" is TranslationService instance
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
274 - "client-nonce" is a unique value for this client connection. Can be
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
275 used as a nonce for CSP headers and to sign javascript code
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
276 presented to the browser. This is different from the CSRF nonces
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
277 and can not be used for anti-csrf measures.
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
278
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
279 During the processing of a request, the following attributes are used:
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
280
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
281 - "db"
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
282 - "_error_message" holds a list of error messages
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
283 - "_ok_message" holds a list of OK messages
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
284 - "session" is deprecated in favor of session_api (XXX remove)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
285 - "session_api" is the interface to store data in session
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
286 - "user" is the current user's name
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
287 - "userid" is the current user's id
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
288 - "template" is the current :template context
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
289 - "classname" is the current class context name
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
290 - "nodeid" is the current context item id
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
291
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
292 Note: _error_message and _ok_message should not be modified
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
293 directly, use add_ok_message and add_error_message, these, by
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
294 default, escape the message added to avoid XSS security issues.
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
295
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
296 User Identification:
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
297 Users that are absent in session data are anonymous and are logged
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
298 in as that user. This typically gives them all Permissions assigned
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
299 to the Anonymous Role.
1244
8dd4f736370b merge from maintenance branch
Richard Jones <richard@users.sourceforge.net>
parents: 1236
diff changeset
300
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
301 Every user is assigned a session. "session_api" is the interface
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
302 to work with session data.
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
303
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
304 Special form variables:
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
305 Note that in various places throughout this code, special form
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
306 variables of the form :<name> are used. The colon (":") part may
1436
2f6647cf5345 bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents: 1435
diff changeset
307 actually be one of either ":" or "@".
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
308 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
309
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
310 # charset used for data storage and form templates
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
311 # Note: must be in lower case for comparisons!
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
312 # XXX take this from instance.config?
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
313 STORAGE_CHARSET = 'utf-8'
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
314
1421
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
315 #
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
316 # special form variables
1421
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
317 #
1436
2f6647cf5345 bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents: 1435
diff changeset
318 FV_TEMPLATE = re.compile(r'[@:]template')
2f6647cf5345 bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents: 1435
diff changeset
319 FV_OK_MESSAGE = re.compile(r'[@:]ok_message')
2f6647cf5345 bugger, dropping support for "+" special char
Richard Jones <richard@users.sourceforge.net>
parents: 1435
diff changeset
320 FV_ERROR_MESSAGE = re.compile(r'[@:]error_message')
1421
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
321
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
322 # Note: index page stuff doesn't appear here:
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
323 # columns, sort, sortdir, filter, group, groupdir, search_text,
90bb11eb40dc oops, forgot the templating :)
Richard Jones <richard@users.sourceforge.net>
parents: 1420
diff changeset
324 # pagesize, startwith
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
325
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
326 # list of network error codes that shouldn't be reported to tracker admin
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
327 # (error descriptions from FreeBSD intro(2))
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
328 IGNORE_NET_ERRORS = (
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
329 # A write on a pipe, socket or FIFO for which there is
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
330 # no process to read the data.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
331 errno.EPIPE,
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
332 # A connection was forcibly closed by a peer.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
333 # This normally results from a loss of the connection
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
334 # on the remote socket due to a timeout or a reboot.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
335 errno.ECONNRESET,
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
336 # Software caused connection abort. A connection abort
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
337 # was caused internal to your host machine.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
338 errno.ECONNABORTED,
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
339 # A connect or send request failed because the connected party
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
340 # did not properly respond after a period of time.
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
341 errno.ETIMEDOUT,
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
342 )
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
343
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
344 def __init__(self, instance, request, env, form=None, translator=None):
5356
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
345 # re-seed the random number generator. Is this is an instance of
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
346 # random.SystemRandom it has no effect.
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
347 random_.seed()
5356
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
348 # So we also seed the pseudorandom random source obtained from
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
349 # import random
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
350 # to make sure that every forked copy of the client will return
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
351 # new random numbers.
91954be46a66 A real fix for the problem where:
John Rouillard <rouilj@ieee.org>
parents: 5350
diff changeset
352 seed_pseudorandom()
2230
ca2664e095be disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents: 2183
diff changeset
353 self.start = time.time()
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
354 self.instance = instance
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
355 self.request = request
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
356 self.env = env
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
357 self.setTranslator(translator)
1799
071ea6fc803f Extracted duplicated mail-sending code...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1798
diff changeset
358 self.mailer = Mailer(instance.config)
5166
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
359 # If True the form contents wins over the database contents when
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
360 # rendering html properties. This is set when an error occurs so
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
361 # that we don't lose submitted form contents.
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
362 self.form_wins = False
1004
5f12d3259f31 logout works better now
Richard Jones <richard@users.sourceforge.net>
parents: 1003
diff changeset
363
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
364 # save off the path
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
365 self.path = env['PATH_INFO']
1004
5f12d3259f31 logout works better now
Richard Jones <richard@users.sourceforge.net>
parents: 1003
diff changeset
366
1398
b3e1e9ab0500 fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents: 1393
diff changeset
367 # this is the base URL for this tracker
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
368 self.base = self.instance.config.TRACKER_WEB
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
369
4586
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
370 # should cookies be secure?
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
371 self.secure = self.base.startswith ('https')
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
372
2183
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2137
diff changeset
373 # check the tracker_we setting
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2137
diff changeset
374 if not self.base.endswith('/'):
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2137
diff changeset
375 self.base = self.base + '/'
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2137
diff changeset
376
1398
b3e1e9ab0500 fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents: 1393
diff changeset
377 # this is the "cookie path" for this tracker (ie. the path part of
b3e1e9ab0500 fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents: 1393
diff changeset
378 # the "base" url)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
379 self.cookie_path = urllib_.urlparse(self.base)[2]
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
380 # cookies to set in http responce
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
381 # {(path, name): (value, expire)}
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
382 self._cookies = {}
1398
b3e1e9ab0500 fixed cookie path to use TRACKER_WEB [SF#667020]
Richard Jones <richard@users.sourceforge.net>
parents: 1393
diff changeset
383
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
384 # define a unique nonce. Can be used for Content Security Policy
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
385 # nonces for scripts.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
386 self.client_nonce = self._gen_nonce()
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
387
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
388 # see if we need to re-parse the environment for the form (eg Zope)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
389 if form is None:
5608
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
390 # cgi.FieldStorage doesn't special case OPTIONS, DELETE or
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
391 # PATCH verbs. They are processed like POST. So FieldStorage
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
392 # hangs on these verbs trying to read posted data that
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
393 # will never arrive.
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
394 # If not defined, set CONTENT_LENGTH to 0 so it doesn't
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
395 # hang reading the data.
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
396 if self.env['REQUEST_METHOD'] in ['OPTIONS', 'DELETE', 'PATCH']:
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
397 if 'CONTENT_LENGTH' not in self.env:
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
398 self.env['CONTENT_LENGTH'] = 0
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
399 logger.debug("Setting CONTENT_LENGTH to 0 for method: %s",
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
400 self.env['REQUEST_METHOD'])
5df309febe49 Path to support OPTIONS verb when using rest interface via
John Rouillard <rouilj@ieee.org>
parents: 5603
diff changeset
401
5653
ba67e397f063 Fix string/bytes issues under python 3.
John Rouillard <rouilj@ieee.org>
parents: 5624
diff changeset
402 # cgi.FieldStorage must save all data as
5656
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
403 # binary/bytes. Subclass BinaryFieldStorage does this.
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
404 # It's a workaround for a bug in cgi.FieldStorage. See class
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
405 # def for details.
d26d2590cd8c Implement different workaround for https://bugs.python.org/issue27777
John Rouillard <rouilj@ieee.org>
parents: 5655
diff changeset
406 self.form = BinaryFieldStorage(fp=request.rfile, environ=env)
5554
a06a88ed38ae Fake a list property to prevent "Error: not indexable".
martin.v.loewis <martin.v.loewis>
parents: 5549
diff changeset
407 # In some case (e.g. content-type application/xml), cgi
a06a88ed38ae Fake a list property to prevent "Error: not indexable".
martin.v.loewis <martin.v.loewis>
parents: 5549
diff changeset
408 # will not parse anything. Fake a list property in this case
a06a88ed38ae Fake a list property to prevent "Error: not indexable".
martin.v.loewis <martin.v.loewis>
parents: 5549
diff changeset
409 if self.form.list is None:
a06a88ed38ae Fake a list property to prevent "Error: not indexable".
martin.v.loewis <martin.v.loewis>
parents: 5549
diff changeset
410 self.form.list = []
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
411 else:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
412 self.form = form
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
413
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
414 # turn debugging on/off
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
415 try:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
416 self.debug = int(env.get("ROUNDUP_DEBUG", 0))
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
417 except ValueError:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
418 # someone gave us a non-int debug level, turn it off
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
419 self.debug = 0
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
420
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
421 # flag to indicate that the HTTP headers have been sent
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
422 self.headers_done = 0
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
423
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
424 # additional headers to send with the request - must be registered
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
425 # before the first write
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
426 self.additional_headers = {}
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
427 self.response_code = 200
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
428
2947
e611be5ee6c4 initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2946
diff changeset
429 # default character set
e611be5ee6c4 initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2946
diff changeset
430 self.charset = self.STORAGE_CHARSET
e611be5ee6c4 initialize self.charset early to enable html output for tracebacks...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2946
diff changeset
431
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
432 # parse cookies (used for charset lookups)
3916
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
433 # use our own LiberalCookie to handle bad apps on the same
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
434 # server that have set cookies that are out of spec
57ad3e2c2545 handle bad cookies
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3900
diff changeset
435 self.cookie = LiberalCookie(self.env.get('HTTP_COOKIE', ''))
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
436
2928
81c99c857b57 applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2923
diff changeset
437 self.user = None
81c99c857b57 applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2923
diff changeset
438 self.userid = None
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
439 self.nodeid = None
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
440 self.classname = None
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
441 self.template = None
2928
81c99c857b57 applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2923
diff changeset
442
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
443 def _gen_nonce(self):
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
444 """ generate a unique nonce """
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
445 n = b2s(base64.b32encode(random_.token_bytes(40)))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
446 return n
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
447
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
448 def setTranslator(self, translator=None):
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
449 """Replace the translation engine
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
450
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
451 'translator'
2557
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
452 is TranslationService instance.
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
453 It must define methods 'translate' (TAL-compatible i18n),
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
454 'gettext' and 'ngettext' (gettext-compatible i18n).
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
455
2557
ff02e9851592 translator object must be Roundup Translation Service...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2514
diff changeset
456 If omitted, create default TranslationService.
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
457 """
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
458 if translator is None:
2808
18c28d22b3b5 pass tracker home directory to get_translation()
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2800
diff changeset
459 translator = TranslationService.get_translation(
2923
29563959c026 language defaults to config option TRACKER_LANGUAGE
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2906
diff changeset
460 language=self.instance.config["TRACKER_LANGUAGE"],
2808
18c28d22b3b5 pass tracker home directory to get_translation()
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2800
diff changeset
461 tracker_home=self.instance.config["TRACKER_HOME"])
2467
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
462 self.translator = translator
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
463 self._ = self.gettext = translator.gettext
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
464 self.ngettext = translator.ngettext
76ead526113d client instances may be used as translation engines.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2366
diff changeset
465
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
466 def main(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
467 """ Wrap the real main in a try/finally so we always close off the db.
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
468 """
5924
b40059d7036f issue2550925 strip HTTP_PROXY environment variable
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
469
b40059d7036f issue2550925 strip HTTP_PROXY environment variable
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
470 # strip HTTP_PROXY issue2550925 in case
b40059d7036f issue2550925 strip HTTP_PROXY environment variable
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
471 # PROXY header is set.
b40059d7036f issue2550925 strip HTTP_PROXY environment variable
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
472 if 'HTTP_PROXY' in self.env:
b40059d7036f issue2550925 strip HTTP_PROXY environment variable
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
473 del(self.env['HTTP_PROXY'])
b40059d7036f issue2550925 strip HTTP_PROXY environment variable
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
474 if 'HTTP_PROXY' in os.environ:
b40059d7036f issue2550925 strip HTTP_PROXY environment variable
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
475 del(os.environ['HTTP_PROXY'])
b40059d7036f issue2550925 strip HTTP_PROXY environment variable
John Rouillard <rouilj@ieee.org>
parents: 5881
diff changeset
476
5603
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
477 xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
478 rest_enabled = self.instance.config.WEB_ENABLE_REST
1133
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
479 try:
5603
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
480 if xmlrpc_enabled and self.path == 'xmlrpc':
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
481 self.handle_xmlrpc()
5603
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
482 elif rest_enabled and (self.path == 'rest' or
79da1ca2f94b Make xmlrpc and rest APIs configurable
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5568
diff changeset
483 self.path[:5] == 'rest/'):
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
484 self.handle_rest()
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
485 else:
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
486 self.inner_main()
1133
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
487 finally:
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
488 if hasattr(self, 'db'):
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
489 self.db.close()
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
490
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
491
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
492 def handle_xmlrpc(self):
4919
24209344b507 Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents: 4903
diff changeset
493 if self.env.get('CONTENT_TYPE') != 'text/xml':
5437
a1971da1c5da Python 3 preparation: send bytes to socket in cgi/client.py.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5430
diff changeset
0fb04e717de0 fix encoding in handle_xmlrpc
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5441
diff changeset
496 b"XML-RPC interface</a>.")
4919
24209344b507 Link /xmlrpc to docs if accessed with browser
anatoly techtonik <techtonik@gmail.com>
parents: 4903
diff changeset
497 return
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
498
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
499 # Pull the raw XML out of the form. The "value" attribute
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
500 # will be the raw content of the POST request.
