diff roundup/cgi/client.py @ 5211:f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
In client.py: add explicit expiration of csrf tokens to
handle_csrf. There is a clean_up() that runs on every client
connection before handle_csrf is invoked, but it only cleans every
hour. With short lived tokens this is insufficient. Also remove
debugging.
In templating.py fix values for seconds/week and minutes per week. The
original values were shifted/transposed and an order of magnitude off.
In test_templating.py again fix seconds/week constant.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 19 Mar 2017 17:10:13 -0400 |
| parents | 7da56980754d |
| children | d4cc71beb102 |
--- a/roundup/cgi/client.py Sun Mar 19 15:32:14 2017 -0400 +++ b/roundup/cgi/client.py Sun Mar 19 17:10:13 2017 -0400 @@ -1086,18 +1086,25 @@ logger.warning(self._("required csrf field missing for user%s"), user) return True + # Expire old csrf tokens now so we don't use them. These will + # be committed after the otks.destroy below. Note that the + # self.clean_up run as part of determine_user() will run only + # once an hour. If we have short lived (e.g. 5 minute) keys + # they will live too long if we depend on clean_up. So we do + # our own. + otks.clean() + key=self.form['@csrf'].value uid = otks.get(key, 'uid', default=None) sid = otks.get(key, 'sid', default=None) - if __debug__: - ts = otks.get(key, '__timestamp', default=None) - print("Found key %s for user%s sess: %s, ts %s, time %s"%(key, uid, sid, ts, time.time())) - current_session = self.session_api._sid - # The key has been used or compromised. Delete it to prevent replay. + # The key has been used or compromised. + # Delete it to prevent replay. otks.destroy(key) self.db.commit() + current_session = self.session_api._sid + ''' # I think now that LogoutAction redirects to # self.base ([tracker] web parameter in config.ini),
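Review bot: the new comment above `otks.clean()` says the expired keys "will be committed after the otks.destroy below", but the `otks.get(key, ...)` lookups sit between the clean and the `self.db.commit()`; if the code following those lookups returns early when `uid` or `sid` is `None` (which is exactly the case an expired token now produces), the cleanup is never committed on that path. Either commit right after `otks.clean()` or state in the comment that an uncommitted clean on the reject path is acceptable. A second point on the same lines: `otks.clean()` now runs a full one-time-key sweep on every request that carries an `@csrf` field, so the comment should also record the expected token lifetime it is meant to enforce and, if `clean()` uses a fixed age rather than the per-key lifetime, say so. Removing the `if __debug__:` print is welcome, since it wrote the csrf key and session id to stdout; the replacement comment "The key has been used or compromised. Delete it to prevent replay." could briefly mention that the delete happens before any use of `uid`/`sid`, which is what makes the replay protection hold.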
