Mercurial > p > roundup > code
view scripts/add-issue @ 6375:c4371ec7d1c0
Call verifyPassword even if user does not exist.
Address timing attack caused by not doing the password check if the
user doesn't exist. Can expose valid usernames. Really only useful for
a tracker that doesn't allow anonymous access to issues. Issues
usually show usernames as part of the message display.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 06 Apr 2021 22:51:55 -0400 |
| parents | c75defc1c2f0 |
| children | 9c3ec0a5c7fc |
line wrap: on
line source
#! /usr/bin/env python ''' Usage: %s <tracker home> <priority> <issue title> Create a new issue in the given tracker. Input is taken from STDIN to create the initial issue message (which may be empty). Issues will be created as the current user (%s) if they exist as a Roundup user, or "admin" otherwise. ''' from __future__ import print_function import sys, os, pwd from roundup import instance, mailgw, date # open the instance username = pwd.getpwuid(os.getuid())[0] if len(sys.argv) < 3: print("Error: Not enough arguments") print(__doc__.strip()%(sys.argv[0], username)) sys.exit(1) tracker_home = sys.argv[1] issue_priority = sys.argv[2] issue_title = ' '.join(sys.argv[3:]) # get the message, if any message_text = sys.stdin.read().strip() # open the tracker tracker = instance.open(tracker_home) db = tracker.open('admin') db.tx_Source = "cli" uid = db.user.lookup('admin') try: # try to open the tracker as the current user uid = db.user.lookup(username) db.close() db = tracker.open(username) except KeyError: pass try: # handle the message messages = [] if message_text: summary, x = mailgw.parseContent(message_text, 0, 0) msg = db.msg.create(content=message_text, summary=summary, author=uid, date=date.Date()) messages = [msg] # now create the issue db.issue.create(title=issue_title, priority=issue_priority, messages=messages) db.commit() finally: db.close() # vim: set filetype=python ts=4 sw=4 et si