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
501 assert self.form.file
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
502 input = self.form.value
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
503 # So that the rest of Roundup can query the form in the
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
504 # usual way, we create an empty list of fields.
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
505 self.form.list = []
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
506
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
507 # Set the charset and language, since other parts of
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
508 # Roundup may depend upon that.
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
509 self.determine_charset()
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
510 self.determine_language()
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
511 # Open the database as the correct user.
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
512 try:
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
513 self.determine_user()
5881
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
514 self.db.tx_Source = "xmlrpc"
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
515 except LoginError as msg:
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
516 output = xmlrpc_.client.dumps(
5879
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
517 xmlrpc_.client.Fault(401, "%s" % msg),
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
518 allow_none=True)
5879
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
519 self.setHeader("Content-Type", "text/xml")
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
520 self.setHeader("Content-Length", str(len(output)))
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
521 self.write(s2b(output))
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
522 return
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
523
5879
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
524 if not self.db.security.hasPermission('Xmlrpc Access', self.userid):
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
525 output = xmlrpc_.client.dumps(
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
526 xmlrpc_.client.Fault(403, "Forbidden"),
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
527 allow_none=True)
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
528 self.setHeader("Content-Type", "text/xml")
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
529 self.setHeader("Content-Length", str(len(output)))
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
530 self.write(s2b(output))
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
531 return
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
532
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
533 self.check_anonymous_access()
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
534
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
535 try:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
536 # coverting from function returning true/false to
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
537 # raising exceptions
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
538 # Call csrf with xmlrpc checks enabled.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
539 # It will return True if everything is ok,
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
540 # raises exception on check failure.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
541 csrf_ok = self.handle_csrf(xmlrpc=True)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
542 except (Unauthorised, UsageError) as msg:
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
543 # report exception back to server
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
544 exc_type, exc_value, exc_tb = sys.exc_info()
5408
e46ce04d5bbc Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5395
diff changeset
545 output = xmlrpc_.client.dumps(
e46ce04d5bbc Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5395
diff changeset
546 xmlrpc_.client.Fault(1, "%s:%s" % (exc_type, exc_value)),
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
547 allow_none=True)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
548 csrf_ok = False # we had an error, failed check
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
549
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
550 if csrf_ok == True:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
551 handler = xmlrpc.RoundupDispatcher(self.db,
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4079
diff changeset
552 self.instance.actions,
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4079
diff changeset
553 self.translator,
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
554 allow_none=True)
5474
4c9192393cd9 encoding fixes
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5456
diff changeset
555 output = handler.dispatch(input)
4079
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
556
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
557 self.setHeader("Content-Type", "text/xml")
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
558 self.setHeader("Content-Length", str(len(output)))
edf526c91412 * Refactor XMLRPC interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4077
diff changeset
559 self.write(output)
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
560
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
561 def handle_rest(self):
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
562 # Set the charset and language
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
563 self.determine_charset()
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
564 self.determine_language()
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
565 # Open the database as the correct user.
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
566 # TODO: add everything to RestfulDispatcher
5666
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
567 try:
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
568 self.determine_user()
5881
9938c40e03bc Add "rest" and "xmlrpc" values for database tx_Source property
John Rouillard <rouilj@ieee.org>
parents: 5879
diff changeset
569 self.db.tx_Source = "rest"
5666
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
570 except LoginError as err:
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
571 self.response_code = http_.client.UNAUTHORIZED
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
572 output = s2b("Invalid Login - %s"%str(err))
5666
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
573 self.setHeader("Content-Length", str(len(output)))
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
574 self.setHeader("Content-Type", "text/plain")
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
575 self.write(output)
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
576 return
d660d1c1ba63 Handle LoginError in rest code. Stop standard "an error occurred check
John Rouillard <rouilj@ieee.org>
parents: 5657
diff changeset
577
5879
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
578 if not self.db.security.hasPermission('Rest Access', self.userid):
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
579 self.response_code = 403
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
580 self.write(s2b('{ "error": { "status": 403, "msg": "Forbidden." } }'))
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
581 return
94a7669677ae add permissions to control user of rest and xmlrpc API interfaces.
John Rouillard <rouilj@ieee.org>
parents: 5878
diff changeset
582
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
583 self.check_anonymous_access()
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
584
5696
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
585 try:
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
586 # Call csrf with xmlrpc checks enabled.
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
587 # It will return True if everything is ok,
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
588 # raises exception on check failure.
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
589 csrf_ok = self.handle_csrf(xmlrpc=True)
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
590 except (Unauthorised, UsageError) as msg:
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
591 # report exception back to server
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
592 exc_type, exc_value, exc_tb = sys.exc_info()
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
593 # FIXME should return what the client requests
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
594 # via accept header.
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
595 output = s2b("%s: %s\n"%(exc_type, exc_value))
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
596 self.response_code = 400
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
597 self.setHeader("Content-Length", str(len(output)))
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
598 self.setHeader("Content-Type", "text/plain")
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
599 self.write(output)
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
600 csrf_ok = False # we had an error, failed check
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
601 return
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
602
5696
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
603 # With the return above the if will never be false,
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
604 # Keeping the if so we can remove return to pass
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
605 # output though and format output according to accept
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
606 # header.
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
607 if csrf_ok == True:
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
608 # Call rest library to handle the request
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
609 handler = rest.RestfulInstance(self, self.db)
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
610 output = handler.dispatch(self.env['REQUEST_METHOD'],
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
611 self.path, self.form)
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
612
b67636bc87d0 Add CSRF protection to rest code path. Follow same model as for
John Rouillard <rouilj@ieee.org>
parents: 5671
diff changeset
613 # type header set by rest handler
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
614 # self.setHeader("Content-Type", "text/xml")
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
615 self.setHeader("Content-Length", str(len(output)))
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
616 self.write(output)
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
617
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
618 def add_ok_message(self, msg, escape=True):
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
619 add_message(self._ok_message, msg, escape)
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
620
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
621 def add_error_message(self, msg, escape=True):
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
622 add_message(self._error_message, msg, escape)
5166
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
623 # Want to interpret form values when rendering when an error
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
624 # occurred:
232c74973a56 issue1408570: fix that form values are lost
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
625 self.form_wins = True
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
626
1133
36ec30d286ea Cleaned up CHANGES/TODO
Richard Jones <richard@users.sourceforge.net>
parents: 1130
diff changeset
627 def inner_main(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
628 """Process a request.
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
629
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
630 The most common requests are handled like so:
1054
3d8ea16347aa more explanatory docstring
Richard Jones <richard@users.sourceforge.net>
parents: 1053
diff changeset
631
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
632 1. look for charset and language preferences, set up user locale
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
633 see determine_charset, determine_language
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
634 2. figure out who we are, defaulting to the "anonymous" user
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
635 see determine_user
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
636 3. figure out what the request is for - the context
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
637 see determine_context
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
638 4. handle any requested action (item edit, search, ...)
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
639 see handle_action
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
640 5. render a template, resulting in HTML output
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
641
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
642 In some situations, exceptions occur:
1054
3d8ea16347aa more explanatory docstring
Richard Jones <richard@users.sourceforge.net>
parents: 1053
diff changeset
643
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
644 - HTTP Redirect (generally raised by an action)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
645 - SendFile (generally raised by determine_context)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
646 serve up a FileClass "content" property
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
647 - SendStaticFile (generally raised by determine_context)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
648 serve up a file from the tracker "html" directory
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
649 - Unauthorised (generally raised by an action)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
650 the action is cancelled, the request is rendered and an error
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
651 message is displayed indicating that permission was not
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
652 granted for the action to take place
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
653 - templating.Unauthorised (templating action not permitted)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
654 raised by an attempted rendering of a template when the user
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
655 doesn't have permission
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
656 - NotFound (raised wherever it needs to be)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
657 percolates up to the CGI interface that called the client
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
658 """
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
659 self._ok_message = []
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
660 self._error_message = []
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
661 try:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
662 self.determine_charset()
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
663 self.determine_language()
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
664
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
665 try:
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
666 # make sure we're identified (even anonymously)
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
667 self.determine_user()
2938
463902a0fbbb determine user before context:
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2937
diff changeset
668
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
669 # figure out the context and desired content template
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
670 self.determine_context()
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
671
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
672 # if we've made it this far the context is to a bit of
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
673 # Roundup's real web interface (not a file being served up)
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
674 # so do the Anonymous Web Acess check now
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
675 self.check_anonymous_access()
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
676
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
677 # check for a valid csrf token identifying the right user
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
678 csrf_ok = True
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
679 try:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
680 # coverting from function returning true/false to
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
681 # raising exceptions
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
682 csrf_ok = self.handle_csrf()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
683 except (UsageError, Unauthorised) as msg:
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
684 csrf_ok = False
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
685 self.form_wins = True
5475
da22ff1c3501 use .args for exception information
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5474
diff changeset
686 self._error_message = msg.args
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
687
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
688 if csrf_ok:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
689 # csrf checks pass. Run actions etc.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
690 # possibly handle a form submit action (may change
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
691 # self.classname and self.template, and may also
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
692 # append error/ok_messages)
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
693 html = self.handle_action()
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
694 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
695 html = None
1697
c9f67f2f7ba7 don't open the database for static files
Richard Jones <richard@users.sourceforge.net>
parents: 1692
diff changeset
696
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
697 if html:
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
698 self.write_html(html)
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
699 return
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
700
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
701 # now render the page
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
702 # we don't want clients caching our dynamic pages
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
703 self.additional_headers['Cache-Control'] = 'no-cache'
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
704 # Pragma: no-cache makes Mozilla and its ilk
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
705 # double-load all pages!!
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
706 # self.additional_headers['Pragma'] = 'no-cache'
1579
07a6b8587bc2 removed Pragma: no-cache...
Richard Jones <richard@users.sourceforge.net>
parents: 1562
diff changeset
707
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
708 # pages with messages added expire right now
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
709 # simple views may be cached for a small amount of time
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
710 # TODO? make page expire time configurable
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
711 # <rj> always expire pages, as IE just doesn't seem to do the
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
712 # right thing here :(
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
713 date = time.time() - 1
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
714 #if self._error_message or self._ok_message:
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
715 # date = time.time() - 1
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
716 #else:
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
717 # date = time.time() + 5
4980
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
718 self.additional_headers['Expires'] = \
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
719 email.utils.formatdate(date, usegmt=True)
1552
68ef6deefcf1 cgi fixes
Richard Jones <richard@users.sourceforge.net>
parents: 1538
diff changeset
720
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
721 # render the content
3896
fca0365521fc ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3867
diff changeset
722 self.write_html(self.renderContext())
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
723 except SendFile as designator:
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
724 # The call to serve_file may result in an Unauthorised
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
725 # exception or a NotModified exception. Those
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
726 # exceptions will be handled by the outermost set of
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
727 # exception handlers.
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
728 self.serve_file(designator)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
729 except SendStaticFile as file:
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
730 self.serve_static_file(str(file))
3896
fca0365521fc ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3867
diff changeset
731 except IOError:
3900
182ba3207899 wrap comment to less than 75 chars
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3898
diff changeset
732 # IOErrors here are due to the client disconnecting before
4638
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
733 # receiving the reply.
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
734 pass
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
735 except SysCallError:
1ebc5f16aeda Ignore OpenSSL.SSL.SysCallError similar to IOError.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4623
diff changeset
736 # OpenSSL.SSL.SysCallError is similar to IOError above
3896
fca0365521fc ignore client shutdown exceptions when sending responses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3867
diff changeset
737 pass
2230
ca2664e095be disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents: 2183
diff changeset
738
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
739 except SeriousError as message:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
740 self.write_html(str(message))
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
741 except Redirect as url:
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
742 # let's redirect - if the url isn't None, then we need to do
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
743 # the headers, otherwise the headers have been set before the
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
744 # exception was raised
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
745 if url:
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
746 self.additional_headers['Location'] = str(url)
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
747 self.response_code = 302
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
748 self.write_html('Redirecting to <a href="%s">%s</a>'%(url, url))
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
749 except LoginError as message:
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
750 # The user tried to log in, but did not provide a valid
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
751 # username and password. If we support HTTP
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
752 # authorization, send back a response that will cause the
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
753 # browser to prompt the user again.
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
754 if self.instance.config.WEB_HTTP_AUTH:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
755 self.response_code = http_.client.UNAUTHORIZED
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
756 realm = self.instance.config.TRACKER_NAME
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
757 self.setHeader("WWW-Authenticate",
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
758 "Basic realm=\"%s\"" % realm)
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
759 else:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
760 self.response_code = http_.client.FORBIDDEN
4898
850551a1568b Fix issue2550843 (AttributeError: 'Unauthorised' object has no attribute 'replace')
Thomas Arendsen Hein <thomas@intevation.de>
parents: 4880
diff changeset
761 self.renderFrontPage(str(message))
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
762 except Unauthorised as message:
1977
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
763 # users may always see the front page
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
764 self.response_code = 403
4898
850551a1568b Fix issue2550843 (AttributeError: 'Unauthorised' object has no attribute 'replace')
Thomas Arendsen Hein <thomas@intevation.de>
parents: 4880
diff changeset
765 self.renderFrontPage(str(message))
4109
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
766 except NotModified:
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
767 # send the 304 response
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
768 self.response_code = 304
3f3f44e3534c Address issue2550528.
