# HG changeset patch
# User Mads Kiilerich
# Date 1563758985 -7200
# Node ID a545d2274120ec22689ca3a5398e17d0e5bcd63c
# Parent dcd55892eee0a3216cc4d148b8c0fd48d0088235
helpers: rename internal names of authentication_token to clarify that secure_form is about session CSRF secrets - not authentication
diff -r dcd55892eee0 -r a545d2274120 kallithea/controllers/login.py
--- a/kallithea/controllers/login.py Sun Jul 21 18:24:09 2019 +0200
+++ b/kallithea/controllers/login.py Mon Jul 22 03:29:45 2019 +0200
@@ -255,4 +255,4 @@
 Only intended for testing but might also be useful for other kinds of
 automation.
 """
- return h.authentication_token()
+ return h.session_csrf_secret_token()
diff -r dcd55892eee0 -r a545d2274120 kallithea/lib/base.py
--- a/kallithea/lib/base.py Sun Jul 21 18:24:09 2019 +0200
+++ b/kallithea/lib/base.py Mon Jul 22 03:29:45 2019 +0200
@@ -366,8 +366,8 @@
 # where we allow side effects without ambient authority is when the
 # authority comes from an API key; and that is handled above.
 from kallithea.lib import helpers as h
- token = request.POST.get(h.token_key)
- if not token or token != h.authentication_token():
+ token = request.POST.get(h.session_csrf_secret_name)
+ if not token or token != h.session_csrf_secret_token():
 log.error('CSRF check failed')
 raise webob.exc.HTTPForbidden()
@@ -479,9 +479,9 @@
 # Make sure CSRF token never appears in the URL. If so, invalidate it.
 from kallithea.lib import helpers as h
- if h.token_key in request.GET:
+ if h.session_csrf_secret_name in request.GET:
 log.error('CSRF key leak detected')
- session.pop(h.token_key, None)
+ session.pop(h.session_csrf_secret_name, None)
 session.save()
 h.flash(_('CSRF token leak has been detected - all form tokens have been expired'), category='error')
diff -r dcd55892eee0 -r a545d2274120 kallithea/lib/helpers.py
--- a/kallithea/lib/helpers.py Sun Jul 21 18:24:09 2019 +0200
+++ b/kallithea/lib/helpers.py Mon Jul 22 03:29:45 2019 +0200
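Review bot: The renamed CSRF check in kallithea/lib/base.py still compares the submitted value with `token != h.session_csrf_secret_token()`, a plain string comparison of a secret; the conventional form is `hmac.compare_digest(token, h.session_csrf_secret_token())`, with both operands coerced to the same string type first, since WebOb's POST values and the stored secret may not share a type on this code base. The function that contains the check starts and ends outside the hunk. The rename is otherwise consistent: `session_csrf_secret_name` is the same POST field that base.js and edit.html still send under the literal `'_authentication_token'`, so nothing changes on the wire.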
@@ -35,7 +35,7 @@
 select, submit, text, password, textarea, radio, form as insecure_form
 from webhelpers.number import format_byte_size
 from webhelpers.pylonslib import Flash as _Flash
-from webhelpers.pylonslib.secure_form import secure_form, authentication_token, token_key
+from webhelpers.pylonslib.secure_form import secure_form, authentication_token as session_csrf_secret_token, token_key as session_csrf_secret_name
 from webhelpers.text import chop_at, truncate, wrap_paragraphs
 from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \
 convert_boolean_attrs, NotGiven, _make_safe_id_component
@@ -1275,8 +1275,9 @@
 def form(url, method="post", **attrs):
 """Like webhelpers.html.tags.form but automatically using secure_form with
- authentication_token for POST. authentication_token is thus never leaked
- in the URL."""
+ session_csrf_secret_token for POST. The secret is thus never leaked in
+ URLs.
+ """
 if method.lower() == 'get':
 return insecure_form(url, method=method, **attrs)
 # webhelpers will turn everything but GET into POST
diff -r dcd55892eee0 -r a545d2274120 kallithea/model/user.py
--- a/kallithea/model/user.py Sun Jul 21 18:24:09 2019 +0200
+++ b/kallithea/model/user.py Mon Jul 22 03:29:45 2019 +0200
@@ -338,7 +338,7 @@
 log.debug('password reset user %s found', user)
 token = self.get_reset_password_token(user, timestamp,
- h.authentication_token())
+ h.session_csrf_secret_token())
 # URL must be fully qualified; but since the token is locked to
 # the current browser session, we must provide a URL with the
 # current scheme and hostname, rather than the canonical_url.
@@ -391,7 +391,7 @@
 expected_token = self.get_reset_password_token(user, timestamp,
- h.authentication_token())
+ h.session_csrf_secret_token())
 log.debug('computed password reset token: %s', expected_token)
 log.debug('received password reset token: %s', token)
 return expected_token == token
diff -r dcd55892eee0 -r a545d2274120 kallithea/public/js/base.js
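Review bot: The aliased import renames only the Python-side names: `session_csrf_secret_name` is still bound to webhelpers' `token_key`, whose value is the POST field name that base.js and edit.html keep sending as the literal `'_authentication_token'` elsewhere in this commit, so that string is part of the wire format and must not be "completed" by a later rename. A comment on the import would make that explicit, e.g. `# token_key is the POST field name ('_authentication_token'), shared with the JS side; only the Python names are renamed`. `secure_form` itself stays imported under its original name, which `form()` below relies on per its docstring; its body continues outside the second hunk.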
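Review bot: In kallithea/model/user.py the password-reset token is derived from the session CSRF secret (`h.session_csrf_secret_token()` in both the @@ -338 and @@ -391 hunks), so a reset link's validity is tied to that secret's lifetime: the leak handler in kallithea/lib/base.py pops the same session key, after which `expected_token` in the @@ -391 hunk is presumably recomputed from a fresh secret and any outstanding reset link for that session stops validating. That coupling is intended ("locked to the current browser session") but only documented next to the URL construction; a comment at the derivation would state it, e.g. `# keyed on the per-session CSRF secret: clearing it (see the CSRF leak handling in base.py) invalidates outstanding reset tokens`. The @@ -391 hunk also compares `expected_token == token` with plain `==`; `hmac.compare_digest` would be the usual choice for a reset token, with both operands coerced to one string type. Both enclosing methods start and end outside their hunks.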
--- a/kallithea/public/js/base.js Sun Jul 21 18:24:09 2019 +0200
+++ b/kallithea/public/js/base.js Mon Jul 22 03:29:45 2019 +0200
@@ -408,7 +408,7 @@
 };
 var ajaxPOST = function(url, postData, success, failure) {
- postData['_authentication_token'] = _authentication_token;
+ postData['_authentication_token'] = _session_csrf_secret_token;
 var postData = _toQueryString(postData);
 if(failure === undefined) {
 failure = function(jqXHR, textStatus, errorThrown) {
@@ -458,7 +458,7 @@
 var toggleFollowingRepo = function(target, follows_repository_id){
 var args = 'follows_repository_id=' + follows_repository_id;
- args += '&_authentication_token=' + _authentication_token;
+ args += '&_authentication_token=' + _session_csrf_secret_token;
 $.post(TOGGLE_FOLLOW_URL, args, function(data){
 _onSuccessFollow(target);
 });
@@ -466,7 +466,7 @@
 };
 var showRepoSize = function(target, repo_name){
- var args = '_authentication_token=' + _authentication_token;
+ var args = '_authentication_token=' + _session_csrf_secret_token;
 if(!$("#" + target).hasClass('loaded')){
 $("#" + target).html(_TM['Loading ...']);
diff -r dcd55892eee0 -r a545d2274120 kallithea/templates/admin/gists/edit.html
--- a/kallithea/templates/admin/gists/edit.html Sun Jul 21 18:24:09 2019 +0200
+++ b/kallithea/templates/admin/gists/edit.html Mon Jul 22 03:29:45 2019 +0200
@@ -153,7 +153,7 @@
 // check for newer version.
 $.ajax({
 url: ${h.js(h.url('edit_gist_check_revision', gist_id=c.gist.gist_access_id))},
- data: {'revision': ${h.js(c.file_changeset.raw_id)}, '_authentication_token': _authentication_token},
+ data: {'revision': ${h.js(c.file_changeset.raw_id)}, '_authentication_token': _session_csrf_secret_token},
 dataType: 'json',
 type: 'POST',
 success: function(data) {
diff -r dcd55892eee0 -r a545d2274120 kallithea/templates/base/root.html
--- a/kallithea/templates/base/root.html Sun Jul 21 18:24:09 2019 +0200
+++ b/kallithea/templates/base/root.html Mon Jul 22 03:29:45 2019 +0200
@@ -65,7 +65,7 @@
 var REPO_NAME = ${h.js(c.repo_name)};
 %endif
- var _authentication_token = ${h.js(h.authentication_token())};
+ var _session_csrf_secret_token = ${h.js(h.session_csrf_secret_token())};