Mercurial Repository: p/roundup/code: roundup/cgi/client.py comparison

comparison roundup/cgi/client.py @ 5696:b67636bc87d0

Add CSRF protection to rest code path. Follow same model as for xmlrpc. The original rest code was developed before the CSRF code was added to xmlrpc.

author	John Rouillard <rouilj@ieee.org>
date	Sun, 07 Apr 2019 20:27:25 -0400
parents	f60c44563c3a
children	17e110426ad7

comparison

equal deleted inserted replaced

-:3e1b66c4e1e2
+:b67636bc87d0
 self.write(output)
 return
 self.check_anonymous_access()
-# Call rest library to handle the request
+try:
-handler = rest.RestfulInstance(self, self.db)
+# Call csrf with xmlrpc checks enabled.
-output = handler.dispatch(self.env['REQUEST_METHOD'], self.path,
+# It will return True if everything is ok,
-self.form)
+# raises exception on check failure.
+csrf_ok =  self.handle_csrf(xmlrpc=True)
+except (Unauthorised, UsageError) as msg:
+# report exception back to server
+exc_type, exc_value, exc_tb = sys.exc_info()
+# FIXME should return what the client requests
+# via accept header.
+output = s2b("%s: %s\n"%(exc_type, exc_value))
+self.response_code = 400
+self.setHeader("Content-Length", str(len(output)))
+self.setHeader("Content-Type", "text/plain")
+self.write(output)
+csrf_ok = False # we had an error, failed check
+return
+# With the return above the if will never be false,
+# Keeping the if so we can remove return to pass
+# output though  and format output according to accept
+# header.
+if csrf_ok == True:
+# Call rest library to handle the request
+handler = rest.RestfulInstance(self, self.db)
+output = handler.dispatch(self.env['REQUEST_METHOD'],
+self.path, self.form)
+# type header set by rest handler
 # self.setHeader("Content-Type", "text/xml")
 self.setHeader("Content-Length", str(len(output)))
 self.write(output)
 def add_ok_message(self, msg, escape=True):

Mercurial > p > roundup > code

comparison roundup/cgi/client.py @ 5696:b67636bc87d0