changeset 7801:dcd55892eee0

helpers: always access secure_form through helpers
author Mads Kiilerich <mads@kiilerich.com>
date Sun, 21 Jul 2019 18:24:09 +0200
parents d9421a78a534
children a545d2274120
files kallithea/lib/base.py kallithea/lib/helpers.py
diffstat 2 files changed, 7 insertions(+), 7 deletions(-) [+]
--- a/kallithea/lib/base.py	Tue Aug 06 22:50:03 2019 +0200
+++ b/kallithea/lib/base.py	Sun Jul 21 18:24:09 2019 +0200
@@ -39,7 +39,6 @@
 import paste.httpexceptions
 import paste.auth.basic
 import paste.httpheaders
-from webhelpers.pylonslib import secure_form
 
 from tg import config, tmpl_context as c, request, response, session, render_template
 from tg import TGController
@@ -366,8 +365,9 @@
             # guaranteed to be side effect free. In practice, the only situation
             # where we allow side effects without ambient authority is when the
             # authority comes from an API key; and that is handled above.
-            token = request.POST.get(secure_form.token_key)
-            if not token or token != secure_form.authentication_token():
+            from kallithea.lib import helpers as h
+            token = request.POST.get(h.token_key)
+            if not token or token != h.authentication_token():
                 log.error('CSRF check failed')
                 raise webob.exc.HTTPForbidden()
 
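Review bot: The CSRF check on the new line `if not token or token != h.authentication_token():` still compares the submitted token with `!=`, which is not a constant-time comparison; with `import hmac` added to base.py's stdlib imports this can become `if not token or not hmac.compare_digest(token, h.authentication_token()):` (both arguments must be the same string type, so the POST value may need coercing first — worth confirming on this Python version). The deferred `from kallithea.lib import helpers as h` placed on the request path here, and again in the hunk at line 478, is presumably there to break an import cycle between base.py and helpers.py; a one-line comment such as `# deferred import: helpers depends on base (presumed circular import) -- confirm` at the first occurrence would save the next reader from hoisting it. The enclosing method starts and ends outside this hunk.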
@@ -478,11 +478,11 @@
             raise webob.exc.HTTPMethodNotAllowed()
 
         # Make sure CSRF token never appears in the URL. If so, invalidate it.
-        if secure_form.token_key in request.GET:
+        from kallithea.lib import helpers as h
+        if h.token_key in request.GET:
             log.error('CSRF key leak detected')
-            session.pop(secure_form.token_key, None)
+            session.pop(h.token_key, None)
             session.save()
-            from kallithea.lib import helpers as h
             h.flash(_('CSRF token leak has been detected - all form tokens have been expired'),
                     category='error')
 
--- a/kallithea/lib/helpers.py	Tue Aug 06 22:50:03 2019 +0200
+++ b/kallithea/lib/helpers.py	Sun Jul 21 18:24:09 2019 +0200
@@ -35,7 +35,7 @@
     select, submit, text, password, textarea, radio, form as insecure_form
 from webhelpers.number import format_byte_size
 from webhelpers.pylonslib import Flash as _Flash
-from webhelpers.pylonslib.secure_form import secure_form, authentication_token
+from webhelpers.pylonslib.secure_form import secure_form, authentication_token, token_key
 from webhelpers.text import chop_at, truncate, wrap_paragraphs
 from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \
     convert_boolean_attrs, NotGiven, _make_safe_id_component