Stefan Seefeld <stefan@seefeld.name>
parents: 4088
diff changeset
769 self.header()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
770 except NotFound as e:
5165
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
771 if self.response_code == 400:
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
772 # We can't find a parameter (e.g. property name
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
773 # incorrect). Tell the user what was raised.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
774 # Do not change to the 404 template since the
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
775 # base url is valid just query args are not.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
776 # copy the page format from SeriousError _str_ exception.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
777 error_page = """
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
778 <html><head><title>Roundup issue tracker: An error has occurred</title>
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
779 <link rel="stylesheet" type="text/css" href="@@file/style.css">
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
780 </head>
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
781 <body class="body" marginwidth="0" marginheight="0">
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
782 <p class="error-message">%s</p>
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
783 </body></html>
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
784 """
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
785 self.write_html(error_page%str(e))
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
786 else:
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
787 self.response_code = 404
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
788 self.template = '404'
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
789 try:
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
790 cl = self.db.getclass(self.classname)
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
791 self.write_html(self.renderContext())
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
792 except KeyError:
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
793 # we can't map the URL to a class we know about
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
794 # reraise the NotFound and let roundup_server
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
795 # handle it
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5154
diff changeset
796 raise NotFound(e)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
797 except FormError as e:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
798 self.add_error_message(self._('Form Error: ') + str(e))
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
799 self.write_html(self.renderContext())
4640
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
800 except IOError:
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
801 # IOErrors here are due to the client disconnecting before
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
802 # receiving the reply.
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
803 # may happen during write_html and serve_file, too.
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
804 pass
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
805 except SysCallError:
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
806 # OpenSSL.SSL.SysCallError is similar to IOError above
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
807 # may happen during write_html and serve_file, too.
70b1cb9034c3 Ignore IOError and SysCallError also in outer try/except.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4638
diff changeset
808 pass
5079
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
809 except DetectorError as e:
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
810 if not self.instance.config.WEB_DEBUG:
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
811 # run when we are not in debug mode, so errors
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
812 # go to admin too.
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
813 self.send_error_to_admin(e.subject, e.html, e.txt)
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
814 self.write_html(e.html)
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
815 else:
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
816 # in debug mode, only write error to screen.
65fef7858606 issue2550826 IOError in detector causes apache 'premature end of script headers' error
John Rouillard <rouilj@ieee.org>
parents: 5073
diff changeset
817 self.write_html(e.html)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
818 except:
4264
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
819 # Something has gone badly wrong. Therefore, we should
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
820 # make sure that the response code indicates failure.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
821 if self.response_code == http_.client.OK:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
822 self.response_code = http_.client.INTERNAL_SERVER_ERROR
4264
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
823 # Help the administrator work out what went wrong.
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
824 html = ("<h1>Traceback</h1>"
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
825 + cgitb.html(i18n=self.translator)
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
826 + ("<h1>Environment Variables</h1><table>%s</table>"
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
827 % cgitb.niceDict("", self.env)))
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
828 if not self.instance.config.WEB_DEBUG:
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
829 exc_info = sys.exc_info()
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
830 subject = "Error: %s" % exc_info[1]
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
831 self.send_error_to_admin(subject, html, format_exc())
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
832 self.write_html(self._(default_err_msg))
3548
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
833 else:
4264
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
834 self.write_html(html)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
835
1372
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
836 def clean_sessions(self):
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
837 """Deprecated
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
838 XXX remove
1937
4c850112895b Some reformatting and fixing docstrings for emacs.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1936
diff changeset
839 """
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
840 self.clean_up()
1372
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
841
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
842 def clean_up(self):
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
843 """Remove expired sessions and One Time Keys.
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
844
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
845 Do it only once an hour.
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
846 """
1372
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
847 hour = 60*60
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
848 now = time.time()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
849
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
850 # XXX: hack - use OTK table to store last_clean time information
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
851 # 'last_clean' string is used instead of otk key
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
852 otks = self.db.getOTKManager()
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
853 last_clean = otks.get('last_clean', 'last_use', 0)
2046
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
854 if now - last_clean < hour:
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
855 return
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
856
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
857 self.session_api.clean_up()
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
858 otks.clean()
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
859 otks.set('last_clean', last_use=now)
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
860 otks.commit()
1372
3931614b1cce cleaning old unused sessions only once per hour, not on every cgi request
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1358
diff changeset
861
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
862 def determine_charset(self):
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
863 """Look for client charset in the form parameters or browser cookie.
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
864
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
865 If no charset requested by client, use storage charset (utf-8).
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
866
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
867 If the charset is found, and differs from the storage charset,
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
868 recode all form fields of type 'text/plain'
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
869 """
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
870 # look for client charset
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
871 charset_parameter = 0
4799
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
872 # Python 2.6 form may raise a TypeError if list in form is None
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
873 charset = None
4800
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
874 try:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
875 charset = self.form['@charset'].value
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
876 if charset.lower() == "none":
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
877 charset = ""
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
878 charset_parameter = 1
4799
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
879 except (KeyError, TypeError):
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
880 pass
b474adb17fda Fix case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4781
diff changeset
881 if charset is None and 'roundup_charset' in self.cookie:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
882 charset = self.cookie['roundup_charset'].value
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
883 if charset:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
884 # make sure the charset is recognized
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
885 try:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
886 codecs.lookup(charset)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
887 except LookupError:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
888 self.add_error_message(self._('Unrecognized charset: %r')
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
889 % charset)
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
890 charset_parameter = 0
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
891 else:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
892 self.charset = charset.lower()
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
893 # If we've got a character set in request parameters,
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
894 # set the browser cookie to keep the preference.
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
895 # This is done after codecs.lookup to make sure
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
896 # that we aren't keeping a wrong value.
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
897 if charset_parameter:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
898 self.add_cookie('roundup_charset', charset)
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
899
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
900 # if client charset is different from the storage charset,
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
901 # recode form fields
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
902 # XXX this requires FieldStorage from Python library.
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
903 # mod_python FieldStorage is not supported!
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
904 if self.charset != self.STORAGE_CHARSET:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
905 decoder = codecs.getdecoder(self.charset)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
906 encoder = codecs.getencoder(self.STORAGE_CHARSET)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
907 re_charref = re.compile('&#([0-9]+|x[0-9a-f]+);', re.IGNORECASE)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
908 def _decode_charref(matchobj):
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
909 num = matchobj.group(1)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
910 if num[0].lower() == 'x':
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
911 uc = int(num[1:], 16)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
912 else:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
913 uc = int(num)
5417
c749d6795bc2 Python 3 preparation: unichr.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5408
diff changeset
914 return uchr(uc)
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
915
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
916 for field_name in self.form:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
917 field = self.form[field_name]
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
918 if (field.type == 'text/plain') and not field.filename:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
919 try:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
920 value = decoder(field.value)[0]
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
921 except UnicodeError:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
922 continue
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
923 value = re_charref.sub(_decode_charref, value)
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
924 field.value = encoder(value)[0]
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
925
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
926 def determine_language(self):
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
927 """Determine the language"""
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
928 # look for language parameter
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
929 # then for language cookie
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
930 # last for the Accept-Language header
4800
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
931 # Python 2.6 form may raise a TypeError if list in form is None
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
932 language = None
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
933 try:
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
934 language = self.form["@language"].value
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
935 if language.lower() == "none":
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
936 language = ""
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
937 self.add_cookie("roundup_language", language)
4800
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
938 except (KeyError, TypeError):
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
939 pass
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
940 if language is None:
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
941 if "roundup_language" in self.cookie:
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
942 language = self.cookie["roundup_language"].value
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
943 elif self.instance.config["WEB_USE_BROWSER_LANGUAGE"]:
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
944 hal = self.env.get('HTTP_ACCEPT_LANGUAGE')
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
945 language = accept_language.parse(hal)
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
946 else:
3961b2b91568 2nd case where querying form returns a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4799
diff changeset
947 language = ""
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
948
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
949 self.language = language
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
950 if language:
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
951 self.setTranslator(TranslationService.get_translation(
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
952 language,
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
953 tracker_home=self.instance.config["TRACKER_HOME"]))
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
954
5934
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
955 def authenticate_bearer_token(self, challenge):
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
956 ''' authenticate the bearer token. Refactored from determine_user()
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
957 to alow it to be overridden if needed.
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
958 '''
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
959 try: # will jwt import?
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
960 import jwt
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
961 except ImportError:
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
962 # no support for jwt, this is fine.
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
963 self.setHeader("WWW-Authenticate", "Basic")
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
964 raise LoginError('Support for jwt disabled.')
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
965
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
966 secret = self.db.config.WEB_JWT_SECRET
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
967 if len(secret) < 32:
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
968 # no support for jwt, this is fine.
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
969 self.setHeader("WWW-Authenticate", "Basic")
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
970 raise LoginError('Support for jwt disabled by admin.')
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
971
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
972 try: # handle jwt exceptions
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
973 token = jwt.decode(challenge, secret,
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
974 algorithms=['HS256'],
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
975 audience=self.db.config.TRACKER_WEB,
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
976 issuer=self.db.config.TRACKER_WEB)
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
977 except jwt.exceptions.InvalidTokenError as err:
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
978 self.setHeader("WWW-Authenticate", "Basic, Bearer")
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
979 self.make_user_anonymous()
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
980 raise LoginError(str(err))
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
981
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
982 return(token)
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
983
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
984 def determine_user(self):
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
985 """Determine who the user is"""
1724
bc4f0aec594e oops, we really do need a database
Richard Jones <richard@users.sourceforge.net>
parents: 1719
diff changeset
986 self.opendb('admin')
bc4f0aec594e oops, we really do need a database
Richard Jones <richard@users.sourceforge.net>
parents: 1719
diff changeset
987
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
988 # if we get a jwt, it includes the roles to be used for this session
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
989 # so we define a new function to encpsulate and return the jwt roles
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
990 # and not take the roles from the database.
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
991 override_get_roles = None
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
992
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
993 # get session data from db
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
994 # XXX: rename
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
995 self.session_api = Session(self)
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
996
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
997 # take the opportunity to cleanup expired sessions and otks
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
998 self.clean_up()
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
999
3453
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1000 user = None
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1001 # first up, try http authorization if enabled
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1002 if self.instance.config['WEB_HTTP_AUTH']:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1003 if 'REMOTE_USER' in self.env:
3453
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1004 # we have external auth (e.g. by Apache)
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1005 user = self.env['REMOTE_USER']
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1006 elif self.env.get('HTTP_AUTHORIZATION', ''):
3453
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1007 # try handling Basic Auth ourselves
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1008 auth = self.env['HTTP_AUTHORIZATION']
5549
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1009 try:
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1010 scheme, challenge = auth.split(' ', 1)
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1011 except ValueError:
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1012 # Invalid header.
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1013 scheme = ''
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1014 challenge = ''
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1015 if scheme.lower() == 'basic':
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1016 try:
5474
4c9192393cd9 encoding fixes
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5456
diff changeset
1017 decoded = b2s(base64.b64decode(challenge))
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1018 except TypeError:
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1019 # invalid challenge
5474
4c9192393cd9 encoding fixes
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5456
diff changeset
1020 decoded = ''
5549
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1021 try:
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1022 username, password = decoded.split(':', 1)
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1023 except ValueError:
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1024 # Invalid challenge.
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1025 username = ''
901d7ba146ad Avoid errors from invalid Authorization headers (issue2550992).
Joseph Myers <jsm@polyomino.org.uk>
parents: 5524
diff changeset
1026 password = ''
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1027 try:
4669
d7ac6c7bc371 Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4649
diff changeset
1028 # Current user may not be None, otherwise
d7ac6c7bc371 Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4649
diff changeset
1029 # instatiation of the login action will fail.
d7ac6c7bc371 Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4649
diff changeset
1030 # So we set the user to anonymous first.
d7ac6c7bc371 Fix basic authentication.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4649
diff changeset
1031 self.make_user_anonymous()
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1032 login = self.get_action_class('login')(self)
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1033 login.verifyLogin(username, password)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1034 except LoginError as err:
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1035 self.make_user_anonymous()
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1036 raise
3356
2913b42c0810 enabled disabling of REMOTE_USER for when it's not a valid username
Richard Jones <richard@users.sourceforge.net>
parents: 3276
diff changeset
1037 user = username
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1038 # try to seed with something harder to guess than
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1039 # just the time. If random is SystemRandom,
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1040 # this is a no-op.
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5475
diff changeset
1041 random_.seed("%s%s"%(password,time.time()))
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1042 elif scheme.lower() == 'bearer':
5934
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1043 token = self.authenticate_bearer_token(challenge)
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1044
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1045 from roundup.hyperdb import iter_roles
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1046
5934
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1047 # if we got here token is valid, use the role
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1048 # and sub claims.
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1049 try:
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1050 # make sure to str(token['sub']) the subject. As decoded
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1051 # by json, it is unicode which thows an error when used
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1052 # with 'nodeid in db' down the call chain.
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1053 user = self.db.user.get(str(token['sub']), 'username')
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1054 except IndexError:
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1055 raise LoginError("Token subject is invalid.")
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1056
5934
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1057 # validate roles
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1058 all_rolenames = [ role[0] for role in self.db.security.role.items() ]
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1059 for r in token['roles']:
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1060 if r.lower() not in all_rolenames:
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1061 raise LoginError("Token roles are invalid.")
