Mercurial > p > roundup > code
view roundup/cgi/cgitb.py @ 5201:a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
and
https://seclab.stanford.edu/websec/csrf/csrf.pdf
Basically implement Synchronizer (CSRF) Tokens per form on a page.
Single use (destroyed once used). Random input data for the token
includes:
system random implementation in python using /dev/urandom
(fallback to random based on timestamp as the seed. Not
as good, but should be ok for the short lifetime of the
token??)
the id (in cpython it's the memory address) of the object
requesting a token. In theory this depends on memory layout, the
history of the process (how many previous objects have been
allocated from the heap etc.) I claim without any proof that for
long running processes this is another source of randomness. For
short running processes with little activity it could be guessed.
last the floating point time.time() value is added. This may
only have 1 second resolution so may be guessable.
Hopefully for a short lived (2 week by default) token this is
sufficient. Also in the current implementation the user is notified when
validation fails and is told why. This allows the roundup admin to find
the log entry (at error level) and try to resolve the issue. In the
future user notification may change but for now this is probably best.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 18 Mar 2017 16:59:01 -0400 |
| parents | 6e3e4f24c753 |
| children | 64b05e24dbd8 |
line wrap: on
line source
# # This module was written by Ka-Ping Yee, <ping@lfw.org>. # """Extended CGI traceback handler by Ka-Ping Yee, <ping@lfw.org>. """ __docformat__ = 'restructuredtext' import sys, os, types, string, keyword, linecache, tokenize, inspect, cgi import pydoc, traceback from roundup.cgi import templating, TranslationService def get_translator(i18n=None): """Return message translation function (gettext) Parameters: i18n - translation service, such as roundup.i18n module or TranslationService object. Return ``gettext`` attribute of the ``i18n`` object, if available (must be a message translation function with one argument). If ``gettext`` cannot be obtained from ``i18n``, take default TranslationService. """ try: return i18n.gettext except: return TranslationService.get_translation().gettext def breaker(): return ('<body bgcolor="white">' + '<font color="white" size="-5"> > </font> ' + '</table>' * 5) def niceDict(indent, dict): l = [] for k in sorted(dict): v = dict[k] l.append('<tr><td><strong>%s</strong></td><td>%s</td></tr>'%(k, cgi.escape(repr(v)))) return '\n'.join(l) def pt_html(context=5, i18n=None): _ = get_translator(i18n) esc = cgi.escape exc_info = [esc(str(value)) for value in sys.exc_info()[:2]] l = [_('<h1>Templating Error</h1>\n' '<p><b>%(exc_type)s</b>: %(exc_value)s</p>\n' '<p class="help">Debugging information follows</p>' ) % {'exc_type': exc_info[0], 'exc_value': exc_info[1]}, '<ol>',] from roundup.cgi.PageTemplates.Expressions import TraversalError t = inspect.trace(context) t.reverse() for frame, file, lnum, func, lines, index in t: args, varargs, varkw, locals = inspect.getargvalues(frame) if '__traceback_info__' in locals: ti = locals['__traceback_info__'] if isinstance(ti, TraversalError): s = [] for name, info in ti.path: s.append(_('<li>"%(name)s" (%(info)s)</li>') % {'name': name, 'info': esc(repr(info))}) s = '\n'.join(s) l.append(_('<li>Looking for "%(name)s", ' 'current path:<ol>%(path)s</ol></li>' ) % {'name': ti.name, 'path': s}) else: l.append(_('<li>In %s</li>') % esc(str(ti))) if '__traceback_supplement__' in locals: ts = locals['__traceback_supplement__'] if len(ts) == 2: supp, context = ts s = _('A problem occurred in your template "%s".') \ % str(context.id) if context._v_errors: s = s + '<br>' + '<br>'.join( [esc(x) for x in context._v_errors]) l.append('<li>%s</li>'%s) elif len(ts) == 3: supp, context, info = ts l.append(_(''' <li>While evaluating the %(info)r