Mercurial > p > roundup > code
view doc/_templates/layout.html @ 5201:a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
and
https://seclab.stanford.edu/websec/csrf/csrf.pdf
Basically implement Synchronizer (CSRF) Tokens per form on a page.
Single use (destroyed once used). Random input data for the token
includes:
system random implementation in python using /dev/urandom
(fallback to random based on timestamp as the seed. Not
as good, but should be ok for the short lifetime of the
token??)
the id (in cpython it's the memory address) of the object
requesting a token. In theory this depends on memory layout, the
history of the process (how many previous objects have been
allocated from the heap etc.) I claim without any proof that for
long running processes this is another source of randomness. For
short running processes with little activity it could be guessed.
last the floating point time.time() value is added. This may
only have 1 second resolution so may be guessable.
Hopefully for a short lived (2 week by default) token this is
sufficient. Also in the current implementation the user is notified when
validation fails and is told why. This allows the roundup admin to find
the log entry (at error level) and try to resolve the issue. In the
future user notification may change but for now this is probably best.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 18 Mar 2017 16:59:01 -0400 |
| parents | 515ab1749b14 |
| children | 9619d64c0351 |
line wrap: on
line source
{# _templates/layout.html ~~~~~~~~~~~~~~~~~~~~~~ Custom layout template for Roundup. #} {%- block doctype -%} <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> {%- endblock %} {%- macro relbar(class) %} <div class="related {{ class }}"> <ul> {%- for rellink in rellinks %} <li class="right" {% if loop.first %}style="margin-right: 10px"{% endif %}> <a href="{{ pathto(rellink[0]) }}" title="{{ rellink[1]|striptags }}" accesskey="{{ rellink[2] }}">{{ rellink[3] }}</a> {%- if not loop.first %}{{ reldelim2 }}{% endif %}</li> {%- endfor %} {%- block rootrellink %} <li><a href="{{ pathto(master_doc) }}">{{ shorttitle|e }}</a>{{ reldelim1 }}</li> {%- endblock %} {%- for parent in parents %} <li><a href="{{ parent.link|e }}" accesskey="U">{{ parent.title }}</a>{{ reldelim1 }}</li> {%- endfor %} {%- block relbaritems %} {% endblock %} </ul> </div> {%- endmacro %} {%- macro sidebar() %} {%- block sidebartoc %} {%- if display_toc %} <h3><a href="{{ pathto(master_doc) }}">{{ _('Table Of Contents') }}</a></h3> {{ toc }} {%- endif %} {%- endblock %} {%- block sidebarrel %} {%- if prev %} <h4>{{ _('Previous topic') }}</h4> <p class="topless"><a href="{{ prev.link|e }}" title="{{ _('previous chapter') }}">{{ prev.title }}</a></p> {%- endif %} {%- if next %} <h4>{{ _('Next topic') }}</h4> <p class="topless"><a href="{{ next.link|e }}" title="{{ _('next chapter') }}">{{ next.title }}</a></p> {%- endif %} {%- endblock %} {%- block sidebarsourcelink %} {%- if show_source and has_source and sourcename %} <h3>{{ _('This Page') }}</h3> <ul class="this-page-menu"> <li><a href="{{ pathto('_sources/' + sourcename, true)|e }}" rel="nofollow">{{ _('Show Source') }}</a></li> </ul> {%- endif %} {%- endblock %} {%- block sidebarsearch %} {%- if pagename != "search" %} <div id="searchbox" style="display: none"> <h3>{{ _('Quick search') }}</h3> <form class="search" action="{{ pathto('search') }}" method="get"> <input type="text" name="q" size="18" /> <input type="submit" value="{{ _('Go') }}" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> <p style="font-size: 90%">{{ _('Enter search terms or a module, class or function