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1062
5934
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1063 # will be used later to override the get_roles method
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1064 override_get_roles = \
db9bd45d50ad Refactor jwt auth into authenticate_bearer_token() method on Client
John Rouillard <rouilj@ieee.org>
parents: 5924
diff changeset
1065 lambda self: iter_roles(','.join(token['roles']))
2928
81c99c857b57 applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2923
diff changeset
1066
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
1067 # if user was not set by http authorization, try session lookup
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
1068 if not user:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
1069 user = self.session_api.get('user')
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
1070 if user:
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
1071 # update session lifetime datestamp
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
1072 self.session_api.update()
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1073
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
1074 # if no user name set by http authorization or session lookup
3453
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1075 # the user is anonymous
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1076 if not user:
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1077 user = 'anonymous'
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1078
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1079 # sanity check on the user still being valid,
8e3c0b88afad prefer http authorization over cookie sessions [SF#1396134]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3427
diff changeset
1080 # getting the userid at the same time
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1081 try:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1082 self.userid = self.db.user.lookup(user)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1083 except (KeyError, TypeError):
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1084 user = 'anonymous'
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1085
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1086 # make sure the anonymous user is valid if we're using it
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1087 if user == 'anonymous':
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1088 self.make_user_anonymous()
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1089 else:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1090 self.user = user
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1091
1003
f89b8d32291b Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents: 1002
diff changeset
1092 # reopen the database as the correct user
f89b8d32291b Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents: 1002
diff changeset
1093 self.opendb(self.user)
5878
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1094 if override_get_roles:
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1095 # opendb destroys and re-opens the db if instance.optimize
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1096 # is not true. This deletes an override of get_roles. So
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1097 # assign get_roles override from the jwt if needed at this
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1098 # point.
1b57d8f3eb97 Add rudimentery experiment JSON Web Token (jwt) support
John Rouillard <rouilj@ieee.org>
parents: 5847
diff changeset
1099 self.db.user.get_roles = override_get_roles
1003
f89b8d32291b Hack hack hack...
Richard Jones <richard@users.sourceforge.net>
parents: 1002
diff changeset
1100
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1101 def check_anonymous_access(self):
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
1102 """Check that the Anonymous user is actually allowed to use the web
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
1103 interface and short-circuit all further processing if they're not.
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
1104 """
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1105 # allow Anonymous to use the "login" and "register" actions (noting
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1106 # that "register" has its own "Register" permission check)
4367
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1107
4802
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
1108 action = ''
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
1109 try:
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
1110 if ':action' in self.form:
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
1111 action = self.form[':action']
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
1112 elif '@action' in self.form:
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
1113 action = self.form['@action']
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
1114 except TypeError:
e1ffab417c28 Yet another instance of a TypeError fixed
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4801
diff changeset
1115 pass
4367
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1116 if isinstance(action, list):
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1117 raise SeriousError('broken form: multiple @action values submitted')
4384
b0d812e10549 fix actions check for < Python2.6
Richard Jones <richard@users.sourceforge.net>
parents: 4380
diff changeset
1118 elif action != '':
4367
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1119 action = action.value.lower()
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1120 if action in ('login', 'register'):
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1121 return
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1122
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
1123 # allow Anonymous to view the "user" "register" template if they're
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
1124 # allowed to register
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
1125 if (self.db.security.hasPermission('Register', self.userid, 'user')
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
1126 and self.classname == 'user' and self.template == 'register'):
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
1127 return
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4327
diff changeset
1128
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1129 # otherwise for everything else
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
1130 if self.user == 'anonymous':
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
1131 if not self.db.security.hasPermission('Web Access', self.userid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1132 raise Unauthorised(self._("Anonymous users are not "
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1133 "allowed to use the web interface"))
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
1134
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1135
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1136 def handle_csrf(self, xmlrpc=False):
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1137 '''Handle csrf token lookup and validate current user and session
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1138
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1139 This implements (or tries to implement) the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1140 Session-Dependent Nonce from
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1141 https://seclab.stanford.edu/websec/csrf/csrf.pdf.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1142
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1143 Changing this to an HMAC(sessionid,secret) will
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1144 remove the need for saving a fair amount of
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1145 state on the server (one nonce per form per
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1146 page). If you have multiple forms/page this can
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1147 lead to abandoned csrf tokens that have to time
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1148 out and get cleaned up.But you lose per form
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1149 tokens which may be an advantage. Also the HMAC
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1150 is constant for the session, so provides more
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1151 occasions for it to be exposed.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1152
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1153 This only runs on post (or put and delete for
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1154 future use). Nobody should be changing data
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1155 with a get.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1156
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1157 A session token lifetime is settable in
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1158 config.ini. A future enhancement to the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1159 creation routines should allow for the requester
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1160 of the token to set the lifetime.t
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1161
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1162 The unique session key and user id is stored
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1163 with the token. The token is valid if the stored
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1164 values match the current client's userid and
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1165 session.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1166
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1167 If a user logs out, the csrf keys are
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1168 invalidated since no other connection should
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1169 have the same session id.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1170
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1171 At least to start I am reporting anti-csrf to
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1172 the user. If it's an attacker who can see the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1173 site, they can see the @csrf fields and can
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1174 probably figure out that he needs to supply
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1175 valid headers. Or they can just read this code
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1176 8-). So hiding it doesn't seem to help but it
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1177 does arguably show the enforcement settings, but
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1178 given the newness of this code notifying the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1179 user and having them notify the admins for
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1180 debugging seems to be an advantage.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1181
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1182 '''
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1183 # Create the otks handle here as we need it almost immediately.
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1184 # If this is perf issue, set to None here and check below
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1185 # once all header checks have passed if it needs to be opened.
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1186 otks=self.db.getOTKManager()
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1187
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1188 # Assume: never allow changes via GET
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1189 if self.env['REQUEST_METHOD'] not in ['POST', 'PUT', 'DELETE']:
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1190 if "@csrf" in self.form:
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1191 # We have a nonce being used with a method it should
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1192 # not be. If the nonce exists, report to admin so they
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1193 # can fix the nonce leakage and destroy it. (nonces
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1194 # used in a get are more exposed than those used in a
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1195 # post.) Note, I don't attempt to validate here since
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1196 # existence here is the sign of a failure. If nonce
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1197 # exists try to report the referer header to try to
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1198 # find where this comes from so it can be fixed. If
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1199 # nonce doesn't exist just ignore it. Maybe we should
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1200 # report, but somebody could spam us with a ton of
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1201 # invalid keys and fill up the logs.
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1202 if 'HTTP_REFERER' in self.env:
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1203 referer = self.env['HTTP_REFERER']
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1204 else:
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1205 referer = self._("Referer header not available.")
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1206 key=self.form['@csrf'].value
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1207 if otks.exists(key):
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1208 logger.error(
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1209 self._("csrf key used with wrong method from: %s"),
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1210 referer)
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1211 otks.destroy(key)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
1212 otks.commit()
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1213 # do return here. Keys have been obsoleted.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1214 # we didn't do a expire cycle of session keys,
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1215 # but that's ok.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1216 return True
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1217
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1218 config=self.instance.config
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1219 current_user=self.db.getuid()
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1220
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1221 # List HTTP headers we check. Note that the xmlrpc header is
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1222 # missing. Its enforcement is different (yes/required are the
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1223 # same for example) so we don't include here.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1224 header_names = [
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1225 "ORIGIN",
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1226 "REFERER",
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1227 "X-FORWARDED-HOST",
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1228 "HOST"
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1229 ]
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1230
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1231 header_pass = 0 # count of passing header checks
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1232
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1233 # If required headers are missing, raise an error
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1234 for header in header_names:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1235 if (config["WEB_CSRF_ENFORCE_HEADER_%s"%header] == 'required'
5624
b3618882f906 issue2551023: Fix CSRF headers for use with wsgi and cgi. The
John Rouillard <rouilj@ieee.org>
parents: 5615
diff changeset
1236 and "HTTP_%s" % header.replace('-', '_') not in self.env):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1237 logger.error(self._("csrf header %s required but missing for user%s."), header, current_user)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1238 raise Unauthorised(self._("Missing header: %s")%header)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1239
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1240 # self.base always matches: ^https?://hostname
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1241 enforce=config['WEB_CSRF_ENFORCE_HEADER_REFERER']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1242 if 'HTTP_REFERER' in self.env and enforce != "no":
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1243 referer = self.env['HTTP_REFERER']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1244 # self.base always has trailing /
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1245 foundat = referer.find(self.base)
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1246 if foundat != 0:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1247 if enforce in ('required', 'yes'):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1248 logger.error(self._("csrf Referer header check failed for user%s. Value=%s"), current_user, referer)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1249 raise Unauthorised(self._("Invalid Referer %s, %s")%(referer,self.base))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1250 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1251 logger.warning(self._("csrf Referer header check failed for user%s. Value=%s"), current_user, referer)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1252 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1253 header_pass += 1
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1254
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1255 # if you change these make sure to consider what
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1256 # happens if header variable exists but is empty.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1257 # self.base.find("") returns 0 for example not -1
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1258 enforce=config['WEB_CSRF_ENFORCE_HEADER_ORIGIN']
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1259 if 'HTTP_ORIGIN' in self.env and enforce != "no":
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1260 origin = self.env['HTTP_ORIGIN']
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1261 foundat = self.base.find(origin +'/')
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1262 if foundat != 0:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1263 if enforce in ('required', 'yes'):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1264 logger.error(self._("csrf Origin header check failed for user%s. Value=%s"), current_user, origin)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1265 raise Unauthorised(self._("Invalid Origin %s"%origin))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1266 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1267 logger.warning(self._("csrf Origin header check failed for user%s. Value=%s"), current_user, origin)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1268 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1269 header_pass += 1
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1270
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1271 enforce=config['WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST']
5624
b3618882f906 issue2551023: Fix CSRF headers for use with wsgi and cgi. The
John Rouillard <rouilj@ieee.org>
parents: 5615
diff changeset
1272 if 'HTTP_X_FORWARDED_HOST' in self.env:
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1273 if enforce != "no":
5624
b3618882f906 issue2551023: Fix CSRF headers for use with wsgi and cgi. The
John Rouillard <rouilj@ieee.org>
parents: 5615
diff changeset
1274 host = self.env['HTTP_X_FORWARDED_HOST']
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1275 foundat = self.base.find('://' + host + '/')
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1276 # 4 means self.base has http:/ prefix, 5 means https:/ prefix
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1277 if foundat not in [4, 5]:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1278 if enforce in ('required', 'yes'):
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1279 logger.error(self._("csrf X-FORWARDED-HOST header check failed for user%s. Value=%s"), current_user, host)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1280 raise Unauthorised(self._("Invalid X-FORWARDED-HOST %s")%host)
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1281 elif enforce == 'logfailure':
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1282 logger.warning(self._("csrf X-FORWARDED-HOST header check failed for user%s. Value=%s"), current_user, host)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1283 else:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1284 header_pass += 1
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1285 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1286 # https://seclab.stanford.edu/websec/csrf/csrf.pdf
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1287 # recommends checking HTTP HOST header as well.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1288 # If there is an X-FORWARDED-HOST header, check
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1289 # that only. The proxy setting X-F-H has probably set
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1290 # the host header to a local hostname that is
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1291 # internal name of system not name supplied by user.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1292 enforce=config['WEB_CSRF_ENFORCE_HEADER_HOST']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1293 if 'HTTP_HOST' in self.env and enforce != "no":
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1294 host = self.env['HTTP_HOST']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1295 foundat = self.base.find('://' + host + '/')
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1296 # 4 means http:// prefix, 5 means https:// prefix
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1297 if foundat not in [4, 5]:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1298 if enforce in ('required', 'yes'):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1299 logger.error(self._("csrf HOST header check failed for user%s. Value=%s"), current_user, host)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1300 raise Unauthorised(self._("Invalid HOST %s")%host)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1301 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1302 logger.warning(self._("csrf HOST header check failed for user%s. Value=%s"), current_user, host)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1303 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1304 header_pass += 1
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1305
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1306 enforce=config['WEB_CSRF_HEADER_MIN_COUNT']
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1307 if header_pass < enforce:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1308 logger.error(self._("Csrf: unable to verify sufficient headers"))
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1309 raise UsageError(self._("Unable to verify sufficient headers"))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1310
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1311 enforce=config['WEB_CSRF_ENFORCE_HEADER_X-REQUESTED-WITH']
5218
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1312 if xmlrpc:
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1313 if enforce in ['required', 'yes']:
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1314 # if we get here we have usually passed at least one
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1315 # header check. We check for presence of this custom
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1316 # header for xmlrpc calls only.
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1317 # E.G. X-Requested-With: XMLHttpRequest
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1318 # Note we do not use CSRF nonces for xmlrpc requests.
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1319 #
44f7e6b958fe Added tests for csrf with xmlrpc.
John Rouillard <rouilj@ieee.org>
parents: 5212
diff changeset
1320 # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
5624
b3618882f906 issue2551023: Fix CSRF headers for use with wsgi and cgi. The
John Rouillard <rouilj@ieee.org>
parents: 5615
diff changeset
1321 if 'HTTP_X_REQUESTED_WITH' not in self.env:
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1322 logger.error(self._("csrf X-REQUESTED-WITH xmlrpc required header check failed for user%s."), current_user)
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1323 raise UsageError(self._("Required Header Missing"))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1324
5211
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1325 # Expire old csrf tokens now so we don't use them. These will
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1326 # be committed after the otks.destroy below. Note that the
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1327 # self.clean_up run as part of determine_user() will run only
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1328 # once an hour. If we have short lived (e.g. 5 minute) keys
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1329 # they will live too long if we depend on clean_up. So we do
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1330 # our own.
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1331 otks.clean()
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1332
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1333 if xmlrpc:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1334 # Save removal of expired keys from database.
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
1335 otks.commit()
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1336 # Return from here since we have done housekeeping
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1337 # and don't use csrf tokens for xmlrpc.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1338 return True
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1339
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1340 # process @csrf tokens past this point.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1341 key=None
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1342 nonce_user = None
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1343 nonce_session = None
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1344
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1345 if '@csrf' in self.form:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1346 key=self.form['@csrf'].value
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1347
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1348 nonce_user = otks.get(key, 'uid', default=None)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1349 nonce_session = otks.get(key, 'sid', default=None)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1350 # The key has been used or compromised.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1351 # Delete it to prevent replay.
