Mercurial > libervia-web
annotate libervia/web/server/pages_tools.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | eb00d593801d |
| children |
| rev | line source |
|---|---|
| 1239 | 1 #!/usr/bin/env python3 |
| 2 | |
|
1447
907f519faaf0
pages: pubsub's `extra` is now serialised, following backend change
Goffi <goffi@goffi.org>
parents:
1396
diff
changeset
|
3 # Libervia Web frontend |
| 1396 | 4 # Copyright (C) 2011-2021 Jérôme Poisson <goffi@goffi.org> |
| 1068 | 5 |
| 6 # This program is free software: you can redistribute it and/or modify | |
| 7 # it under the terms of the GNU Affero General Public License as published by | |
| 8 # the Free Software Foundation, either version 3 of the License, or | |
| 9 # (at your option) any later version. | |
| 10 | |
| 11 # This program is distributed in the hope that it will be useful, | |
| 12 # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 14 # GNU Affero General Public License for more details. | |
| 15 | |
| 16 # You should have received a copy of the GNU Affero General Public License | |
| 17 # along with this program. If not, see <http://www.gnu.org/licenses/>. | |
| 18 | |
| 19 """Helper methods for common operations on pages""" | |
| 20 | |
|
1302
04e7dd6b6f4d
pages (blog, tickets, merge-requests): updated code to handle new serialisation, following backend changes
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
21 from twisted.internet import defer |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
22 from libervia.backend.core.i18n import _ |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
23 from libervia.backend.core.log import getLogger |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
24 from libervia.backend.tools.common import data_format |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
25 from libervia.web.server.constants import Const as C |
|
1302
04e7dd6b6f4d
pages (blog, tickets, merge-requests): updated code to handle new serialisation, following backend changes
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
26 |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1068
diff
changeset
|
27 |
| 1068 | 28 log = getLogger(__name__) |
| 29 | |
| 30 | |
|
1302
04e7dd6b6f4d
pages (blog, tickets, merge-requests): updated code to handle new serialisation, following backend changes
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
31 def deserialise(comments_data_s): |
|
04e7dd6b6f4d
pages (blog, tickets, merge-requests): updated code to handle new serialisation, following backend changes
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
32 return data_format.deserialise(comments_data_s) |
| 1068 | 33 |
| 34 | |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1447
diff
changeset
|
35 def retrieve_comments(self, service, node, profile, pass_exceptions=True): |
| 1068 | 36 """Retrieve comments from server and convert them to data objects |
| 37 | |
| 38 @param service(unicode): service holding the comments | |
| 39 @param node(unicode): node to retrieve | |
| 40 @param profile(unicode): profile of the user willing to find comments | |
| 41 @param pass_exceptions(bool): if True bridge exceptions will be ignored but logged | |
| 42 else exception will be raised | |
| 43 """ | |
| 44 try: | |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1447
diff
changeset
|
45 d = self.host.bridge_call( |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1447
diff
changeset
|
46 "mb_get", service, node, C.NO_LIMIT, [], data_format.serialise({}), profile |
|
1447
907f519faaf0
pages: pubsub's `extra` is now serialised, following backend change
Goffi <goffi@goffi.org>
parents:
1396
diff
changeset
|
47 ) |
| 1068 | 48 except Exception as e: |
| 49 if not pass_exceptions: | |
| 50 raise e | |
| 51 else: | |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1068
diff
changeset
|
52 log.warning( |
| 1216 | 53 _("Can't get comments at {node} (service: {service}): {msg}").format( |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1068
diff
changeset
|
54 service=service, node=node, msg=e |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1068
diff
changeset
|
55 ) |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1068
diff
changeset
|
56 ) |
| 1068 | 57 return defer.succeed([]) |
| 58 | |
|
1302
04e7dd6b6f4d
pages (blog, tickets, merge-requests): updated code to handle new serialisation, following backend changes
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
59 d.addCallback(deserialise) |
| 1068 | 60 return d |