Mercurial > libervia-web
annotate libervia/web/pages/_browser/jid.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | 7006b55001a4 |
| children |
| rev | line source |
|---|---|
| 1530 | 1 #!/usr/bin/env python3 |
| 2 | |
| 3 # Libervia XMPP | |
| 4 # Copyright (C) 2009-2023 Jérôme Poisson (goffi@goffi.org) | |
| 5 | |
| 6 # This program is free software: you can redistribute it and/or modify | |
| 7 # it under the terms of the GNU Affero General Public License as published by | |
| 8 # the Free Software Foundation, either version 3 of the License, or | |
| 9 # (at your option) any later version. | |
| 10 | |
| 11 # This program is distributed in the hope that it will be useful, | |
| 12 # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 14 # GNU Affero General Public License for more details. | |
| 15 | |
| 16 # You should have received a copy of the GNU Affero General Public License | |
| 17 # along with this program. If not, see <http://www.gnu.org/licenses/>. | |
| 18 | |
| 19 # XXX: this is the same `jid` class as in `libervia.frontends.tools`, but typing hints | |
| 20 # have been removed as they are a bit slow to load with Brython, and this class is used | |
| 21 # a lot. | |
| 22 | |
| 23 | |
| 24 class JID(str): | |
| 25 """This class helps manage JID (<local>@<domain>/<resource>)""" | |
| 26 | |
| 27 def __new__(cls, jid_str: str) -> "JID": | |
| 28 return str.__new__(cls, cls._normalize(jid_str)) | |
| 29 | |
| 30 def __init__(self, jid_str: str): | |
| 31 self._node, self._domain, self._resource = self._parse() | |
| 32 | |
| 33 @staticmethod | |
| 34 def _normalize(jid_str: str) -> str: | |
| 35 """Naive normalization before instantiating and parsing the JID""" | |
| 36 if not jid_str: | |
| 37 return jid_str | |
| 38 tokens = jid_str.split("/") | |
| 39 tokens[0] = tokens[0].lower() # force node and domain to lower-case | |
| 40 return "/".join(tokens) | |
| 41 | |
| 42 def _parse(self): | |
| 43 """Find node, domain, and resource from JID""" | |
| 44 node_end = self.find("@") | |
| 45 if node_end < 0: | |
| 46 node_end = 0 | |
| 47 domain_end = self.find("/") | |
| 48 if domain_end == 0: | |
| 49 raise ValueError("a jid can't start with '/'") | |
| 50 if domain_end == -1: | |
| 51 domain_end = len(self) | |
| 52 node = self[:node_end] or None | |
| 53 domain = self[(node_end + 1) if node_end else 0 : domain_end] | |
| 54 resource = self[domain_end + 1 :] or None | |
| 55 return node, domain, resource | |
| 56 | |
| 57 @property | |
| 58 def node(self): | |
| 59 return self._node | |
| 60 | |
| 61 @property | |
| 62 def local(self): | |
| 63 return self._node | |
| 64 | |
| 65 @property | |
| 66 def domain(self) -> str: | |
| 67 return self._domain | |
| 68 | |
| 69 @property | |
| 70 def resource(self): | |
| 71 return self._resource | |
| 72 | |
| 73 @property | |
| 74 def bare(self) -> "JID": | |
| 75 if not self.node: | |
| 76 return JID(self.domain) | |
| 77 return JID(f"{self.node}@{self.domain}") | |
| 78 | |
| 79 def change_resource(self, resource: str) -> "JID": | |
| 80 """Build a new JID with the same node and domain but a different resource. | |
| 81 | |
| 82 @param resource: The new resource for the JID. | |
| 83 @return: A new JID instance with the updated resource. | |
| 84 """ | |
| 85 return JID(f"{self.bare}/{resource}") | |
| 86 | |
| 87 def is_valid(self) -> bool: | |
| 88 """ | |
| 89 @return: True if the JID is XMPP compliant | |
| 90 """ | |
| 91 # Simple check for domain part | |
|
1572
7006b55001a4
broweser (jid): add a simple check for JID validation.
Goffi <goffi@goffi.org>
parents:
1530
diff
changeset
|
92 if ( |
|
7006b55001a4
broweser (jid): add a simple check for JID validation.
Goffi <goffi@goffi.org>
parents:
1530
diff
changeset
|
93 not self.domain |
|
7006b55001a4
broweser (jid): add a simple check for JID validation.
Goffi <goffi@goffi.org>
parents:
1530
diff
changeset
|
94 or self.domain.startswith(".") |
|
7006b55001a4
broweser (jid): add a simple check for JID validation.
Goffi <goffi@goffi.org>
parents:
1530
diff
changeset
|
95 or self.domain.endswith(".") |
|
7006b55001a4
broweser (jid): add a simple check for JID validation.
Goffi <goffi@goffi.org>
parents:
1530
diff
changeset
|
96 or "." not in self.domain |
|
7006b55001a4
broweser (jid): add a simple check for JID validation.
Goffi <goffi@goffi.org>
parents:
1530
diff
changeset
|
97 ): |
| 1530 | 98 return False |
| 99 if ".." in self.domain: | |
| 100 return False | |
| 101 return True | |
| 102 | |
| 103 | |
| 104 def new_resource(entity: JID, resource: str) -> JID: | |
| 105 """Build a new JID from the given entity and resource. | |
| 106 | |
| 107 @param entity: original JID | |
| 108 @param resource: new resource | |
| 109 @return: a new JID instance | |
| 110 """ | |
| 111 return entity.change_resource(resource) |