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1352 otks.destroy(key)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1353
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1354 # commit the deletion/expiration of all keys
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
1355 otks.commit()
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1356
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1357 enforce=config['WEB_CSRF_ENFORCE_TOKEN']
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1358 if key is None: # we do not have an @csrf token
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1359 if enforce == 'required':
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1360 logger.error(self._("Required csrf field missing for user%s"), current_user)
5847
26cd8e8bbed3 Change microcopy for missing csrf to follow mismatched csrf. Fix tests.
John Rouillard <rouilj@ieee.org>
parents: 5846
diff changeset
1361 raise UsageError(self._("We can't validate your session (csrf failure). Re-enter any unsaved data and try again."))
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1362 elif enforce == 'logfailure':
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1363 # FIXME include url
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1364 logger.warning(self._("csrf field not supplied by user%s"), current_user)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1365 else:
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1366 # enforce is either yes or no. Both permit change if token is
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1367 # missing
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1368 return True
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1369
5211
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1370 current_session = self.session_api._sid
f4b6a2a3e605 Fix expiration dates and expire csrf tokens properly
John Rouillard <rouilj@ieee.org>
parents: 5210
diff changeset
1371
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1372 '''
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1373 # I think now that LogoutAction redirects to
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1374 # self.base ([tracker] web parameter in config.ini),
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1375 # this code is not needed. However I am keeping it
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1376 # around in case it has to come back to life.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1377 # Delete if this is still around in 3/2018.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1378 # rouilj 3/2017.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1379 #
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1380 # Note using this code may cause a CSRF Login vulnerability.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1381 # Handle the case where user logs out and tries to
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1382 # log in again in same window.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1383 # The csrf token for the login button is associated
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1384 # with the prior login, so it will not validate.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1385 #
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1386 # To bypass error, Verify that nonce_user != user and that
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1387 # user is '2' (anonymous) and there is no current
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1388 # session key. Validate that the csrf exists
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1389 # in the db and nonce_user and nonce_session are not None.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1390 # Also validate that the action is Login.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1391 # Lastly requre at least one csrf header check to pass.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1392 # If all of those work process the login.
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1393 if current_user != nonce_user and \
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1394 current_user == '2' and \
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1395 current_session is None and \
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1396 nonce_user is not None and \
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1397 nonce_session is not None and \
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1398 "@action" in self.form and \
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1399 self.form["@action"].value == "Login":
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1400 if header_pass > 0:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1401 otks.destroy(key)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5248
diff changeset
1402 otks.commit()
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1403 return True
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1404 else:
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1405 self.add_error_message("Reload window before logging in.")
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1406 '''
5210
7da56980754d Remove csrf keys used with get
John Rouillard <rouilj@ieee.org>
parents: 5202
diff changeset
1407 # validate against user and session
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1408 if current_user != nonce_user:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1409 if enforce in ('required', "yes"):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1410 logger.error(
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1411 self._("Csrf mismatch user: current user %s != stored user %s, current session, stored session: %s,%s for key %s."),
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1412 current_user, nonce_user, current_session, nonce_session, key)
5846
fd015c4c6c23 Fix microcopy for CSRF validation failure. Remove display of bad
John Rouillard <rouilj@ieee.org>
parents: 5837
diff changeset
1413 raise UsageError(self._("We can't validate your session (csrf failure). Re-enter any unsaved data and try again."))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1414 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1415 logger.warning(
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1416 self._("logged only: Csrf mismatch user: current user %s != stored user %s, current session, stored session: %s,%s for key %s."),
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1417 current_user, nonce_user, current_session, nonce_session, key)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1418 if current_session != nonce_session:
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1419 if enforce in ('required', "yes"):
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1420 logger.error(
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1421 self._("Csrf mismatch user: current session %s != stored session %s, current user/stored user is: %s for key %s."),
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1422 current_session, nonce_session, current_user, key)
5846
fd015c4c6c23 Fix microcopy for CSRF validation failure. Remove display of bad
John Rouillard <rouilj@ieee.org>
parents: 5837
diff changeset
1423 raise UsageError(self._("We can't validate your session (csrf failure). Re-enter any unsaved data and try again."))
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1424 elif enforce == 'logfailure':
5220
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1425 logger.warning(
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1426 self._("logged only: Csrf mismatch user: current session %s != stored session %s, current user/stored user is: %s for key %s."),
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1427 current_session, nonce_session, current_user, key)
14d8f61e6ef2 Reimplemented anti-csrf measures by raising exceptions rather than
John Rouillard <rouilj@ieee.org>
parents: 5218
diff changeset
1428 # we are done and the change can occur.
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1429 return True
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5188
diff changeset
1430
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1431 def opendb(self, username):
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
1432 """Open the database and set the current user.
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1433
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1434 Opens a database once. On subsequent calls only the user is set on
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1435 the database object the instance.optimize is set. If we are in
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1436 "Development Mode" (cf. roundup_server) then the database is always
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1437 re-opened.
3427
198fe87b0254 add language detection (patch [SF#1360321])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3396
diff changeset
1438 """
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1439 # don't do anything if the db is open and the user has not changed
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1440 if hasattr(self, 'db') and self.db.isCurrentUser(username):
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1441 return
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1442
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1443 # open the database or only set the user
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1444 if not hasattr(self, 'db'):
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1445 self.db = self.instance.open(username)
4781
6e9b9743de89 Implementation for:
John Rouillard <rouilj@ieee.org>
parents: 4740
diff changeset
1446 self.db.tx_Source = "web"
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1447 else:
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1448 if self.instance.optimize:
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1449 self.db.setCurrentUser(username)
4781
6e9b9743de89 Implementation for:
John Rouillard <rouilj@ieee.org>
parents: 4740
diff changeset
1450 self.db.tx_Source = "web"
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1451 else:
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1452 self.db.close()
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1453 self.db = self.instance.open(username)
4781
6e9b9743de89 Implementation for:
John Rouillard <rouilj@ieee.org>
parents: 4740
diff changeset
1454 self.db.tx_Source = "web"
4212
51a098592b78 Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents: 4145
diff changeset
1455 # The old session API refers to the closed database;
51a098592b78 Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents: 4145
diff changeset
1456 # we can no longer use it.
51a098592b78 Reopen session with database.
Stefan Seefeld <stefan@seefeld.name>
parents: 4145
diff changeset
1457 self.session_api = Session(self)
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1458
2940
00f609d53a8c tweaks to last patch
Richard Jones <richard@users.sourceforge.net>
parents: 2938
diff changeset
1459
2829
aa1cb9df09c3 ignore leading zeroes in the ID part of a node designator
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2808
diff changeset
1460 def determine_context(self, dre=re.compile(r'([^\d]+)0*(\d+)')):
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1461 """Determine the context of this page from the URL:
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1462
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1463 The URL path after the instance identifier is examined. The path
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1464 is generally only one entry long.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1465
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1466 - if there is no path, then we are in the "home" context.
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1467 - if the path is "_file", then the additional path entry
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1468 specifies the filename of a static file we're to serve up
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1469 from the instance "html" directory. Raises a SendStaticFile
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1470 exception.(*)
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1471 - if there is something in the path (eg "issue"), it identifies
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1472 the tracker class we're to display.
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1473 - if the path is an item designator (eg "issue123"), then we're
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1474 to display a specific item.
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1475 - if the path starts with an item designator and is longer than
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1476 one entry, then we're assumed to be handling an item of a
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1477 FileClass, and the extra path information gives the filename
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1478 that the client is going to label the download with (ie
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1479 "file123/image.png" is nicer to download than "file123"). This
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1480 raises a SendFile exception.(*)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1481
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1482 Both of the "*" types of contexts stop before we bother to
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1483 determine the template we're going to use. That's because they
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1484 don't actually use templates.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1485
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1486 The template used is specified by the :template CGI variable,
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1487 which defaults to:
1053
b28393def972 more explanatory docsting
Richard Jones <richard@users.sourceforge.net>
parents: 1051
diff changeset
1488
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1489 - only classname suplied: "index"
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1490 - full item designator supplied: "item"
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1491
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1492 We set:
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1493
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1494 self.classname - the class to display, can be None
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1495
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1496 self.template - the template to render the current context with
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2004
diff changeset
1497
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1498 self.nodeid - the nodeid of the class we're displaying
1937
4c850112895b Some reformatting and fixing docstrings for emacs.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1936
diff changeset
1499 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1500 # default the optional variables
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1501 self.classname = None
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1502 self.nodeid = None
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1503
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1504 # see if a template or messages are specified
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1505 template_override = ok_message = error_message = None
4801
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1506 try:
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1507 keys = self.form.keys()
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1508 except TypeError:
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1509 keys = ()
bff9e4145f70 Fix another instance of a TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4800
diff changeset
1510 for key in keys:
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1511 if self.FV_TEMPLATE.match(key):
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1512 template_override = self.form[key].value
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1513 elif self.FV_OK_MESSAGE.match(key):
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1514 ok_message = self.form[key].value
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1515 elif self.FV_ERROR_MESSAGE.match(key):
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1516 error_message = self.form[key].value
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1517
1977
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
1518 # see if we were passed in a message
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
1519 if ok_message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1520 self.add_ok_message(ok_message)
1977
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
1521 if error_message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1522 self.add_error_message(error_message)
1977
f96592a7c357 changes to support the new templating Unauthorised exception.
Richard Jones <richard@users.sourceforge.net>
parents: 1973
diff changeset
1523
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1524 # determine the classname and possibly nodeid
1157
26c8cb2162d7 fixed various URL / base URL issues
Richard Jones <richard@users.sourceforge.net>
parents: 1153
diff changeset
1525 path = self.path.split('/')
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1526 if not path or path[0] in ('', 'home', 'index'):
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1527 if template_override is not None:
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1528 self.template = template_override
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1529 else:
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1530 self.template = ''
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1531 return
1911
f5c804379c85 fixed ZRoundup - mostly changes to classic template
Richard Jones <richard@users.sourceforge.net>
parents: 1905
diff changeset
1532 elif path[0] in ('_file', '@@file'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1533 raise SendStaticFile(os.path.join(*path[1:]))
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1534 else:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1535 self.classname = path[0]
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1536 if len(path) > 1:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1537 # send the file identified by the designator in path[0]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1538 raise SendFile(path[0])
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1539
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1540 # see if we got a designator
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1541 m = dre.match(self.classname)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1542 if m:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1543 self.classname = m.group(1)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1544 self.nodeid = m.group(2)
3494
5a56abcf1b22 catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents: 3453
diff changeset
1545 try:
5a56abcf1b22 catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents: 3453
diff changeset
1546 klass = self.db.getclass(self.classname)
5a56abcf1b22 catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents: 3453
diff changeset
1547 except KeyError:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1548 raise NotFound('%s/%s'%(self.classname, self.nodeid))
5555
7b663b588292 Don't pass huge itemids into the backend.
martin.v.loewis <martin.v.loewis>
parents: 5554
diff changeset
1549 if int(self.nodeid) > 2**31:
7b663b588292 Don't pass huge itemids into the backend.
martin.v.loewis <martin.v.loewis>
parents: 5554
diff changeset
1550 # Postgres will complain with a ProgrammingError
7b663b588292 Don't pass huge itemids into the backend.
martin.v.loewis <martin.v.loewis>
parents: 5554
diff changeset
1551 # if we try to pass in numbers that are too large
5556
d75aa88c2a99 Added RestInstance and calling rest from client.py
Chau Nguyen <dangchau1991@yahoo.com>
parents: 5555
diff changeset
1552 raise NotFound('%s/%s'%(self.classname, self.nodeid))
3494
5a56abcf1b22 catch bad classname in URL (related to [SF#1240541])
Richard Jones <richard@users.sourceforge.net>
parents: 3453
diff changeset
1553 if not klass.hasnode(self.nodeid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1554 raise NotFound('%s/%s'%(self.classname, self.nodeid))
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1555 # with a designator, we default to item view
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1556 self.template = 'item'
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1557 else:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1558 # with only a class, we default to index view
1041
c28603c9f831 Class help and generic class editing done.
Richard Jones <richard@users.sourceforge.net>
parents: 1029
diff changeset
1559 self.template = 'index'
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1560
1288
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1561 # make sure the classname is valid
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1562 try:
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1563 self.db.getclass(self.classname)
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1564 except KeyError:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1565 raise NotFound(self.classname)
1288
ad8de51d7cd5 handle "classname" URL path errors cleaner (generate a 404)
Richard Jones <richard@users.sourceforge.net>
parents: 1277
diff changeset
1566
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1567 # see if we have a template override
1420
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1568 if template_override is not None:
3ac43c62a250 implemented extension to form parsing...
Richard Jones <richard@users.sourceforge.net>
parents: 1417
diff changeset
1569 self.template = template_override
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1570
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1571 def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1572 """ Serve the file from the content property of the designated item.
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1573 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1574 m = dre.match(str(designator))
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1575 if not m:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1576 raise NotFound(str(designator))
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1577 classname, nodeid = m.group(1), m.group(2)
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1578
4263
bd000a1e9a57 Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4224
diff changeset
1579 try:
bd000a1e9a57 Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4224
diff changeset
1580 klass = self.db.getclass(classname)
bd000a1e9a57 Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4224
diff changeset
1581 except KeyError:
bd000a1e9a57 Robustify web interface.
