comparison roundup/scripts/roundup_server.py @ 5629:8e3df461d316 maint-1.6
issue2551023: Fix CSRF headers for use with wsgi and cgi. The
env variable names used '-' separators rather than '_'. Compare
HTTP_X-REQUESTED-WITH with HTTP_X_REQUESTED_WITH; the latter is
correct. Also fix roundup-server to produce the latter form. (Patch
by Cédric Krier)
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 27 Feb 2019 21:47:39 -0500 |
| parents | 91954be46a66 |
| children |
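--- a/roundup/scripts/roundup_server.py
+++ b/roundup/scripts/roundup_server.py
@@ -382,22 +382,22 @@
         xfh = self.headers.getheader('X-Forwarded-Host', None)
         if xfh:
             # If behind a proxy, this is the hostname supplied
             # via the Host header to the proxy. Used by core code.
             # Controlled by the CSRF settings.
-            env['HTTP_X-FORWARDED-HOST'] = xfh
-        xff = self.headers.getheader('X-Forwarded-For', None)
+            env['HTTP_X_FORWARDED_HOST'] = xfh
+        xff = self.headers.get('X-Forwarded-For', None)
         if xff:
             # xff is a list of ip addresses for original client/proxies:
             # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
             # May not be trustworthy. Do not use in core without
             # config option to control its use.
             # Made available for extensions if the user trusts it.
             # E.g. you may wish to disable recaptcha validation extension
             # if the ip of the client matches 172.16.0.0.
-            env['HTTP_X-FORWARDED-FOR'] = xff
-        xfp = self.headers.getheader('X-Forwarded-Proto', None)
+            env['HTTP_X_FORWARDED_FOR'] = xff
+        xfp = self.headers.get('X-Forwarded-Proto', None)
         if xfp:
             # xfp is the protocol (http/https) seen by proxies in the
             # path of the request. I am not sure if there is only
             # one value or multiple, but I suspect multiple
             # is possible so:
@@ -406,24 +406,24 @@
             # client -> proxy1 -> proxy2 -> back end server
             # an proxy1 is an SSL terminator.
             # May not be trustworthy. Do not use in core without
             # config option to control its use.
             # Made available for extensions if the user trusts it.
-            env['HTTP_X-FORWARDED-PROTO'] = xfp
-        if os.environ.has_key('CGI_SHOW_TIMING'):
+            env['HTTP_X_FORWARDED_PROTO'] = xfp
+        if 'CGI_SHOW_TIMING' in os.environ:
             env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
         env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
         referer = self.headers.get('Referer')
         if referer:
             env['HTTP_REFERER'] = referer
         origin = self.headers.get('Origin')
         if origin:
             env['HTTP_ORIGIN'] = origin
         xrw = self.headers.get('x-requested-with')
         if xrw:
-            env['HTTP_X-REQUESTED-WITH'] = xrw
-        range = self.headers.getheader('range')
+            env['HTTP_X_REQUESTED_WITH'] = xrw
+        range = self.headers.get('range')
         if range:
             env['HTTP_RANGE'] = range
 
         # do the roundup thing
         tracker = self.get_tracker(tracker_name)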
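Review bot: Line 382 still reads `self.headers.getheader('X-Forwarded-Host', None)` while the sibling lookups at 388, 398 and 424 are switched to `.get(...)` in this commit, so the one forwarded header the CSRF checks depend on is the only one still fetched through the API the change is moving away from; it should become `xfh = self.headers.get('X-Forwarded-Host', None)`. The `has_key` → `in` change at 412 suggests the motivation is a Python 3 message class on which `getheader` presumably does not exist — worth confirming, but the inconsistency stands either way. The comment at 384–386 also lacks the "May not be trustworthy" caveat that 392–394 and 408–410 carry for X-Forwarded-For and X-Forwarded-Proto; a line such as `# Client-supplied unless a trusted proxy overwrites it; honoured only when the CSRF settings say so.` would make the trust boundary explicit for the value the core code consumes. The enclosing method starts before line 382 and continues past line 429.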