expression on line %(line)d <table class="otherinfo" style="font-size: 90%%"> <tr><th colspan="2" class="header">Current variables:</th></tr> %(globals)s %(locals)s </table></li> ''') % { 'info': info, 'line': context.position[0], 'globals': niceDict(' ', context.global_vars), 'locals': niceDict(' ', context.local_vars) }) l.append(''' </ol> <table style="font-size: 80%%; color: gray"> <tr><th class="header" align="left">%s</th></tr> <tr><td><pre>%s</pre></td></tr> </table>''' % (_('Full traceback:'), cgi.escape(''.join( traceback.format_exception(*sys.exc_info()) )))) l.append('<p> </p>') return '\n'.join(l) def html(context=5, i18n=None): _ = get_translator(i18n) etype, evalue = sys.exc_info()[0], sys.exc_info()[1] if type(etype) is type: etype = etype.__name__ pyver = 'Python ' + string.split(sys.version)[0] + '<br>' + sys.executable head = pydoc.html.heading( _('<font size=+1><strong>%(exc_type)s</strong>: %(exc_value)s</font>') % {'exc_type': etype, 'exc_value': evalue}, '#ffffff', '#777777', pyver) head = head + (_('<p>A problem occurred while running a Python script. ' 'Here is the sequence of function calls leading up to ' 'the error, with the most recent (innermost) call first. ' 'The exception attributes are:')) indent = '<tt><small>%s</small> </tt>' % (' ' * 5) traceback = [] for frame, file, lnum, func, lines, index in inspect.trace(context): if file is None: link = _("<file is None - probably inside <tt>eval</tt> " "or <tt>exec</tt>>") else: file = os.path.abspath(file) link = '<a href="file:%s">%s</a>' % (file, pydoc.html.escape(file)) args, varargs, varkw, locals = inspect.getargvalues(frame) if func == '?': call = '' else: call = _('in <strong>%s</strong>') % func + inspect.formatargvalues( args, varargs, varkw, locals, formatvalue=lambda value: '=' + pydoc.html.repr(value)) level = ''' <table width="100%%" bgcolor="#dddddd" cellspacing=0 cellpadding=2 border=0> <tr><td>%s %s</td></tr></table>''' % (link, call) if index is None or file is None: traceback.append('<p>' + level) continue # do a file inspection names = [] def tokeneater(type, token, start, end, line, names=names): if type == tokenize.NAME and token not in keyword.kwlist: if token not in names: names.append(token) if type == tokenize.NEWLINE: raise IndexError def linereader(file=file, lnum=[lnum]): line = linecache.getline(file, lnum[0]) lnum[0] = lnum[0] + 1 return line try: tokenize.tokenize(linereader, tokeneater) except IndexError: pass lvals = [] for name in names: if name in frame.f_code.co_varnames: if name in locals: value = pydoc.html.repr(locals[name]) else: value = _('<em>undefined</em>') name = '<strong>%s</strong>' % name else: if name in frame.f_globals: value = pydoc.html.repr(frame.f_globals[name]) else: value = _('<em>undefined</em>') name = '<em>global</em> <strong>%s</strong>' % name lvals.append('%s = %s'%(name, value)) if lvals: lvals = string.join(lvals, ', ') lvals = indent + '<small><font color="#909090">%s'\ '</font></small><br>'%lvals else: lvals = '' excerpt = [] i = lnum - index for line in lines: number = ' ' * (5-len(str(i))) + str(i) number = '<small><font color="#909090">%s</font></small>' % number line = '<tt>%s %s</tt>' % (number, pydoc.html.preformat(line)) if i == lnum: line = ''' <table width="100%%" bgcolor="white" cellspacing=0 cellpadding=0 border=0> <tr><td>%s</td></tr></table>''' % line excerpt.append('\n' + line) if i == lnum: excerpt.append(lvals) i = i + 1 traceback.append('<p>' + level + string.join(excerpt, '\n')) traceback.reverse() exception = '<p><strong>%s</strong>: %s' % (str(etype), str(evalue)) attribs = [] if type(evalue) is types.InstanceType: for name in dir(evalue): value = pydoc.html.repr(getattr(evalue, name)) attribs.append('<br>%s%s = %s' % (indent, name, value)) return head + string.join(attribs) + string.join(traceback) + '<p> </p>' def handler(): print breaker() print html() # vim: set filetype=python ts=4 sw=4 et si :