changeset 5524:1346754f1852 stable

forms: don't use secure forms with authentication token for GET requests The token is secret and should never be used in forms posted with GET which are URL encoded. aef21d16a262 was too aggressive in using secure forms everywhere and thus also incorrectly used them for forms posted with GET. Some token leakage was reported by Gjoko Krstic <gjoko@zeroscience.mk> of Zero Science Lab.
author Mads Kiilerich <madski@unity3d.com>
date Sat, 26 Sep 2015 02:34:16 +0200
parents 38d1c99cd000
children ef392737c203
files kallithea/controllers/changelog.py kallithea/lib/helpers.py
diffstat 2 files changed, 13 insertions(+), 3 deletions(-) [+]
--- a/kallithea/controllers/changelog.py	Wed Sep 23 16:09:14 2015 +0200
+++ b/kallithea/controllers/changelog.py	Sat Sep 26 02:34:16 2015 +0200
@@ -98,7 +98,6 @@
         # TODO: Somehow just don't send this extra junk in the GET URL
         if request.GET.get('set'):
             request.GET.pop('set', None)
-            request.GET.pop('_authentication_token', None)
             if revision is None:
                 return redirect(url('changelog_home', repo_name=repo_name, **request.GET))
             return redirect(url('changelog_file_home', repo_name=repo_name, revision=revision, f_path=f_path, **request.GET))
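Review bot: Removing the pop of `_authentication_token` means that any token which still arrives in the query string — from a URL bookmarked or cached before this change, or from any template that still posts with GET — is now forwarded unchanged by the redirect through `**request.GET`, so it stays in the resulting URL, server logs and Referer headers. Since the purpose of the change is to keep the token out of URLs, keeping `request.GET.pop('_authentication_token', None)` here as defense in depth costs nothing and covers the transition period. If it is kept, a comment such as `# strip a token that may still arrive via old GET URLs; never propagate it into the redirect` would record why the line outlives the helpers.py change. The enclosing function starts before this hunk.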
--- a/kallithea/lib/helpers.py	Wed Sep 23 16:09:14 2015 +0200
+++ b/kallithea/lib/helpers.py	Sat Sep 26 02:34:16 2015 +0200
@@ -36,12 +36,13 @@
 from webhelpers.html.tags import auto_discovery_link, checkbox, css_classes, \
     end_form, file, hidden, image, javascript_link, link_to, \
     link_to_if, link_to_unless, ol, required_legend, select, stylesheet_link, \
-    submit, text, password, textarea, title, ul, xml_declaration, radio
+    submit, text, password, textarea, title, ul, xml_declaration, radio, \
+    form as insecure_form
 from webhelpers.html.tools import auto_link, button_to, highlight, \
     js_obfuscate, mail_to, strip_links, strip_tags, tag_re
 from webhelpers.number import format_byte_size, format_bit_size
 from webhelpers.pylonslib import Flash as _Flash
-from webhelpers.pylonslib.secure_form import secure_form as form, authentication_token
+from webhelpers.pylonslib.secure_form import secure_form, authentication_token
 from webhelpers.text import chop_at, collapse, convert_accented_entities, \
     convert_misc_entities, lchop, plural, rchop, remove_formatting, \
     replace_whitespace, urlify, truncate, wrap_paragraphs
@@ -1451,3 +1452,13 @@
     from kallithea.model.db import UserIpMap
     s, e = UserIpMap._get_ip_range(ip_addr)
     return '%s - %s' % (s, e)
+
+
+def form(url, method="post", **attrs):
+    """Like webhelpers.html.tags.form but automatically using secure_form with
+    authentication_token for POST. authentication_token is thus never leaked
+    in the URL."""
+    if method.lower() == 'get':
+        return insecure_form(url, method=method, **attrs)
+    # webhelpers will turn everything but GET into POST
+    return secure_form(url, method=method, **attrs)
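Review bot: The new `form` wrapper only protects callers that go through it, while the import change in the same file now also exposes `secure_form` under its own name as a helper, so a template that calls `secure_form(..., method='get')` directly reintroduces the token-in-URL leak the commit is fixing. The docstring should state the intended contract, e.g. append `Templates should always call this wrapper rather than secure_form directly; GET forms must never carry the token.` A `method` value that is not a plain string (for example `None`) would raise on `method.lower()` before reaching either branch; if that is acceptable, a short comment saying so keeps the next reader from treating it as a bug. The import hunk above carries the same concern and is not repeated there.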