Mercurial > p > roundup > code
view roundup/cgi/wsgi_handler.py @ 5201:a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
and
https://seclab.stanford.edu/websec/csrf/csrf.pdf
Basically implement Synchronizer (CSRF) Tokens per form on a page.
Single use (destroyed once used). Random input data for the token
includes:
system random implementation in python using /dev/urandom
(fallback to random based on timestamp as the seed. Not
as good, but should be ok for the short lifetime of the
token??)
the id (in cpython it's the memory address) of the object
requesting a token. In theory this depends on memory layout, the
history of the process (how many previous objects have been
allocated from the heap etc.) I claim without any proof that for
long running processes this is another source of randomness. For
short running processes with little activity it could be guessed.
last the floating point time.time() value is added. This may
only have 1 second resolution so may be guessable.
Hopefully for a short lived (2 week by default) token this is
sufficient. Also in the current implementation the user is notified when
validation fails and is told why. This allows the roundup admin to find
the log entry (at error level) and try to resolve the issue. In the
future user notification may change but for now this is probably best.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 18 Mar 2017 16:59:01 -0400 |
| parents | 7aa72c31464d |
| children | 92757447dcf0 35ea9b1efc14 ab37c1705dbf |
line wrap: on
line source
# WSGI interface for Roundup Issue Tracker # # This module is free software, you may redistribute it # and/or modify under the same terms as Python. # import os import cgi import weakref import roundup.instance from roundup.cgi import TranslationService from BaseHTTPServer import BaseHTTPRequestHandler, DEFAULT_ERROR_MESSAGE class Writer(object): '''Perform a start_response if need be when we start writing.''' def __init__(self, request): self.request = request #weakref.ref(request) def write(self, data): f = self.request.get_wfile() self.write = f return f(data) class RequestDispatcher(object): def __init__(self, home, debug=False, timing=False, lang=None): assert os.path.isdir(home), '%r is not a directory'%(home,) self.home = home self.debug = debug self.timing = timing if lang: self.translator = TranslationService.get_translation(lang, tracker_home=home) else: self.translator = None def __call__(self, environ, start_response): """Initialize with `apache.Request` object""" self.environ = environ request = RequestDispatcher(self.home, self.debug, self.timing) request.__start_response = start_response request.wfile = Writer(request) request.__wfile = None if environ ['REQUEST_METHOD'] == 'OPTIONS': code = 501 message, explain = BaseHTTPRequestHandler.responses[code] request.start_response([('Content-Type', 'text/html'), ('Connection', 'close')], code) request.wfile.write(DEFAULT_ERROR_MESSAGE % locals()) return [] tracker = roundup.instance.open(self.home, not self.debug) # need to strip the leading '/' environ["PATH_INFO"] = environ["PATH_INFO"][1:] if request.timing: environ["CGI_SHOW_TIMING"] = request.timing form = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ) client = tracker.Client(tracker, request, environ, form, request.translator) try: client.main() except roundup.cgi.client.NotFound: request.start_response([('Content-Type', 'text/html')], 404) request.wfile.write('Not found: %s'%client.path) # all body data has been written using wfile return [] def start_response(self, headers, response_code): """Set HTTP response code""" message, explain = BaseHTTPRequestHandler.responses[response_code] self.__wfile = self.__start_response('%d %s'%(response_code, message), headers) def get_wfile(self): if self.__wfile is None: raise ValueError, 'start_response() not called' return self.__wfile