diff roundup/scripts/roundup_server.py @ 5629:8e3df461d316 maint-1.6

issue2551023: Fix CSRF headers for use with wsgi and cgi. The env variable array used '-' as the separator rather than '_'. Compare HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH; the latter is correct. Also fix roundup-server to produce the latter form. (Patch by Cédric Krier)
author John Rouillard <rouilj@ieee.org>
date Wed, 27 Feb 2019 21:47:39 -0500
parents 91954be46a66
children
--- a/roundup/scripts/roundup_server.py	Tue Feb 12 21:31:41 2019 -0500
+++ b/roundup/scripts/roundup_server.py	Wed Feb 27 21:47:39 2019 -0500
@@ -384,8 +384,8 @@
             # If behind a proxy, this is the hostname supplied
             # via the Host header to the proxy. Used by core code.
             # Controlled by the CSRF settings.
-            env['HTTP_X-FORWARDED-HOST'] = xfh
-        xff = self.headers.getheader('X-Forwarded-For', None)
+            env['HTTP_X_FORWARDED_HOST'] = xfh
+        xff = self.headers.get('X-Forwarded-For', None)
         if xff:
             # xff is a list of ip addresses for original client/proxies:
             # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
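Review bot: `self.headers.get('X-Forwarded-For', None)` on the new side yields a single value when a client or proxy sends the header more than once, and which occurrence that is depends on the header object: as far as I recall, Python 2's rfc822-style message keeps the last occurrence while Python 3's `email.message.Message.get` returns the first, so the same request can populate `HTTP_X_FORWARDED_FOR` differently across interpreters. Because these values feed the CSRF settings and IP-based extension checks mentioned in the comments, the comment block should say that duplicates are not merged and only one occurrence is propagated, e.g. `# Only one occurrence of the header is propagated; repeated headers are not merged.` The same applies to the `X-Forwarded-Proto` and `range` lookups in the following hunks. The explicit `None` default is also redundant and inconsistent with the `self.headers.get('Referer')` style used further down. The enclosing method starts before this hunk.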
@@ -394,8 +394,8 @@
             # Made available for extensions if the user trusts it.
             # E.g. you may wish to disable recaptcha validation extension
             # if the ip of the client matches 172.16.0.0.
-            env['HTTP_X-FORWARDED-FOR'] = xff
-        xfp = self.headers.getheader('X-Forwarded-Proto', None)
+            env['HTTP_X_FORWARDED_FOR'] = xff
+        xfp = self.headers.get('X-Forwarded-Proto', None)
         if xfp:
             # xfp is the protocol (http/https) seen by proxies in the
             # path of the request. I am not sure if there is only
@@ -408,8 +408,8 @@
             # May not be trustworthy. Do not use in core without
             # config option to control its use.
             # Made available for extensions if the user trusts it.
-            env['HTTP_X-FORWARDED-PROTO'] = xfp
-        if os.environ.has_key('CGI_SHOW_TIMING'):
+            env['HTTP_X_FORWARDED_PROTO'] = xfp
+        if 'CGI_SHOW_TIMING' in os.environ:
             env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
         env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
         referer = self.headers.get('Referer')
@@ -420,8 +420,8 @@
             env['HTTP_ORIGIN'] = origin
         xrw = self.headers.get('x-requested-with')
         if xrw:
-            env['HTTP_X-REQUESTED-WITH'] = xrw
-        range = self.headers.getheader('range')
+            env['HTTP_X_REQUESTED_WITH'] = xrw
+        range = self.headers.get('range')
         if range:
             env['HTTP_RANGE'] = range
 
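Review bot: `range = self.headers.get('range')` keeps a local that shadows the `range` builtin, which the Python 3 migration this commit is part of makes easier to trip over. Renaming it is a three-line change: `range_hdr = self.headers.get('range')`, `if range_hdr:`, `env['HTTP_RANGE'] = range_hdr`, assuming no later code in the method reads the local under its old name. The enclosing method may continue past the end of this hunk, so that assumption needs checking against the rest of the body.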