Stefan Seefeld <stefan@seefeld.name>
parents: 4224
diff changeset
1582 # The classname was not valid.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1583 raise NotFound(str(designator))
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1584
4326
d51a9c498dc4 Fix "Web Access" permission check to allow serving of static files to Anonymous again
Richard Jones <richard@users.sourceforge.net>
parents: 4291
diff changeset
1585 # perform the Anonymous user access check
4327
095d92109cc7 allow Anonymous users to log in, and register
Richard Jones <richard@users.sourceforge.net>
parents: 4326
diff changeset
1586 self.check_anonymous_access()
1946
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1587
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1588 # make sure we have the appropriate properties
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1589 props = klass.getprops()
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1590 if 'type' not in props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1591 raise NotFound(designator)
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1592 if 'content' not in props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1593 raise NotFound(designator)
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1594
2870
795cdba40c05 enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents: 2864
diff changeset
1595 # make sure we have permission
795cdba40c05 enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents: 2864
diff changeset
1596 if not self.db.security.hasPermission('View', self.userid,
795cdba40c05 enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents: 2864
diff changeset
1597 classname, 'content', nodeid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1598 raise Unauthorised(self._("You are not allowed to view "
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1599 "this file."))
2870
795cdba40c05 enforce View Permission when serving file content [SF#1050470]
Richard Jones <richard@users.sourceforge.net>
parents: 2864
diff changeset
1600
4962
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1601
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1602 # --- mime-type security
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1603 # mime type detection is performed in cgi.form_parser
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1604
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1605 # everything not here is served as 'application/octet-stream'
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1606 whitelist = [
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1607 'text/plain',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1608 'text/x-csrc', # .c
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1609 'text/x-chdr', # .h
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1610 'text/x-patch', # .patch and .diff
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1611 'text/x-python', # .py
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1612 'text/xml',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1613 'text/csv',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1614 'text/css',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1615 'application/pdf',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1616 'image/gif',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1617 'image/jpeg',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1618 'image/png',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1619 'image/webp',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1620 'audio/ogg',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1621 'video/webm',
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1622 ]
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1623
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1624 if self.instance.config['WEB_ALLOW_HTML_FILE']:
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1625 whitelist.append('text/html')
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1626
4530
c1c395058dee issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents: 4523
diff changeset
1627 try:
c1c395058dee issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents: 4523
diff changeset
1628 mime_type = klass.get(nodeid, 'type')
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1629 except IndexError as e:
4530
c1c395058dee issue2550715: IndexError when requesting non-existing file via http.
Bernhard Reiter <Bernhard.Reiter@intevation.de>
parents: 4523
diff changeset
1630 raise NotFound(e)
4291
b1772fdb09d0 Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4265
diff changeset
1631 # Can happen for msg class:
b1772fdb09d0 Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4265
diff changeset
1632 if not mime_type:
b1772fdb09d0 Fix traceback on .../msgN/ url...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4265
diff changeset
1633 mime_type = 'text/plain'
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1634
4962
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1635 if mime_type not in whitelist:
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1636 mime_type = 'application/octet-stream'
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1637
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1638 # --/ mime-type security
63c31b18b955 Fix issue 2550848: HTML attachments should not be served as text/html
anatoly techtonik <techtonik@gmail.com>
parents: 4919
diff changeset
1639
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1640
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1641 # If this object is a file (i.e., an instance of FileClass),
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1642 # see if we can find it in the filesystem. If so, we may be
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1643 # able to use the more-efficient request.sendfile method of
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1644 # sending the file. If not, just get the "content" property
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1645 # in the usual way, and use that.
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1646 content = None
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1647 filename = None
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1648 if isinstance(klass, hyperdb.FileClass):
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1649 try:
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1650 filename = self.db.filename(classname, nodeid)
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1651 except AttributeError:
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1652 # The database doesn't store files in the filesystem
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1653 # and therefore doesn't provide the "filename" method.
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1654 pass
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1655 except IOError:
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1656 # The file does not exist.
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1657 pass
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1658 if not filename:
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1659 content = klass.get(nodeid, 'content')
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1660
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1661 lmt = klass.get(nodeid, 'activity').timestamp()
1946
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1662
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1663 self._serve_file(lmt, mime_type, content, filename)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1664
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1665 def serve_static_file(self, file):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1666 """ Serve up the file named from the templates dir
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1667 """
2864
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1668 # figure the filename - try STATIC_FILES, then TEMPLATES dir
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1669 for dir_option in ('STATIC_FILES', 'TEMPLATES'):
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1670 prefix = self.instance.config[dir_option]
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1671 if not prefix:
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1672 continue
5613
0a8f0fddc2ae Support non-ASCII prefixes in instance config for finding static files (issue2551022).
Cédric Krier <cedric.krier@b2ck.com>
parents: 5608
diff changeset
1673 if is_us(prefix):
5231
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1674 # prefix can be a string or list depending on
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1675 # option. Make it a list to iterate over.
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1676 prefix = [ prefix ]
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1677
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1678 for p in prefix:
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1679 # if last element of STATIC_FILES ends with '/-',
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1680 # we failed to find the file and we should
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1681 # not look in TEMPLATES. So raise exception.
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1682 if dir_option == 'STATIC_FILES' and p[-2:] == '/-':
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1683 raise NotFound(file)
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1684
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1685 # ensure the load doesn't try to poke outside
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1686 # of the static files directory
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1687 p = os.path.normpath(p)
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1688 filename = os.path.normpath(os.path.join(p, file))
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1689 if os.path.isfile(filename) and filename.startswith(p):
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1690 break # inner loop over list of directories
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1691 else:
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1692 # reset filename to None as sentinel for use below.
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1693 filename = None
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1694
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1695 # break out of outer loop over options
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1696 if filename:
2864
930e780c751f support STATIC_FILES directory in addition to TEMPLATES
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2853
diff changeset
1697 break
5231
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1698
8743b7226dc7 Fix issue with retreiving raw template files using the @@file mechanism.
John Rouillard <rouilj@ieee.org>
parents: 5220
diff changeset
1699 if filename is None: # we didn't find a filename
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1700 raise NotFound(file)
1946
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1701
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1702 # last-modified time
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1703 lmt = os.stat(filename)[stat.ST_MTIME]
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1704
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1705 # detemine meta-type
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1706 file = str(file)
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1707 mime_type = mimetypes.guess_type(file)[0]
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1708 if not mime_type:
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1709 if file.endswith('.css'):
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1710 mime_type = 'text/css'
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1711 else:
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1712 mime_type = 'text/plain'
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1713
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1714 self._serve_file(lmt, mime_type, '', filename)
1946
c538a64b94a7 Refactored CGI file serving so that FileClass contents are...
Richard Jones <richard@users.sourceforge.net>
parents: 1937
diff changeset
1715
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1716 def _serve_file(self, lmt, mime_type, content=None, filename=None):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1717 """ guts of serve_file() and serve_static_file()
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1718 """
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1719
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1720 # spit out headers
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1721 self.additional_headers['Content-Type'] = mime_type
4980
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
1722 self.additional_headers['Last-Modified'] = email.utils.formatdate(lmt)
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1723
1498
203f6a154b30 even better if-modified-since handling for cgi-bin
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1497
diff changeset
1724 ims = None
1469
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1725 # see if there's an if-modified-since...
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1726 # XXX see which interfaces set this
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1727 #if hasattr(self.request, 'headers'):
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
1728 #ims = self.request.headers.getheader('if-modified-since')
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1729 if 'HTTP_IF_MODIFIED_SINCE' in self.env:
1497
2704d8438823 better if-modified-since handling for cgi-bin
Richard Jones <richard@users.sourceforge.net>
parents: 1477
diff changeset
1730 # cgi will put the header in the env var
1469
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1731 ims = self.env['HTTP_IF_MODIFIED_SINCE']
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1732 if ims:
4980
13f8f88ad984 Replace rfc822 imports with email package (issue2550870)
John Kristensen <john@jerrykan.com>
parents: 4979
diff changeset
1733 ims = email.utils.parsedate(ims)[:6]
3800
75d3896929bb really fix the last-modified code
Richard Jones <richard@users.sourceforge.net>
parents: 3796
diff changeset
1734 lmtt = time.gmtime(lmt)[:6]
1469
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1735 if lmtt <= ims:
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1736 raise NotModified
79d8956de3f5 implemented last-modified and if-modified-since support
Richard Jones <richard@users.sourceforge.net>
parents: 1468
diff changeset
1737
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
1738 if filename:
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1739 self.write_file(filename)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1740 else:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1741 self.additional_headers['Content-Length'] = str(len(content))
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1742 self.write(content)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1743
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1744 def send_error_to_admin(self, subject, html, txt):
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1745 """Send traceback information to admin via email.
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1746 We send both, the formatted html (with more information) and
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1747 the text version of the traceback. We use
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1748 multipart/alternative so the receiver can chose which version
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1749 to display.
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1750 """
4264
b1e614c6759f Improve error reporting.
Stefan Seefeld <stefan@seefeld.name>
parents: 4263
diff changeset
1751 to = [self.mailer.config.ADMIN_EMAIL]
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1752 message = MIMEMultipart('alternative')
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1753 self.mailer.set_message_attributes(message, to, subject)
5518
db3a95f28b3c fixed typos in send_error_to_admin
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5493
diff changeset
1754 part = self.mailer.get_text_message('utf-8', 'html')
5493
725266c03eab updated mailgw to no longer use mimetools based on jerrykan's patch
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5488
diff changeset
1755 part.set_payload(html, part.get_charset())
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1756 message.attach(part)
5518
db3a95f28b3c fixed typos in send_error_to_admin
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5493
diff changeset
1757 part = self.mailer.get_text_message()
db3a95f28b3c fixed typos in send_error_to_admin
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5493
diff changeset
1758 part.set_payload(txt, part.get_charset())
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1759 message.attach(part)
4523
a03646a02f68 Fix issue2550691 where a Unix From-Header was sometimes inserted...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4384
diff changeset
1760 self.mailer.smtp_send(to, message.as_string())
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1761
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1762 def renderFrontPage(self, message):
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1763 """Return the front page of the tracker."""
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
1764
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1765 self.classname = self.nodeid = None
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1766 self.template = ''
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1767 self.add_error_message(message)
4265
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1768 self.write_html(self.renderContext())
e24a6ca34448 Improve login failure response.
Stefan Seefeld <stefan@seefeld.name>
parents: 4264
diff changeset
1769
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1770 def selectTemplate(self, name, view):
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1771 """ Choose existing template for the given combination of
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1772 classname (name parameter) and template request variable
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1773 (view parameter) and return its name.
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1774
5185
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1775 View can be a single template or two templates separated
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1776 by a vbar '|' character. If the Client object has a
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1777 non-empty _error_message attribute, the right hand
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1778 template (error template) will be used. If the
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1779 _error_message is empty, the left hand template (ok
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1780 template) will be used.
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1781
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1782 In most cases the name will be "classname.view", but
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1783 if "view" is None, then template name "classname" will
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1784 be returned.
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1785
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1786 If "classname.view" template doesn't exist, the
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1787 "_generic.view" is used as a fallback.
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1788
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1789 [ ] cover with tests
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1790 """
5185
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1791
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1792 # determine if view is oktmpl|errortmpl. If so assign the
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1793 # right one to the view parameter. If we don't have alternate
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1794 # templates, just leave view alone.
5188
8768a95c9a4f Small fix. Make sure view is defined before trying to find('|') in it.
John Rouillard <rouilj@ieee.org>
parents: 5185
diff changeset
1795 if (view and view.find('|') != -1 ):
5185
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1796 # we have alternate templates, parse them apart.
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1797 (oktmpl, errortmpl) = view.split("|", 2)
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1798 if self._error_message:
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1799 # we have an error, use errortmpl
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1800 view = errortmpl
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1801 else:
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1802 # no error message recorded, use oktmpl
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1803 view = oktmpl
349bef975367 Make @template support two alternate templates for error and ok cases.
John Rouillard <rouilj@ieee.org>
parents: 5166
diff changeset
1804
4739
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1805 loader = self.instance.templates
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1806
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1807 # if classname is not set, use "home" template
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1808 if name is None:
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1809 name = 'home'
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1810
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1811 tplname = name
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1812 if view:
5154
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1813 # Support subdirectories for templates. Value is path/to/VIEW
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1814 # or just VIEW if the template is in the html directory of
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1815 # the tracker.
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1816 slash_loc = view.rfind("/")
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1817 if slash_loc == -1:
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1818 # try plain class.view
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1819 tplname = '%s.%s' % (name, view)
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1820 else:
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1821 # try path/class.view
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1822 tplname = '%s/%s.%s'%(
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1823 view[:slash_loc], name, view[slash_loc+1:])
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1824
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1825 if loader.check(tplname):
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1826 return tplname
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1827
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1828 # rendering class/context with generic template for this view.
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1829 # with no view it's impossible to choose which generic template to use
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1830 if not view:
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1831 raise templating.NoTemplate('Template "%s" doesn\'t exist' % name)
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1832
5154
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1833 if slash_loc == -1:
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1834 generic = '_generic.%s' % view
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1835 else:
f608eeecf638 issue2550891: Allow subdir in template value. Anthony (antmail)
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1836 generic = '%s/_generic.%s' % (view[:slash_loc], view[slash_loc+1:])
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1837 if loader.check(generic):
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1838 return generic
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1839
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1840 raise templating.NoTemplate('No template file exists for templating '
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1841 '"%s" with template "%s" (neither "%s" nor "%s")' % (name, view,
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1842 tplname, generic))
4739
94be76e04140 templating: Move template selection logic from the template loaders
anatoly techtonik <techtonik@gmail.com>
parents: 4728
diff changeset
1843
1204
b862bbf2067a Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents: 1196
diff changeset
1844 def renderContext(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1845 """ Return a PageTemplate for the named page
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1846 """
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1847 tplname = self.selectTemplate(self.classname, self.template)
1204
b862bbf2067a Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents: 1196
diff changeset
1848
1103
db787cef1385 handled some XXXs
Richard Jones <richard@users.sourceforge.net>
parents: 1096
diff changeset
1849 # catch errors so we can handle PT rendering errors more nicely
1204
b862bbf2067a Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents: 1196
diff changeset
1850 args = {
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1851 'ok_message': self._ok_message,
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1852 'error_message': self._error_message
1204
b862bbf2067a Replaced the content() callback ickiness with Page Template macro usage
Richard Jones <richard@users.sourceforge.net>
parents: 1196
diff changeset
1853 }
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1854 try:
4740
fe9568a6cbd6 Untangle template selection logic from template loading functionality.
anatoly techtonik <techtonik@gmail.com>
parents: 4739
diff changeset
1855 pt = self.instance.templates.load(tplname)
1016
d6c13142e7b9 Keep a cache of compiled PageTemplates.