name.') }}</p> </div> <script type="text/javascript">$('#searchbox').show(0);</script> {%- endif %} {%- endblock %} {%- endmacro %} {%- macro css() %} <link rel="stylesheet" href="{{ pathto('_static/basic.css', 1) }}" type="text/css" /> <link rel="stylesheet" href="{{ pathto('_static/' + style, 1) }}" type="text/css" /> <link rel="stylesheet" href="{{ pathto('_static/pygments.css', 1) }}" type="text/css" /> {%- for cssfile in css_files %} <link rel="stylesheet" href="{{ pathto(cssfile, 1) }}" type="text/css" /> {%- endfor %} {%- endmacro %} <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> {{ metatags }} {%- if builder != 'htmlhelp' %} {%- set titlesuffix = " — " + docstitle|e %} {%- endif %} <title>{{ title|striptags }}{{ titlesuffix }}</title> {%- if builder == 'web' %} <link rel="stylesheet" href="{{ pathto('index') }}?do=stylesheet{% if in_admin_panel %}&admin=yes{% endif %}" type="text/css" /> {%- for link, type, title in page_links %} <link rel="alternate" type="{{ type|e(true) }}" title="{{ title|e(true) }}" href="{{ link|e(true) }}" /> {%- endfor %} {%- else %} {{ css() }} {%- endif %} {%- if builder != 'htmlhelp' %} <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '{{ pathto("", 1) }}', VERSION: '{{ release|e }}', COLLAPSE_MODINDEX: false, FILE_SUFFIX: '{{ file_suffix }}' }; </script> {%- for scriptfile in script_files %} <script type="text/javascript" src="{{ pathto(scriptfile, 1) }}"></script> {%- endfor %} {%- if use_opensearch %} <link rel="search" type="application/opensearchdescription+xml" title="{% trans docstitle=docstitle|e %}Search within {{ docstitle }}{% endtrans %}" href="{{ pathto('_static/opensearch.xml', 1) }}"/> {%- endif %} {%- if favicon %} <link rel="shortcut icon" href="{{ pathto('_static/' + favicon, 1) }}"/> {%- endif %} {%- endif %} {%- block linktags %} {%- if hasdoc('about') %} <link rel="author" title="{{ _('About these documents') }}" href="{{ pathto('about') }}" /> {%- endif %} <link rel="index" title="{{ _('Index') }}" href="{{ pathto('genindex') }}" /> <link rel="search" title="{{ _('Search') }}" href="{{ pathto('search') }}" /> {%- if hasdoc('copyright') %} <link rel="copyright" title="{{ _('Copyright') }}" href="{{ pathto('copyright') }}" /> {%- endif %} <link rel="top" title="{{ docstitle|e }}" href="{{ pathto('index') }}" /> {%- if parents %} <link rel="up" title="{{ parents[-1].title|striptags }}" href="{{ parents[-1].link|e }}" /> {%- endif %} {%- if next %} <link rel="next" title="{{ next.title|striptags }}" href="{{ next.link|e }}" /> {%- endif %} {%- if prev %} <link rel="prev" title="{{ prev.title|striptags }}" href="{{ prev.link|e }}" /> {%- endif %} {%- endblock %} {%- block extrahead %} {% endblock %} </head> <body> <div class="header"><h1>Roundup</h1> {%- if pagename != "search" %} <div id="searchbox" style="display: none"> <form class="search" action="{{ pathto('search') }}" method="get"> <input type="text" name="q" size="18" /> <input type="submit" value="{{ _('Search') }}" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <script type="text/javascript">$('#searchbox').show(0);</script> {%- endif %} </div> <div class="navigation"> <div class="menu"> {{ sidebar() }} </div> </div> <div class="content"> {{ relbar('related-top') }} {{ body }} {{ relbar('related-bottom') }} </div> {%- block footer %} <div class="footer"> {%- if hasdoc('copyright') %} {% trans path=pathto('copyright'), copyright=copyright|e %}© <a href="{{ path }}">Copyright</a> {{ copyright }}.{% endtrans %} {%- else %} {% trans copyright=copyright|e %}© Copyright {{ copyright }}.{% endtrans %} {%- endif %} </div> {%- endblock %} </body> </html>