
Call verifyPassword even if user does not exist. Address timing attack caused by not doing the password check if the user doesn't exist. Can expose valid usernames. Really only useful for a tracker that doesn't allow anonymous access to issues. Issues usually show usernames as part of the message display.
author John Rouillard <rouilj@ieee.org>
date Tue, 06 Apr 2021 22:51:55 -0400

from __future__ import print_function
import re

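# Base URL for changeset links; the hash or revision number is appended.
# NOTE(review): this and the Debian BTS URL below are plain http; both hosts
# serve https, so consider upgrading the scheme to avoid plaintext links.
hg_url_base = r'http://sourceforge.net/p/roundup/code/ci/'

# Ordered (compiled pattern, replacement) pairs applied one after another by
# local_replace().  Order matters: each pattern runs over the OUTPUT of the
# previous one, so a later pattern must not re-match text that an earlier
# pattern already wrapped in an <a> tag.
#
# Safety note: the only groups interpolated into an href are restricted by the
# patterns themselves to digits (\d+) or hex (0-9a-fA-F); the remaining groups
# (ws/prews/post/revstr) are whitespace, fixed keywords, or non-word characters
# that are reproduced verbatim outside the tag.  No other input text reaches an
# attribute, but nothing here escapes `message` either -- callers must pass
# already HTML-escaped text and render the result as markup.
substitutions = [ # debian:#NNN -> Debian bug tracker
                  (re.compile(r'debian:\#(?P<id>\d+)'),
                   r'<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=\g<id>">debian#\g<id></a>' ),
                  # #NNN -> local issue.  The negative lookbehind stops this
                  # pattern from re-matching the "debian#NNN" anchor text
                  # produced by the rule above, which used to yield a nested
                  # <a> whose "#NNN" part pointed at a local issue instead of
                  # the Debian bug.  Side effect: a bare "debian#NNN" (no
                  # colon) is no longer linked to a local issue either.
                  (re.compile(r'(?<!debian)\#(?P<ws>\s*)(?P<id>\d+)'),
                   r"<a href='issue\g<id>'>#\g<ws>\g<id></a>" ),
                  # issueNNN / issue NNN at start of text or after whitespace
                  (re.compile(r'(?P<prews>^|\s+)issue(?P<ws>\s*)(?P<id>\d+)'),
                   r"\g<prews><a href='issue\g<id>'>issue\g<ws>\g<id></a>" ),
                  # matching the typical number:hash format of hg's own output
                  # and then use the hash instead of the number
                  (re.compile(r'(?P<prews>(^|\s+))(?P<revstr>(rev\s*|hg\s*|changeset:   ))(?P<revnumber>\d+):(?P<refhash>[0-9a-fA-F]{12,40})(?P<post>\W+|$)'),
                      r'\g<prews><a href="' + hg_url_base + '\g<refhash>">\g<revstr>\g<revnumber>:\g<refhash></a>\g<post>'),
                  # matching hg revision number (no leading zero) or a hash of
                  # at least 4 hex digits.  Known limitation: `post` greedily
                  # consumes the trailing non-word run (including whitespace),
                  # so two references separated only by whitespace are not
                  # both linked.
                  (re.compile(r'(?P<prews>(^|\s+))(?P<revstr>(revision|rev|r)\s?)(?P<revision>([1-9][0-9]*)|[0-9a-fA-F]{4,40})(?P<post>\W+|$)'),
                   r'\g<prews><a href="' + hg_url_base + '\g<revision>">\g<revstr>\g<revision></a>\g<post>'),
                  ]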

def local_replace(message):
    """Return *message* with issue and changeset references turned into links.

    Every ``(pattern, replacement)`` pair in the module-level ``substitutions``
    list is applied in order with ``re.sub``; each pattern sees the output of
    the previous one.  Text matching no pattern comes back unchanged.

    The input is not HTML-escaped here: the caller must escape *message* first
    and treat the returned string as markup.
    """
    rendered = message
    for pattern, template in substitutions:
        rendered = pattern.sub(template, rendered)
    return rendered


def init(instance):
    """Expose ``local_replace`` to templates as the ``localReplace`` utility."""
    instance.registerUtil('localReplace', local_replace)

def quicktest(msgstr, should_replace = True, substr = True):
    """Run one example through local_replace and print the outcome.

    Updates the module-level ``testcount`` dict ("run"/"failed").  A case
    fails when the text changed but *should_replace* is False (or vice
    versa), or -- when *substr* is True -- when the original text is not a
    substring of the result.  Either way the input (and the replacement,
    if any) is echoed so the output can be checked by eye.
    """
    testcount['run'] += 1
    result = local_replace(msgstr)
    changed = result != msgstr

    failed = changed != should_replace
    if not failed and substr:
        # the link markup must wrap the original text, not alter it
        failed = msgstr not in result
    if failed:
        print("(fail)", end=' ')
        testcount['failed'] += 1

    if changed:
        print("'%s' -> '%s'" % (msgstr, result))
    else:
        print( "'%s'" % (msgstr,))

if "__main__" == __name__:
    # Manual smoke test: run a fixed set of examples through quicktest and
    # print the pass/fail tally.  Entries are (text, should_replace, substr).
    testcount = {'run':0 , 'failed': 0}
    print("Replacement examples:")
    examples = [
        (" debian:#222", True, False),
        (" #555", True, False),
        ("issue333", True, True),
        (" revision 222", True, False),
        (" r 222", True, False),
        (" wordthatendswithr 222", False, True),
        (" references", False, True),
        (" too many spaces r  222", False, True),
        ("re-evaluate", False, True),
        ("rex140eb", False, True),
        ("rev 012", False, True),  # too short for a hg hash
        ("rev 0123", True, True),
        ("re140eb", True, True),
        (" r7140eb", True, False),
        (" rev7140eb ", True, False),
        ("rev7140eb", True, True),
        ("rev7140eb,", True, False),
        ("rev4891:ad3d628e73f2", True, True),
        ("hg4891:ad3d628e73f2", True, True),
        ("changeset:   4542:46239c21a1eb", True, True),
        ("rev 4542:46239c21a1eb", True, True),
        ("rev    4542:46239c21a1eb", True, True),  # many spaces
    ]
    for text, expect_change, check_substr in examples:
        quicktest(text, expect_change, check_substr)
    print()
    print(testcount)
