comparison roundup/cgi/client.py @ 5211:f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
In client.py: add explicit expiration of csrf tokens to
handle_csrf. There is a clean_up() that runs on every client
connection before handle_csrf is invoked, but it only cleans every
hour. With short-lived tokens this is insufficient. Also remove
debugging.
In templating.py fix values for seconds/week and minutes per week. The
original values were shifted/transposed and an order of magnitude off.
In test_templating.py again fix seconds/week constant.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 19 Mar 2017 17:10:13 -0400 |
| parents | 7da56980754d |
| children | d4cc71beb102 |
| 5210:7da56980754d | 5211:f4b6a2a3e605 |
|---|---|
| 1084 if enforce == 'logfailure': | 1084 if enforce == 'logfailure': |
| 1085 # FIXME include url | 1085 # FIXME include url |
| 1086 logger.warning(self._("required csrf field missing for user%s"), user) | 1086 logger.warning(self._("required csrf field missing for user%s"), user) |
| 1087 return True | 1087 return True |
| 1088 | 1088 |
| 1089 # Expire old csrf tokens now so we don't use them. These will | |
| 1090 # be committed after the otks.destroy below. Note that the | |
| 1091 # self.clean_up run as part of determine_user() will run only | |
| 1092 # once an hour. If we have short lived (e.g. 5 minute) keys | |
| 1093 # they will live too long if we depend on clean_up. So we do | |
| 1094 # our own. | |
| 1095 otks.clean() | |
| 1096 | |
| 1089 key=self.form['@csrf'].value | 1097 key=self.form['@csrf'].value |
| 1090 uid = otks.get(key, 'uid', default=None) | 1098 uid = otks.get(key, 'uid', default=None) |
| 1091 sid = otks.get(key, 'sid', default=None) | 1099 sid = otks.get(key, 'sid', default=None) |
| 1092 if __debug__: | 1100 |
| 1093 ts = otks.get(key, '__timestamp', default=None) | 1101 # The key has been used or compromised. |
| 1094 print("Found key %s for user%s sess: %s, ts %s, time %s"%(key, uid, sid, ts, time.time())) | 1102 # Delete it to prevent replay. |
| 1095 current_session = self.session_api._sid | |
| 1096 | |
| 1097 # The key has been used or compromised. Delete it to prevent replay. | |
| 1098 otks.destroy(key) | 1103 otks.destroy(key) |
| 1099 self.db.commit() | 1104 self.db.commit() |
| 1105 | |
| 1106 current_session = self.session_api._sid | |
| 1100 | 1107 |
| 1101 ''' | 1108 ''' |
| 1102 # I think now that LogoutAction redirects to | 1109 # I think now that LogoutAction redirects to |
| 1103 # self.base ([tracker] web parameter in config.ini), | 1110 # self.base ([tracker] web parameter in config.ini), |
| 1104 # this code is not needed. However I am keeping it | 1111 # this code is not needed. However I am keeping it |
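Review bot: otks.clean() is now called before the otks.get(key, 'uid', ...) and otks.get(key, 'sid', ...) lookups, so a token that has just expired will come back with uid and sid both None; the comparison against current_session that follows (not shown in this hunk) must treat a None uid/sid as a failed check rather than as a match, and it is worth confirming that otks.destroy(key) at line 1103 does not raise when the key was already removed by clean() a few lines earlier. Since clean() now runs on every request that carries a @csrf field, the comment block at 1089-1094 should also say that this per-request sweep is acceptable, and the unchanged `key=self.form['@csrf'].value` could be written `key = self.form['@csrf'].value` to match the spacing of the surrounding assignments.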
