Mercurial > libervia-web
annotate libervia/web/pages/files/view/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | eb00d593801d |
| children | ebd538cb26cb |
| rev | line source |
|---|---|
| 1216 | 1 #!/usr/bin/env python3 |
| 1239 | 2 |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
3 |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
4 from libervia.web.server.constants import Const as C |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
5 from libervia.backend.core.i18n import _ |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
6 from twisted.web import static |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
7 from libervia.web.server.utils import ProgressHandler |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 import tempfile |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 import os |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 import os.path |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
11 from libervia.backend.core.log import getLogger |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1069
diff
changeset
|
12 |
|
1145
29eb15062416
pages: set __name__ for imported pages
Goffi <goffi@goffi.org>
parents:
1124
diff
changeset
|
13 log = getLogger(__name__) |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 """files handling pages""" |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 |
| 1216 | 16 name = "files_view" |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 access = C.PAGES_ACCESS_PROFILE |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1069
diff
changeset
|
19 |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
20 def parse_url(self, request): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1421
diff
changeset
|
21 self.get_path_args(request, ["service", "*path"], min_args=2, service="jid", path="") |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1069
diff
changeset
|
22 |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
23 |
|
1238
f55056bb67d4
replaced former use of "dummy" by "__"
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
24 def cleanup(__, tmp_dir, dest_path): |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
25 try: |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
26 os.unlink(dest_path) |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
27 except OSError: |
| 1216 | 28 log.warning(_("Can't remove temporary file {path}").format(path=dest_path)) |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
29 try: |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 os.rmdir(tmp_dir) |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
31 except OSError: |
| 1216 | 32 log.warning(_("Can't remove temporary directory {path}").format(path=tmp_dir)) |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
33 |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
34 |
|
1421
e065c8886b81
pages (files/list): set empty affiliations when they can't be retrieved
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
35 async def render(self, request): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1421
diff
changeset
|
36 data = self.get_r_data(request) |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1421
diff
changeset
|
37 profile = self.get_profile(request) |
| 1216 | 38 service, path_elts = data["service"], data["path"] |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
39 basename = path_elts[-1] |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
40 dir_elts = path_elts[:-1] |
| 1216 | 41 dir_path = "/".join(dir_elts) |
|
1064
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
42 tmp_dir = tempfile.mkdtemp() |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
43 dest_path = os.path.join(tmp_dir, basename) |
|
abc5d545dbaa
pages (files): files sharing first draft:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
44 request.notifyFinish().addCallback(cleanup, tmp_dir, dest_path) |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1421
diff
changeset
|
45 progress_id = await self.host.bridge_call( |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1421
diff
changeset
|
46 "file_jingle_request", |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1069
diff
changeset
|
47 service.full(), |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1069
diff
changeset
|
48 dest_path, |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1069
diff
changeset
|
49 basename, |
| 1216 | 50 "", |
| 51 "", | |
| 52 {"path": dir_path}, | |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1069
diff
changeset
|
53 profile, |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1069
diff
changeset
|
54 ) |
| 1216 | 55 log.debug("file requested") |
|
1421
e065c8886b81
pages (files/list): set empty affiliations when they can't be retrieved
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
56 await ProgressHandler(self.host, progress_id, profile).register() |
| 1216 | 57 log.debug("file downloaded") |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1421
diff
changeset
|
58 self.delegate_to_resource(request, static.File(dest_path)) |