Mercurial > libervia-web
annotate libervia/web/pages/u/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | eb00d593801d |
| children |
| rev | line source |
|---|---|
| 1216 | 1 #!/usr/bin/env python3 |
| 1239 | 2 |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
3 |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
4 from libervia.web.server.constants import Const as C |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
5 from twisted.internet import defer |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
6 from twisted.words.protocols.jabber import jid |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
7 |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 """page used to target a user profile, e.g. for public blog""" |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 |
| 1216 | 10 name = "user" |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 access = C.PAGES_ACCESS_PUBLIC # can be a callable |
| 1216 | 12 template = "blog/articles.html" |
|
1020
1c9b6d2c30b5
pages (u): activated URL caching, avoiding bridge calls on each request.
Goffi <goffi@goffi.org>
parents:
929
diff
changeset
|
13 url_cache = True |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 @defer.inlineCallbacks |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 def parse_url(self, request): |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 try: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
19 prof_requested = self.next_path(request) |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
20 except IndexError: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
21 self.page_error(request) |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
22 |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
23 data = self.get_r_data(request) |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
24 |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
25 target_profile = yield self.host.bridge_call("profile_name_get", prof_requested) |
| 1216 | 26 request.template_data["target_profile"] = target_profile |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
27 target_jid = yield self.host.bridge_call( |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
28 "param_get_a_async", "JabberID", "Connection", "value", profile_key=target_profile |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1098
diff
changeset
|
29 ) |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 target_jid = jid.JID(target_jid) |
| 1216 | 31 data["service"] = target_jid |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
32 |
|
1171
469d0de8da0e
pages (blog, u): added atom feed link in "links" template data.
Goffi <goffi@goffi.org>
parents:
1159
diff
changeset
|
33 # if URL is parsed here, we'll have atom.xml available and we need to |
|
469d0de8da0e
pages (blog, u): added atom feed link in "links" template data.
Goffi <goffi@goffi.org>
parents:
1159
diff
changeset
|
34 # add the link to the page |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
35 atom_url = self.get_sub_page_url(request, 'user_blog_feed_atom') |
| 1216 | 36 request.template_data['atom_url'] = atom_url |
| 37 request.template_data.setdefault('links', []).append({ | |
| 38 "href": atom_url, | |
| 39 "type": "application/atom+xml", | |
| 40 "rel": "alternate", | |
| 41 "title": "{target_profile}'s blog".format(target_profile=target_profile)}) | |
|
1171
469d0de8da0e
pages (blog, u): added atom feed link in "links" template data.
Goffi <goffi@goffi.org>
parents:
1159
diff
changeset
|
42 |
|
1419
6fc41f000d24
pages (blog/view, u, files/list): custom breadcrumbs:
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
43 def add_breadcrumb(self, request, breadcrumbs): |
|
6fc41f000d24
pages (blog/view, u, files/list): custom breadcrumbs:
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
44 # we don't want a breadcrumb here |
|
6fc41f000d24
pages (blog/view, u, files/list): custom breadcrumbs:
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
45 pass |
|
6fc41f000d24
pages (blog/view, u, files/list): custom breadcrumbs:
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
46 |
|
929
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
47 |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
48 @defer.inlineCallbacks |
|
2345577da5ca
pages (u): added u page for user public pages, for now it display blog items
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
49 def prepare_render(self, request): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
50 data = self.get_r_data(request) |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
51 self.check_cache( |
| 1216 | 52 request, C.CACHE_PUBSUB, service=data["service"], node=None, short="microblog" |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1098
diff
changeset
|
53 ) |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
54 self.page_redirect("blog_view", request) |
| 1159 | 55 |
| 56 def on_data_post(self, request): | |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1419
diff
changeset
|
57 return self.get_page_by_name("blog_view").on_data_post(self, request) |