Mercurial > p > roundup > code
view roundup/cgi/engine_jinja2.py @ 8575:b1024bf0d9f7
feature: add nonceless/tokenless CSRF protection
Add tokenless CSRF protection following:
https://words.filippo.io/csrf/
Must be enabled using use_tokenless_csrf_protection in config.ini. By
default it's off. If enabled the older csrf_* settings are ignored.
The allowed_api_origins setting is still used for Origin comparisons.
This should also improve performance as a nonce isn't required so
generating random nonce and saving it to the otks database is
eliminated.
doc/admin_guide.txt, doc/reference.txt doc/upgrading.txt
doc updates.
roundup/configuration.py
add use_tokenless_csrf_protection setting.
move allowed_api_origins directly after
use_tokenless_csrf_protection and before the older csrf_* settings.
It's used by both of them.
Rewrite description of allowed_api_origins as its applied to all
URLs with tokenless protection, not just API URLs.
roundup/anypy/urllib_.py
import urlsplit, it is used in new code.
urlparse() is less efficient and splits params out of the path
component.
Since Roundup doesn't require that params be split from the path. I
expect future patch will replace urlparse() with urlsplit() globally
and not need urlparse().
roundup/cgi/client.py
add handle_csrf_tokenless() and call from handle_csrf() if
use_tokenless_csrf_protection is enabled.
refactor code that expires csrf tokens when used with the wrong
methods (i.e. GET) into expire_exposed_keys(). Call same from
handle_csrf and handle_csrf_tokenless. Also improve logging if this
happens including both Referer and Origin headers if available.
Arguably we dont care about CSRF tokens exposed via
GET/HEAD/OPTIONS in the tokenless case, but this cleans them up in
case the admin has to switch back. At some future date we can
delete all the nonce based CSRF from 2018.
Update handle_csrf() docstring about calling/returning
handle_csrf_tokenless() when enabled. Call
expire_exposed_keys(method) if token is supplied with wrong method.
roundup/cgi/templating.py
disable nonce generation/save and always return "0" when
use_tokenless_csrf_protection enabled.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 19 Apr 2026 20:50:07 -0400 |
| parents | 9c3ec0a5c7fc |
| children |
line wrap: on
line source
""" Experimental Jinja2 support for Roundup. It will become less experimental when it is completely clear what information is passed to template, and when the info is limited to the sane minimal set (to avoid Roundup state changes from template). [ ] fallback mechanizm to use multiple templating engines in parallel and aid in incremental translation from one engine to another [ ] define a place for templates probably TRACKER_HOME/templates/jinja2 with TRACKER_HOME/templates/INFO.txt describing how the dir was created, for example "This is a copy of 'classic' template from ..." also template fallback mechanizm for multi-engine configuration [ ] backward compatibility - if no engine is explicitly specified, use TRACKER_HOME/html directory [ ] copy TEMPLATES-INFO.txt to INFO.txt [ ] implement VERSION file in environment for auto upgrade [ ] precompile() is a stub [ ] add {{ debug() }} dumper to inspect available variables https://github.com/mitsuhiko/jinja2/issues/174 """ import jinja2 import mimetypes import sys # http://jinja.pocoo.org/docs/api/#loaders from roundup.cgi.templating import context, LoaderBase, TemplateBase from roundup.anypy.strings import s2u class Jinja2Loader(LoaderBase): def __init__(self, template_dir): self._env = jinja2.Environment( loader=jinja2.FileSystemLoader(template_dir), extensions=['jinja2.ext.i18n'], autoescape=True ) # Adding a custom filter that can transform roundup's vars to unicode # This is necessary because jinja2 can only deal with unicode objects # and roundup uses utf-8 for the internal representation. # The automatic conversion will assume 'ascii' and fail sometime. # Analysed with roundup 1.5.0 and jinja 2.7.1. See issue2550811. self._env.filters["u"] = s2u def _find(self, tplname): for extension in ('', '.html', '.xml'): try: filename = tplname + extension return self._env.get_template(filename) except jinja2.TemplateNotFound: continue return None def check(self, tplname): return bool(self._find(tplname)) def load(self, tplname): tpl = self._find(tplname) pt = Jinja2ProxyPageTemplate(tpl) pt.content_type = mimetypes.guess_type(tpl.filename)[0] or 'text/html' return pt def precompile(self): pass class Jinja2ProxyPageTemplate(TemplateBase): def __init__(self, template): self._tpl = template def render(self, client, classname, request, **options): # [ ] limit the information passed to the minimal necessary set c = context(client, self, classname, request) c.update({'options': options, 'gettext': lambda s: s2u(client.gettext(s)), 'ngettext': lambda s, p, n: s2u(client.ngettext(s, p, n))}) s = self._tpl.render(c) return s if sys.version_info[0] > 2 else \ s.encode(client.STORAGE_CHARSET, ) def __getitem__(self, name): # [ ] figure out what are these for raise NotImplementedError # return self._pt[name] def __getattr__(self, name): # [ ] figure out what are these for raise NotImplementedError # return getattr(self._pt, name)