Richard Jones <richard@users.sourceforge.net>
parents: 1008
diff changeset
1856 # let the template render figure stuff out
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1857 result = pt.render(self, None, None, **args)
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1858 self.additional_headers['Content-Type'] = pt.content_type
2942
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1859 if self.env.get('CGI_SHOW_TIMING', ''):
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1860 if self.env['CGI_SHOW_TIMING'].upper() == 'COMMENT':
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1861 timings = {'starttag': '<!-- ', 'endtag': ' -->'}
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1862 else:
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1863 timings = {'starttag': '<p>', 'endtag': '</p>'}
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1864 timings['seconds'] = time.time()-self.start
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1865 s = self._('%(starttag)sTime elapsed: %(seconds)fs%(endtag)s\n'
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1866 ) % timings
2237
f624fc20f8fe added capturing of stats
Richard Jones <richard@users.sourceforge.net>
parents: 2233
diff changeset
1867 if hasattr(self.db, 'stats'):
2942
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1868 timings.update(self.db.stats)
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1869 s += self._("%(starttag)sCache hits: %(cache_hits)d,"
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1870 " misses %(cache_misses)d."
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1871 " Loading items: %(get_items)f secs."
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1872 " Filtering: %(filtering)f secs."
a50e4f7c9276 look for CGI_SHOW_TIMING in self.env instead of os.environ;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2940
diff changeset
1873 "%(endtag)s\n") % timings
2237
f624fc20f8fe added capturing of stats
Richard Jones <richard@users.sourceforge.net>
parents: 2233
diff changeset
1874 s += '</body>'
2230
ca2664e095be disable forking server when os.fork() not available [SF#938586]
Richard Jones <richard@users.sourceforge.net>
parents: 2183
diff changeset
1875 result = result.replace('</body>', s)
1967
d30cd44321f2 commit old file-serving bugfix, and new pt content-type fix
Richard Jones <richard@users.sourceforge.net>
parents: 1946
diff changeset
1876 return result
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1877 except templating.NoTemplate as message:
5802
0e6d45413e88 catching last couple of cgi.escape references.
John Rouillard <rouilj@ieee.org>
parents: 5775
diff changeset
1878 return '<strong>%s</strong>'%html_escape(str(message))
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1879 except templating.Unauthorised as message:
5802
0e6d45413e88 catching last couple of cgi.escape references.
John Rouillard <rouilj@ieee.org>
parents: 5775
diff changeset
1880 raise Unauthorised(html_escape(str(message)))
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1881 except:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1882 # everything else
4045
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1883 if self.instance.config.WEB_DEBUG:
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1884 return cgitb.pt_html(i18n=self.translator)
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1885 exc_info = sys.exc_info()
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1886 try:
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1887 # If possible, send the HTML page template traceback
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1888 # to the administrator.
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1889 subject = "Templating Error: %s" % exc_info[1]
4543
d16d9bf655d8 - fix handling of traceback mails to the roundup admin
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4530
diff changeset
1890 self.send_error_to_admin(subject, cgitb.pt_html(), format_exc())
4045
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1891 # Now report the error to the user.
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
1892 return self._(default_err_msg)
4045
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1893 except:
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1894 # Reraise the original exception. The user will
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1895 # receive an error message, and the adminstrator will
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1896 # receive a traceback, albeit with less information
82213b1971b4 Only feed back traceback to web users if config.WEB_DEBUG is True
Stefan Seefeld <stefan@seefeld.name>
parents: 4027
diff changeset
1897 # than the one we tried to generate above.
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1898 if sys.version_info[0] > 2:
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1899 raise exc_info[0](exc_info[1]).with_traceback(exc_info[2])
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1900 else:
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1901 exec('raise exc_info[0], exc_info[1], exc_info[2]')
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1902
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1903 # these are the actions that are available
2904
b1ad7add1a2c back out
Richard Jones <richard@users.sourceforge.net>
parents: 2903
diff changeset
1904 actions = (
5073
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1905 ('edit', actions.EditItemAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1906 ('editcsv', actions.EditCSVAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1907 ('new', actions.NewItemAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1908 ('register', actions.RegisterAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1909 ('confrego', actions.ConfRegoAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1910 ('passrst', actions.PassResetAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1911 ('login', actions.LoginAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1912 ('logout', actions.LogoutAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1913 ('search', actions.SearchAction),
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5079
diff changeset
1914 ('restore', actions.RestoreAction),
5073
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1915 ('retire', actions.RetireAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1916 ('show', actions.ShowAction),
d0aa596daca8 Remove 'import *' statement from cgi/client.py
John Kristensen <john@jerrykan.com>
parents: 5044
diff changeset
1917 ('export_csv', actions.ExportCSVAction),
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5608
diff changeset
1918 ('export_csv_id', actions.ExportCSVWithIdAction),
2904
b1ad7add1a2c back out
Richard Jones <richard@users.sourceforge.net>
parents: 2903
diff changeset
1919 )
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1920 def handle_action(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1921 """ Determine whether there should be an Action called.
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1922
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1923 The action is defined by the form variable :action which
1477
ed725179953d Added password reset facility for forgotten passwords.
Richard Jones <richard@users.sourceforge.net>
parents: 1472
diff changeset
1924 identifies the method on this object to call. The actions
2904
b1ad7add1a2c back out
Richard Jones <richard@users.sourceforge.net>
parents: 2903
diff changeset
1925 are defined in the "actions" sequence on this class.
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1926
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1927 Actions may return a page (by default HTML) to return to the
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1928 user, bypassing the usual template rendering.
3388
0c66acaea802 present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents: 3356
diff changeset
1929
0c66acaea802 present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents: 3356
diff changeset
1930 We explicitly catch Reject and ValueError exceptions and
0c66acaea802 present Reject exception messages to web users [SF#1237685]
Richard Jones <richard@users.sourceforge.net>
parents: 3356
diff changeset
1931 present their messages to the user.
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
1932 """
4804
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1933 action = None
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1934 try:
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1935 if ':action' in self.form:
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1936 action = self.form[':action']
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1937 elif '@action' in self.form:
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1938 action = self.form['@action']
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1939 except TypeError:
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1940 pass
bc4144417861 More fixes for form TypeError
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4802
diff changeset
1941 if action is None:
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1942 return None
2638
18e86941c950 Load up extensions in the tracker "extensions" directory.
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1943
4367
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1944 if isinstance(action, list):
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1945 raise SeriousError('broken form: multiple @action values submitted')
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1946 else:
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1947 action = action.value.lower()
fa5587802af9 Handle multiple @action values from broken trackers
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1948
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1949 try:
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1950 action_klass = self.get_action_class(action)
2019
8fab5d394f22 Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2018
diff changeset
1951
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1952 # call the mapped action
2019
8fab5d394f22 Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2018
diff changeset
1953 if isinstance(action_klass, type('')):
8fab5d394f22 Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2018
diff changeset
1954 # old way of specifying actions
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1955 return getattr(self, action_klass)()
2019
8fab5d394f22 Call actions in a different way so we won't hide any bad TypeErrors.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2018
diff changeset
1956 else:
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1957 return action_klass(self).execute()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1958 except (ValueError, Reject) as err:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4980
diff changeset
1959 escape = not isinstance(err, RejectRaw)
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4980
diff changeset
1960 self.add_error_message(str(err), escape=escape)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1961
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1962 def get_action_class(self, action_name):
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1963 if (hasattr(self.instance, 'cgi_actions') and
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
1964 action_name in self.instance.cgi_actions):
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1965 # tracker-defined action
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1966 action_klass = self.instance.cgi_actions[action_name]
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1967 else:
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1968 # go with a default
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1969 for name, action_klass in self.actions:
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1970 if name == action_name:
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1971 break
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1972 else:
5802
0e6d45413e88 catching last couple of cgi.escape references.
John Rouillard <rouilj@ieee.org>
parents: 5775
diff changeset
1973 raise ValueError('No such action "%s"'%html_escape(action_name))
2948
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1974 return action_klass
deda13909085 factor out get_action_class so it may be called from other places
Richard Jones <richard@users.sourceforge.net>
parents: 2947
diff changeset
1975
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1976 def _socket_op(self, call, *args, **kwargs):
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1977 """Execute socket-related operation, catch common network errors
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1978
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1979 Parameters:
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1980 call: a callable to execute
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1981 args, kwargs: call arguments
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1982
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1983 """
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1984 try:
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1985 call(*args, **kwargs)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
1986 except socket.error as err:
3807
c27aafab067d Band-aid over handling of netework errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3800
diff changeset
1987 err_errno = getattr (err, 'errno', None)
3808
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1988 if err_errno is None:
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1989 try:
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1990 err_errno = err[0]
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1991 except TypeError:
36eb9e8faf30 Real handling of network errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3807
diff changeset
1992 pass
3807
c27aafab067d Band-aid over handling of netework errors.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3800
diff changeset
1993 if err_errno not in self.IGNORE_NET_ERRORS:
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
1994 raise
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1995 except IOError:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1996 # Apache's mod_python will raise IOError -- without an
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1997 # accompanying errno -- when a write to the client fails.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1998 # A common case is that the client has closed the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
1999 # connection. There's no way to be certain that this is
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2000 # the situation that has occurred here, but that is the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2001 # most likely case.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2002 pass
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
2003
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2004 def write(self, content):
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2005 if not self.headers_done:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2006 self.header()
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
2007 if self.env['REQUEST_METHOD'] != 'HEAD':
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
2008 self._socket_op(self.request.wfile.write, content)
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2009
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2010 def write_html(self, content):
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2011 if not self.headers_done:
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2012 # at this point, we are sure about Content-Type
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2013 if 'Content-Type' not in self.additional_headers:
3867
2563ddf71cd7 Enabled over-riding of content-type in web interface (thanks John Mitchell)
Richard Jones <richard@users.sourceforge.net>
parents: 3808
diff changeset
2014 self.additional_headers['Content-Type'] = \
2563ddf71cd7 Enabled over-riding of content-type in web interface (thanks John Mitchell)
Richard Jones <richard@users.sourceforge.net>
parents: 3808
diff changeset
2015 'text/html; charset=%s' % self.charset
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2016 self.header()
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
2017
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
2018 if self.env['REQUEST_METHOD'] == 'HEAD':
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
2019 # client doesn't care about content
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
2020 return
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
2021
5437
a1971da1c5da Python 3 preparation: send bytes to socket in cgi/client.py.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5430
diff changeset
2022 if sys.version_info[0] > 2:
5524
674ad58667b4 Support actions returning binary data with Python 3.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5518
diff changeset
2023 # An action setting appropriate headers for a non-HTML
674ad58667b4 Support actions returning binary data with Python 3.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5518
diff changeset
2024 # response may return a bytes object directly.
674ad58667b4 Support actions returning binary data with Python 3.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5518
diff changeset
2025 if not isinstance(content, bytes):
674ad58667b4 Support actions returning binary data with Python 3.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5518
diff changeset
2026 content = content.encode(self.charset, 'xmlcharrefreplace')
5437
a1971da1c5da Python 3 preparation: send bytes to socket in cgi/client.py.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5430
diff changeset
2027 elif self.charset != self.STORAGE_CHARSET:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2028 # recode output
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2029 content = content.decode(self.STORAGE_CHARSET, 'replace')
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2030 content = content.encode(self.charset, 'xmlcharrefreplace')
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
2031
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2565
diff changeset
2032 # and write
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
2033 self._socket_op(self.request.wfile.write, content)
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2034
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2035 def http_strip(self, content):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2036 """Remove HTTP Linear White Space from 'content'.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2037
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2038 'content' -- A string.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2039
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2040 returns -- 'content', with all leading and trailing LWS
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2041 removed."""
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2042
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2043 # RFC 2616 2.2: Basic Rules
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2044 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2045 # LWS = [CRLF] 1*( SP | HT )
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2046 return content.strip(" \r\n\t")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2047
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2048 def http_split(self, content):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2049 """Split an HTTP list.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2050
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2051 'content' -- A string, giving a list of items.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2052
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2053 returns -- A sequence of strings, containing the elements of
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2054 the list."""
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2055
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2056 # RFC 2616 2.1: Augmented BNF
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2057 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2058 # Grammar productions of the form "#rule" indicate a
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2059 # comma-separated list of elements matching "rule". LWS
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2060 # is then removed from each element, and empty elements
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2061 # removed.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2062
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2063 # Split at commas.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2064 elements = content.split(",")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2065 # Remove linear whitespace at either end of the string.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2066 elements = [self.http_strip(e) for e in elements]
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2067 # Remove any now-empty elements.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2068 return [e for e in elements if e]
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
2069
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2070 def handle_range_header(self, length, etag):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2071 """Handle the 'Range' and 'If-Range' headers.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2072
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2073 'length' -- the length of the content available for the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2074 resource.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2075
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2076 'etag' -- the entity tag for this resources.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2077
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2078 returns -- If the request headers (including 'Range' and
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2079 'If-Range') indicate that only a portion of the entity should
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2080 be returned, then the return value is a pair '(offfset,
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2081 length)' indicating the first byte and number of bytes of the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2082 content that should be returned to the client. In addition,
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2083 this method will set 'self.response_code' to indicate Partial
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2084 Content. In all other cases, the return value is 'None'. If
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2085 appropriate, 'self.response_code' will be
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2086 set to indicate 'REQUESTED_RANGE_NOT_SATISFIABLE'. In that
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2087 case, the caller should not send any data to the client."""
