changeset 353:6713716d8ae9
Fixed various cookie-related bugs:
. [SF#477685] base64.decodestring breaks
. [SF#477837] lynx does not like the cookie
. [SF#477892] Password edit doesn't fix login cookie
Also closed a security hole: any logged-in user could edit another user's
details.
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Sun, 04 Nov 2001 03:07:12 +0000 |
| parents | a158507768f6 |
| children | f90abe9e811d |
| files | CHANGES.txt roundup/cgi_client.py |
| diffstat | 2 files changed, 68 insertions(+), 21 deletions(-) [+] |
--- a/CHANGES.txt Sat Nov 03 01:59:33 2001 +0000
+++ b/CHANGES.txt Sun Nov 04 03:07:12 2001 +0000
@@ -21,6 +21,9 @@
  . bug #477107 ] HTTP header problem
  . bug #477687 ] conforming html
  . bug #474372 ] Netscape 4.77 do not render Support form
+ . bug #477685 ] base64.decodestring breaks
+ . bug #477837 ] lynx does not like the cookie
+ . bug #477892 ] Password edit doesn't fix login cookie
 
 2001-10-23 - 0.3.0 pre 3
 Feature:
--- a/roundup/cgi_client.py Sat Nov 03 01:59:33 2001 +0000
+++ b/roundup/cgi_client.py Sun Nov 04 03:07:12 2001 +0000
@@ -15,7 +15,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 #
-# $Id: cgi_client.py,v 1.48 2001-11-03 01:30:18 richard Exp $
+# $Id: cgi_client.py,v 1.49 2001-11-04 03:07:12 richard Exp $
 
 import os, cgi, pprint, StringIO, urlparse, re, traceback, mimetypes
 import binascii, Cookie, time
@@ -312,12 +312,57 @@
     showmsg = shownode
 
     def showuser(self, message=None):
-        ''' display an item
+        '''Display a user page for editing. Make sure the user is allowed
+           to edit this node, and also check for password changes.
         '''
-        if self.user in ('admin', self.db.user.get(self.nodeid, 'username')):
-            self.shownode(message)
+        if self.user == 'anonymous':
+            raise Unauthorised
+
+        user = self.db.user
+
+        # get the username of the node being edited
+        node_user = user.get(self.nodeid, 'username')
+
+        if self.user not in ('admin', node_user):
+            raise Unauthorised
+
+        #
+        # perform any editing
+        #
+        keys = self.form.keys()
+        num_re = re.compile('^\d+$')
+        if keys:
+            try:
+                props, changed = parsePropsFromForm(self.db, user, self.form,
+                    self.nodeid)
+                if self.nodeid == self.getuid() and 'password' in changed:
+                    set_cookie = self.form['password'].value.strip()
+                else:
+                    set_cookie = 0
+                user.set(self.nodeid, **props)
+                self._post_editnode(self.nodeid, changed)
+                # and some feedback for the user
+                message = '%s edited ok'%', '.join(changed)
+            except:
+                s = StringIO.StringIO()
+                traceback.print_exc(None, s)
+                message = '<pre>%s</pre>'%cgi.escape(s.getvalue())
         else:
-            raise Unauthorised
+            set_cookie = 0
+
+        # fix the cookie if the password has changed
+        if set_cookie:
+            self.set_cookie(self.user, set_cookie)
+
+        #
+        # now the display
+        #
+        self.pagehead('User: %s'%node_user, message)
+
+        # use the template to display the item
+        item = htmltemplate.ItemTemplate(self, self.TEMPLATES, 'user')
+        item.render(self.nodeid)
+        self.pagefoot()
 
     def showfile(self):
         ''' display a file
@@ -578,7 +623,6 @@
             password = self.form['__login_password'].value
         else:
             password = ''
-        print self.user, password
         # make sure the user exists
         try:
             uid = self.db.user.lookup(self.user)
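Review bot: The new edit path in showuser wraps parsePropsFromForm and user.set in a bare `except:` and writes the whole traceback into the page, which hands the submitter internal file paths and local variable context (and, depending on what user.set raises, the submitted values) while hiding every failure type alike; catch the specific exceptions the form parser raises, or at least `except Exception`, and log the traceback server-side instead of rendering it. `num_re` is compiled but never used and can be dropped. The authorisation check only decides whether self.user may edit this node, not which properties the form may change, so if the user class carries privilege-bearing properties a self-edit could set them — worth confirming against parsePropsFromForm, which is outside this hunk. Removing `print self.user, password` in the second hunk also stops the cleartext password reaching stdout; that hunk's enclosing function starts before the hunk.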
@@ -593,13 +637,15 @@
             self.make_user_anonymous()
             return self.login(message='Incorrect password')
 
+        self.set_cookie(self.user, password)
+        return self.index()
+
+    def set_cookie(self, user, password):
         # construct the cookie
-        uid = self.db.user.lookup(self.user)
-        user = binascii.b2a_base64('%s:%s'%(self.user, password)).strip()
-        path = '/'.join((self.env['SCRIPT_NAME'], self.env['INSTANCE_NAME'],
-            ''))
-        self.header({'Set-Cookie': 'roundup_user=%s; Path=%s;'%(user, path)})
-        return self.index()
+        user = binascii.b2a_base64('%s:%s'%(user, password)).strip()
+        path = '/'.join((self.env['SCRIPT_NAME'], self.env['INSTANCE_NAME']))
+        self.header({'Set-Cookie': 'roundup_user="%s"; Path="%s";'%(user,
+            path)})
 
     def make_user_anonymous(self):
         # make us anonymous if we can
@@ -612,11 +658,11 @@
     def logout(self, message=None):
         self.make_user_anonymous()
         # construct the logout cookie
-        path = '/'.join((self.env['SCRIPT_NAME'], self.env['INSTANCE_NAME'],
-            ''))
         now = Cookie._getdate()
+        path = '/'.join((self.env['SCRIPT_NAME'], self.env['INSTANCE_NAME']))
         self.header({'Set-Cookie':
-            'roundup_user=deleted; Max-Age=0; expires=%s; Path=%s;'%(now, path)})
+            'roundup_user=deleted; Max-Age=0; expires="%s"; Path="%s";'%(now,
+            path)})
         return self.login()
 
     def newuser_action(self, message=None):
@@ -633,12 +679,7 @@
             uid = cl.create(**props)
             self.user = self.db.user.get(uid, 'username')
             password = self.db.user.get(uid, 'password')
-            # construct the cookie
-            uid = self.db.user.lookup(self.user)
-            user = binascii.b2a_base64('%s:%s'%(self.user, password)).strip()
-            path = '/'.join((self.env['SCRIPT_NAME'], self.env['INSTANCE_NAME'],
-                ''))
-            self.header({'Set-Cookie': 'roundup_user=%s; Path=%s;'%(user, path)})
+            self.set_cookie(self.user, password)
             return self.index()
 
     def main(self, dre=re.compile(r'([^\d]+)(\d+)'),
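Review bot: The new `set_cookie` helper still stores the reversible base64 of `user:password` in the cookie, so after this consolidation every request keeps carrying the cleartext credential and anything that logs or proxies the cookie obtains the password; the durable fix is a random server-side session token, and in the meantime the helper should get a docstring saying what it encodes, e.g. `'''Set the roundup_user cookie to base64("user:password"), scoped to this instance's path.'''`. The parameter `user` is rebound to the encoded cookie value on the next line, which reads confusingly; `cookie = binascii.b2a_base64(...)` would be clearer. If a username could contain a colon the `user:password` encoding would be ambiguous on decode, which lives outside this hunk and is worth confirming. login's body starts before the first hunk and newuser_action's before the third.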
@@ -878,6 +919,9 @@ # # $Log: not supported by cvs2svn $ +# Revision 1.48 2001/11/03 01:30:18 richard +# Oops. uses pagefoot now. +# # Revision 1.47 2001/11/03 01:29:28 richard # Login page didn't have all close tags. #
