# HG changeset patch
# User Mads Kiilerich
# Date 1563726249 -7200
# Node ID dcd55892eee0a3216cc4d148b8c0fd48d0088235
# Parent d9421a78a53430c262d0551a5f554b3b333e391d
helpers: always access secure_form through helpers

diff -r d9421a78a534 -r dcd55892eee0 kallithea/lib/base.py
--- a/kallithea/lib/base.py	Tue Aug 06 22:50:03 2019 +0200
+++ b/kallithea/lib/base.py	Sun Jul 21 18:24:09 2019 +0200
@@ -39,7 +39,6 @@
 import paste.httpexceptions
 import paste.auth.basic
 import paste.httpheaders
-from webhelpers.pylonslib import secure_form
 from tg import config, tmpl_context as c, request, response, session, render_template
 from tg import TGController
 
@@ -366,8 +365,9 @@
 # guaranteed to be side effect free. In practice, the only situation
 # where we allow side effects without ambient authority is when the
 # authority comes from an API key; and that is handled above.
-token = request.POST.get(secure_form.token_key)
-if not token or token != secure_form.authentication_token():
+from kallithea.lib import helpers as h
+token = request.POST.get(h.token_key)
+if not token or token != h.authentication_token():
 log.error('CSRF check failed')
 raise webob.exc.HTTPForbidden()
 
@@ -478,11 +478,11 @@
 raise webob.exc.HTTPMethodNotAllowed()
 
 # Make sure CSRF token never appears in the URL. If so, invalidate it.
-if secure_form.token_key in request.GET:
+from kallithea.lib import helpers as h
+if h.token_key in request.GET:
 log.error('CSRF key leak detected')
-session.pop(secure_form.token_key, None)
+session.pop(h.token_key, None)
 session.save()
-from kallithea.lib import helpers as h
 h.flash(_('CSRF token leak has been detected - all form tokens have been expired'), category='error')
 
diff -r d9421a78a534 -r dcd55892eee0 kallithea/lib/helpers.py
--- a/kallithea/lib/helpers.py	Tue Aug 06 22:50:03 2019 +0200
+++ b/kallithea/lib/helpers.py	Sun Jul 21 18:24:09 2019 +0200
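Review bot: The CSRF check in the `@@ -366` hunk still compares the submitted token with a plain `!=`, which the commit keeps while only changing how the token key and generator are reached; the usual defensive form for a secret-bearing comparison is a constant-time one, `if not token or not hmac.compare_digest(token, h.authentication_token()):` with `import hmac` added to the module's import block (available on 2.7.7+/3.3+, both operands must be the same string type). The same hunk and the `@@ -478` hunk each introduce a function-local `from kallithea.lib import helpers as h`; presumably this is placed inside the function to avoid an import cycle between base.py and helpers.py, and a one-line comment at both sites, `# local import: presumably avoids an import cycle with helpers — TODO(review): confirm`, would keep a later cleanup from hoisting it to module level and breaking startup. The enclosing methods of both hunks begin and end outside the hunks.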
@@ -35,7 +35,7 @@
 select, submit, text, password, textarea, radio, form as insecure_form
 from webhelpers.number import format_byte_size
 from webhelpers.pylonslib import Flash as _Flash
-from webhelpers.pylonslib.secure_form import secure_form, authentication_token
+from webhelpers.pylonslib.secure_form import secure_form, authentication_token, token_key
 from webhelpers.text import chop_at, truncate, wrap_paragraphs
 from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \
 convert_boolean_attrs, NotGiven, _make_safe_id_component