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2088
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2089 # RFC 2616 14.35: Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2090 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2091 # See if the Range header is present.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2092 ranges_specifier = self.env.get("HTTP_RANGE")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2093 if ranges_specifier is None:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2094 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2095 # RFC 2616 14.27: If-Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2096 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2097 # Check to see if there is an If-Range header.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2098 # Because the specification says:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2099 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2100 # The If-Range header ... MUST be ignored if the request
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2101 # does not include a Range header, we check for If-Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2102 # after checking for Range.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2103 if_range = self.env.get("HTTP_IF_RANGE")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2104 if if_range:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2105 # The grammar for the If-Range header is:
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
2106 #
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2107 # If-Range = "If-Range" ":" ( entity-tag | HTTP-date )
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2108 # entity-tag = [ weak ] opaque-tag
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2109 # weak = "W/"
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2110 # opaque-tag = quoted-string
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2111 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2112 # We only support strong entity tags.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2113 if_range = self.http_strip(if_range)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2114 if (not if_range.startswith('"')
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2115 or not if_range.endswith('"')):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2116 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2117 # If the condition doesn't match the entity tag, then we
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2118 # must send the client the entire file.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2119 if if_range != etag:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2120 return
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2121 # The grammar for the Range header value is:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2122 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2123 # ranges-specifier = byte-ranges-specifier
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2124 # byte-ranges-specifier = bytes-unit "=" byte-range-set
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2125 # byte-range-set = 1#( byte-range-spec | suffix-byte-range-spec )
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2126 # byte-range-spec = first-byte-pos "-" [last-byte-pos]
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2127 # first-byte-pos = 1*DIGIT
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2128 # last-byte-pos = 1*DIGIT
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2129 # suffix-byte-range-spec = "-" suffix-length
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2130 # suffix-length = 1*DIGIT
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2131 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2132 # Look for the "=" separating the units from the range set.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2133 specs = ranges_specifier.split("=", 1)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2134 if len(specs) != 2:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2135 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2136 # Check that the bytes-unit is in fact "bytes". If it is not,
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2137 # we do not know how to process this range.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2138 bytes_unit = self.http_strip(specs[0])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2139 if bytes_unit != "bytes":
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2140 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2141 # Seperate the range-set into range-specs.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2142 byte_range_set = self.http_strip(specs[1])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2143 byte_range_specs = self.http_split(byte_range_set)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2144 # We only handle exactly one range at this time.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2145 if len(byte_range_specs) != 1:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2146 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2147 # Parse the spec.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2148 byte_range_spec = byte_range_specs[0]
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2149 pos = byte_range_spec.split("-", 1)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2150 if len(pos) != 2:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2151 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2152 # Get the first and last bytes.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2153 first = self.http_strip(pos[0])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2154 last = self.http_strip(pos[1])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2155 # We do not handle suffix ranges.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2156 if not first:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2157 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2158 # Convert the first and last positions to integers.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2159 try:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2160 first = int(first)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2161 if last:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2162 last = int(last)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2163 else:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2164 last = length - 1
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2165 except:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2166 # The positions could not be parsed as integers.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2167 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2168 # Check that the range makes sense.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2169 if (first < 0 or last < 0 or last < first):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2170 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2171 if last >= length:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2172 # RFC 2616 10.4.17: 416 Requested Range Not Satisfiable
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2173 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2174 # If there is an If-Range header, RFC 2616 says that we
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2175 # should just ignore the invalid Range header.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2176 if if_range:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2177 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2178 # Return code 416 with a Content-Range header giving the
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2179 # allowable range.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2180 self.response_code = http_.client.REQUESTED_RANGE_NOT_SATISFIABLE
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2181 self.setHeader("Content-Range", "bytes */%d" % length)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2182 return None
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2183 # RFC 2616 10.2.7: 206 Partial Content
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2184 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2185 # Tell the client that we are honoring the Range request by
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2186 # indicating that we are providing partial content.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2187 self.response_code = http_.client.PARTIAL_CONTENT
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2188 # RFC 2616 14.16: Content-Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2189 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2190 # Tell the client what data we are providing.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2191 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2192 # content-range-spec = byte-content-range-spec
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2193 # byte-content-range-spec = bytes-unit SP
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2194 # byte-range-resp-spec "/"
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2195 # ( instance-length | "*" )
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2196 # byte-range-resp-spec = (first-byte-pos "-" last-byte-pos)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2197 # | "*"
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2198 # instance-length = 1 * DIGIT
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2199 self.setHeader("Content-Range",
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2200 "bytes %d-%d/%d" % (first, last, length))
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2201 return (first, last - first + 1)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2202
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2203 def write_file(self, filename):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2204 """Send the contents of 'filename' to the user."""
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2205
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2206 # Determine the length of the file.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2207 stat_info = os.stat(filename)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2208 length = stat_info[stat.ST_SIZE]
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2209 # Assume we will return the entire file.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2210 offset = 0
4648
e645820e8556 Clean up whitespace in client.py
Ezio Melotti <ezio.melotti@gmail.com>
parents: 4640
diff changeset
2211 # If the headers have not already been finalized,
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2212 if not self.headers_done:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2213 # RFC 2616 14.19: ETag
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2214 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2215 # Compute the entity tag, in a format similar to that
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2216 # used by Apache.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2217 etag = '"%x-%x-%x"' % (stat_info[stat.ST_INO],
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2218 length,
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2219 stat_info[stat.ST_MTIME])
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2220 self.setHeader("ETag", etag)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2221 # RFC 2616 14.5: Accept-Ranges
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2222 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2223 # Let the client know that we will accept range requests.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2224 self.setHeader("Accept-Ranges", "bytes")
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2225 # RFC 2616 14.35: Range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2226 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2227 # If there is a Range header, we may be able to avoid
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2228 # sending the entire file.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2229 content_range = self.handle_range_header(length, etag)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2230 if content_range:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2231 offset, length = content_range
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2232 # RFC 2616 14.13: Content-Length
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2233 #
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2234 # Tell the client how much data we are providing.
4145
c15fcee3d8a1 Fix issue2550552.
Stefan Seefeld <stefan@seefeld.name>
parents: 4114
diff changeset
2235 self.setHeader("Content-Length", str(length))
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2236 # Send the HTTP header.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2237 self.header()
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2238 # If the client doesn't actually want the body, or if we are
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2239 # indicating an invalid range.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2240 if (self.env['REQUEST_METHOD'] == 'HEAD'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2241 or self.response_code == http_.client.REQUESTED_RANGE_NOT_SATISFIABLE):
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2242 return
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2243 # Use the optimized "sendfile" operation, if possible.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2244 if hasattr(self.request, "sendfile"):
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2245 self._socket_op(self.request.sendfile, filename, offset, length)
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2246 return
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2247 # Fallback to the "write" operation.
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2248 f = open(filename, 'rb')
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2249 try:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2250 if offset:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2251 f.seek(offset)
4077
7d19ed05baa6 Fix issue2550517
Stefan Seefeld <stefan@seefeld.name>
parents: 4065
diff changeset
2252 content = f.read(length)
4064
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2253 finally:
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2254 f.close()
662cd78df973 Add support for resuming (file) downloads.
Stefan Seefeld <stefan@seefeld.name>
parents: 4047
diff changeset
2255 self.write(content)
4047
e70643990e9c Support the use of sendfile() for file transfer, if available.
Stefan Seefeld <stefan@seefeld.name>
parents: 4046
diff changeset
2256
2046
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
2257 def setHeader(self, header, value):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2258 """Override a header to be returned to the user's browser.
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2259 """
2046
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
2260 self.additional_headers[header] = value
f913b6beac35 document and make easier the actions-returning-content idiom
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
2261
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
2262 def header(self, headers=None, response=None):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2263 """Put up the appropriate header.
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2264 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2265 if headers is None:
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2266 headers = {'Content-Type':'text/html; charset=utf-8'}
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
2267 if response is None:
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
2268 response = self.response_code
1130
89bd02ffe4af tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents: 1129
diff changeset
2269
89bd02ffe4af tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents: 1129
diff changeset
2270 # update with additional info
1120
c26471971d18 Exposed the Batch mechanism through the top-level "utils" variable.
Richard Jones <richard@users.sourceforge.net>
parents: 1103
diff changeset
2271 headers.update(self.additional_headers)
1130
89bd02ffe4af tell clients/caches not to cache our dynamic bits
Richard Jones <richard@users.sourceforge.net>
parents: 1129
diff changeset
2272
2279
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2273 if headers.get('Content-Type', 'text/html') == 'text/html':
297e46e22e04 implemented HTTP charset negotiation.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2248
diff changeset
2274 headers['Content-Type'] = 'text/html; charset=utf-8'
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2275
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2276 headers = list(headers.items())
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2277
5395
23b8e6067f7c Python 3 preparation: update calls to dict methods.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
2278 for ((path, name), (value, expire)) in self._cookies.items():
3548
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
2279 cookie = "%s=%s; Path=%s;"%(name, value, path)
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
2280 if expire is not None:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4344
diff changeset
2281 cookie += " expires=%s;"%get_cookie_date(expire)
4586
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2282 # mark as secure if https, see issue2550689
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2283 if self.secure:
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2284 cookie += " secure;"
5212
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5211
diff changeset
2285 ssc = self.db.config['WEB_SAMESITE_COOKIE_SETTING']
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5211
diff changeset
2286 if ssc != "None":
d4cc71beb102 Added support for SameSite cookie option for CSRF prevention
John Rouillard <rouilj@ieee.org>
parents: 5211
diff changeset
2287 cookie += " SameSite=%s;"%ssc
4586
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2288 # prevent theft of session cookie, see issue2550689
b21bb66de6ff Mark cookies HttpOnly and -- if https is used -- secure.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4578
diff changeset
2289 cookie += " HttpOnly;"
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2290 headers.append(('Set-Cookie', cookie))
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2291
3760
b8f52d030f1a ignore common network errors, like "Connection reset by peer"
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3736
diff changeset
2292 self._socket_op(self.request.start_response, headers, response)
3736
a2d22d0de0bc WSGI support via roundup.cgi.wsgi_handler
Richard Jones <richard@users.sourceforge.net>
parents: 3687
diff changeset
2293
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2294 self.headers_done = 1
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2295 if self.debug:
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2296 self.headers_sent = headers
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2297
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2298 def add_cookie(self, name, value, expire=86400*365, path=None):
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2299 """Set a cookie value to be sent in HTTP headers
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2300
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2301 Parameters:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2302 name:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2303 cookie name
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2304 value:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2305 cookie value
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2306 expire:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2307 cookie expiration time (seconds).
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2308 If value is empty (meaning "delete cookie"),
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2309 expiration time is forced in the past
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2310 and this argument is ignored.
3548
61d48244e7a8 login may now be for a single session
Richard Jones <richard@users.sourceforge.net>
parents: 3494
diff changeset
2311 If None, the cookie will expire at end-of-session.
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2312 If omitted, the cookie will be kept for a year.
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2313 path:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2314 cookie path (optional)
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2315
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2316 """
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2317 if path is None:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2318 path = self.cookie_path
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2319 if not value:
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2320 expire = -1
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3916
diff changeset
2321 self._cookies[(path, name)] = (value, expire)
2946
661028d24cd2 support for multiple cookie headers in single http response;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2942
diff changeset
2322
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2323 def make_user_anonymous(self):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2324 """ Make us anonymous
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2325
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2326 This method used to handle non-existence of the 'anonymous'
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2327 user, but that user is mandatory now.
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2328 """
985
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2329 self.userid = self.db.user.lookup('anonymous')
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2330 self.user = 'anonymous'
55ab0c5b49f9 New CGI interface support
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2331
1801
9f9d35f3d8f7 Change the message asking for confirmation of registration...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1799
diff changeset
2332 def standard_message(self, to, subject, body, author=None):
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2333 """Send a standard email message from Roundup.
2248
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2334
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2335 "to" - recipients list
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2336 "subject" - Subject
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2337 "body" - Message
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2338 "author" - (name, address) tuple or None for admin email
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2339
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2340 Arguments are passed to the Mailer.standard_message code.
4065
1e28d58c6d1c Uniformly use """...""" instead of '''...''' for comments.
Stefan Seefeld <stefan@seefeld.name>
parents: 4064
diff changeset
2341 """
1799
071ea6fc803f Extracted duplicated mail-sending code...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1798
diff changeset
2342 try:
1801
9f9d35f3d8f7 Change the message asking for confirmation of registration...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 1799
diff changeset
2343 self.mailer.standard_message(to, subject, body, author)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5231
diff changeset
2344 except MessageSendError as e:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4851
diff changeset
2345 self.add_error_message(str(e))
2248
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2346 return 0
cd7e6d6288c6 fixed rego from email address [SF#947414]
Richard Jones <richard@users.sourceforge.net>
parents: 2246
diff changeset
2347 return 1
1467
378081f066cc registration is now a two-step process with confirmation from the
Richard Jones <richard@users.sourceforge.net>
parents: 1456
diff changeset
2348
2107
b7404a96b58a minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2082
diff changeset
2349 def parsePropsFromForm(self, create=0):
2010
1b11ffd8015e forward-porting of fixed edit action / parsePropsFromForm...
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
2350 return FormParser(self).parse(create=create)
1b11ffd8015e forward-porting of fixed edit action / parsePropsFromForm...
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
2351
2799
9605965569b0 disallow caching of pages with error and/or ok messages.
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2724
diff changeset
2352 # vim: set et sts=4 sw=4 :
Roundup Issue Tracker: http://roundup-tracker.org/