Mercurial > p > roundup > code
view roundup/scripts/roundup_gettext.py @ 5201:a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
and
https://seclab.stanford.edu/websec/csrf/csrf.pdf
Basically implement Synchronizer (CSRF) Tokens per form on a page.
Single use (destroyed once used). Random input data for the token
includes:
system random implementation in python using /dev/urandom
(fallback to random based on timestamp as the seed. Not
as good, but should be ok for the short lifetime of the
token??)
the id (in cpython it's the memory address) of the object
requesting a token. In theory this depends on memory layout, the
history of the process (how many previous objects have been
allocated from the heap etc.) I claim without any proof that for
long running processes this is another source of randomness. For
short running processes with little activity it could be guessed.
last the floating point time.time() value is added. This may
only have 1 second resolution so may be guessable.
Hopefully for a short lived (2 week by default) token this is
sufficient. Also in the current implementation the user is notified when
validation fails and is told why. This allows the roundup admin to find
the log entry (at error level) and try to resolve the issue. In the
future user notification may change but for now this is probably best.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 18 Mar 2017 16:59:01 -0400 |
| parents | 86ef4ab17dc5 |
| children | 64b05e24dbd8 |
line wrap: on
line source
#! /usr/bin/env python # # Copyright 2004 Richard Jones (richard@mechanicalcat.net) """Extract translatable strings from tracker templates""" import os import sys # --- patch sys.path to make sure 'import roundup' finds correct version import os.path as osp thisdir = osp.dirname(osp.abspath(__file__)) rootdir = osp.dirname(osp.dirname(thisdir)) if (osp.exists(thisdir + '/__init__.py') and osp.exists(rootdir + '/roundup/__init__.py')): # the script is located inside roundup source code sys.path.insert(0, rootdir) # --/ from roundup.i18n import _ from roundup.cgi.TAL import talgettext # name of message template file. # i don't think this will ever need to be changed, but still... TEMPLATE_FILE = "messages.pot" def run(): # return unless command line arguments contain single directory path if (len(sys.argv) != 2) or (sys.argv[1] in ("-h", "--help")): print _("Usage: %(program)s <tracker home>") % {"program": sys.argv[0]} return # collect file paths of html templates home = os.path.abspath(sys.argv[1]) htmldir = os.path.join(home, "html") if os.path.isdir(htmldir): # glob is not used because i want to match file names # without case sensitivity, and that is easier done this way. htmlfiles = [filename for filename in os.listdir(htmldir) if os.path.isfile(os.path.join(htmldir, filename)) and filename.lower().endswith(".html")] else: htmlfiles = [] # return if no html files found if not htmlfiles: print _("No tracker templates found in directory %s") % home return # change to locale dir to have relative source references locale = os.path.join(home, "locale") if not os.path.isdir(locale): os.mkdir(locale) os.chdir(locale) # tweak sys.argv as this is the only way to tell talgettext what to do # Note: unix-style paths used instead of os.path.join deliberately sys.argv[1:] = ["-o", TEMPLATE_FILE] \ + ["../html/" + filename for filename in htmlfiles] # run talgettext.main() if __name__ == "__main__": run() # vim: set et sts=4 sw=4 :