changeset 7801:dcd55892eee0
helpers: always access secure_form through helpers
author | Mads Kiilerich <mads@kiilerich.com> |
date | Sun, 21 Jul 2019 18:24:09 +0200 |
parents | d9421a78a534 |
children | a545d2274120 |
files | kallithea/lib/base.py kallithea/lib/helpers.py |
diffstat | 2 files changed, 7 insertions(+), 7 deletions(-) [+] |
--- a/kallithea/lib/base.py Tue Aug 06 22:50:03 2019 +0200
+++ b/kallithea/lib/base.py Sun Jul 21 18:24:09 2019 +0200
@@ -39,7 +39,6 @@
 import paste.httpexceptions
 import paste.auth.basic
 import paste.httpheaders
-from webhelpers.pylonslib import secure_form
 from tg import config, tmpl_context as c, request, response, session, render_template
 from tg import TGController
@@ -366,8 +365,9 @@
 # guaranteed to be side effect free. In practice, the only situation
 # where we allow side effects without ambient authority is when the
 # authority comes from an API key; and that is handled above.
-token = request.POST.get(secure_form.token_key)
-if not token or token != secure_form.authentication_token():
+from kallithea.lib import helpers as h
+token = request.POST.get(h.token_key)
+if not token or token != h.authentication_token():
 log.error('CSRF check failed')
 raise webob.exc.HTTPForbidden()
@@ -478,11 +478,11 @@
 raise webob.exc.HTTPMethodNotAllowed()
 # Make sure CSRF token never appears in the URL. If so, invalidate it.
-if secure_form.token_key in request.GET:
+from kallithea.lib import helpers as h
+if h.token_key in request.GET:
 log.error('CSRF key leak detected')
-session.pop(secure_form.token_key, None)
+session.pop(h.token_key, None)
 session.save()
-from kallithea.lib import helpers as h
 h.flash(_('CSRF token leak has been detected - all form tokens have been expired'), category='error')
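Review bot: The CSRF check on the new line `if not token or token != h.authentication_token():` in the second hunk compares the submitted token with an ordinary `!=`; the conventional form for comparing a secret is a constant-time compare, e.g. `if not token or not hmac.compare_digest(token, h.authentication_token()):` with `import hmac` at module level, provided both operands are of the same string type. The method containing this check starts and ends outside the hunk, so the surrounding control flow is not visible here. The function-scope `from kallithea.lib import helpers as h` added in this hunk and in the third hunk presumably exists to avoid an import cycle with helpers.py; a short comment on each, `# local import: helpers imports this module`, would stop a later cleanup from hoisting it to the top of the file and reintroducing the cycle.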
--- a/kallithea/lib/helpers.py Tue Aug 06 22:50:03 2019 +0200
+++ b/kallithea/lib/helpers.py Sun Jul 21 18:24:09 2019 +0200
@@ -35,7 +35,7 @@
 select, submit, text, password, textarea, radio, form as insecure_form
 from webhelpers.number import format_byte_size
 from webhelpers.pylonslib import Flash as _Flash
-from webhelpers.pylonslib.secure_form import secure_form, authentication_token
+from webhelpers.pylonslib.secure_form import secure_form, authentication_token, token_key
 from webhelpers.text import chop_at, truncate, wrap_paragraphs
 from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \
 convert_boolean_attrs, NotGiven, _make_safe_id_component