Mercurial > p > roundup > code
view website/issues/detectors/patches.py @ 6375:c4371ec7d1c0
Call verifyPassword even if user does not exist.
Address timing attack caused by not doing the password check if the
user doesn't exist. Can expose valid usernames. Really only useful for
a tracker that doesn't allow anonymous access to issues. Issues
usually show usernames as part of the message display.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 06 Apr 2021 22:51:55 -0400 |
| parents | 0942fe89e82e |
| children |
line wrap: on
line source
# Auditor for patch files # Patches should be declared as text/plain (also .py files), # independent of what the browser says, and # the "patch" keyword should get set automatically. import posixpath patchtypes = ('.diff', '.patch') sourcetypes = ('.diff', '.patch', '.py') def ispatch(file, types): return posixpath.splitext(file)[1] in types def patches_text_plain(db, cl, nodeid, newvalues): if ispatch(newvalues['name'], sourcetypes): newvalues['type'] = 'text/plain' def patches_keyword(db, cl, nodeid, newvalues): # Check whether there are any new files newfiles = set(newvalues.get('files',())) if nodeid: newfiles -= set(db.issue.get(nodeid, 'files')) # Check whether any of these is a patch newpatch = False for fileid in newfiles: if ispatch(db.file.get(fileid, 'name'), patchtypes): newpatch = True break if newpatch: # Add the patch keyword if its not already there patchid = db.keyword.lookup("patch") oldkeywords = [] if nodeid: oldkeywords = db.issue.get(nodeid, 'keywords') if patchid in oldkeywords: # This is already marked as a patch return if 'keywords' not in newvalues: newvalues['keywords'] = oldkeywords newvalues['keywords'].append(patchid) def init(db): db.file.audit('create', patches_text_plain) db.issue.audit('create', patches_keyword) db.issue.audit('set', patches_keyword)