annotate libervia/web/pages/files/page_meta.py @ 1598:86c7a3a625d5

server: always start a new session on connection: the session was kept when a user connected from the service profile (but not from other profiles), which led to a session fixation vulnerability (an attacker on the same machine could obtain the service profile's session cookie and reuse it once a victim logged in). This patch fixes it by always starting a new session on connection. fix 443
author Goffi <goffi@goffi.org>
date Fri, 23 Feb 2024 13:35:24 +0100
parents eb00d593801d
children
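#!/usr/bin/env python3
"""files handling pages"""

from libervia.web.server.constants import Const as C
from twisted.words.protocols.jabber import jid
from libervia.backend.core.log import getLogger

log = getLogger(__name__)

# Page declaration. These module attributes are read by the Libervia web
# server when it loads this `page_meta.py`: presumably `name` registers the
# page (it is also what `get_page_by_name` looks up), `access` gates who may
# view it and `template` names the template rendered for it — verify against
# the page loader before relying on more than that.
name = "files"
access = C.PAGES_ACCESS_PROFILE
template = "file/discover.html"

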
async def prepare_render(self, request):
    """Fill the template data for the file-sharing discovery page.

    Asks the backend (``disco_find_by_features`` over the bridge) for the
    entities advertising the namespace registered under ``"fis"`` in
    ``self.host.ns_map`` and exposes them to the template, grouped the way
    the backend returns them.

    Args:
        request: the current web request; ``request.template_data`` is
            updated in place.

    Template data written (in this order):
        ``disco_service_entities``, ``disco_own_entities``,
        ``disco_roster_entities``: ``{JID: {category: {type: [name, ...]}}}``,
        one entry per entity returned for that group.
        ``entities_url``: ``{JID: url}`` where ``url`` is the "files_list"
        page URL built from the entity's full JID.

    Note:
        ``jid.JID(entity_str)`` is applied to strings coming back from the
        backend; a malformed entry would raise and abort the render — the
        backend is presumably trusted to hand back valid JIDs (not checked
        here).
    """
    profile = self.get_profile(request)
    template_data = request.template_data
    # "fis" is resolved by the backend's namespace map; presumably the file
    # information sharing namespace — verify in the backend if it matters.
    fis_ns = self.host.ns_map["fis"]
    # NOTE(review): the positional flags follow the backend signature of
    # disco_find_by_features (presumably bare_jid, service, roster, own_jid,
    # local_device) — verify against the backend before changing them.
    service_entities, own_entities, roster_entities = await self.host.bridge_call(
        "disco_find_by_features", [fis_ns], [], False, True, True, True, False, profile
    )

    groups = (
        ("disco_service_entities", service_entities),
        ("disco_own_entities", own_entities),
        ("disco_roster_entities", roster_entities),
    )
    # Create every group mapping up front so the template always sees all
    # three keys (and `entities_url`), even when a group came back empty.
    for key, _found in groups:
        template_data[key] = {}
    urls = template_data["entities_url"] = {}

    for key, found in groups:
        by_entity = template_data[key]
        for entity_str, identity_triples in found.items():
            entity = jid.JID(entity_str)
            # identities are indexed by category, then type, so the template
            # can test the category directly
            grouped = by_entity[entity] = {}
            for category, type_, identity_name in identity_triples:
                by_type = grouped.get(category)
                if by_type is None:
                    by_type = grouped[category] = {}
                names = by_type.get(type_)
                if names is None:
                    names = by_type[type_] = []
                names.append(identity_name)
            urls[entity] = self.get_page_by_name("files_list").get_url(entity.full())


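def on_data_post(self, request):
    """Handle the discovery form: redirect to the file listing of the posted JID.

    Reads the ``jid`` field of the POST body, checks that it parses as a
    JID and redirects the browser to the "files_list" page for that entity.

    Args:
        request: the current web request; the form field is read through
            ``self.get_posted_data``.

    Notes:
        - CSRF validation is not done here; the framework's POST dispatcher
          is assumed to check the token before calling this hook — confirm.
        - The JID becomes a path component of the redirect URL; this relies
          on ``get_url`` percent-encoding its arguments.
        - ``self.page_error`` and ``self.http_redirect`` are framework
          helpers that are expected to end the request themselves (they
          presumably raise); the explicit ``return`` below only guards
          against that assumption.
    """
    jid_str = self.get_posted_data(request, "jid")
    try:
        entity = jid.JID(jid_str)
    except (RuntimeError, jid.InvalidFormat, ValueError):
        # jid.JID raises RuntimeError only for an empty value; a structurally
        # invalid string raises jid.InvalidFormat and characters rejected by
        # stringprep raise UnicodeError (a ValueError). All three come from
        # client input, so answer 400 instead of letting them surface as 500s.
        self.page_error(request, C.HTTP_BAD_REQUEST)
        return
    url = self.get_page_by_name("files_list").get_url(entity.full())
    self.http_redirect(request, url)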