Mercurial > libervia-web
annotate libervia/web/server/utils.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | eb00d593801d |
| children |
| rev | line source |
|---|---|
| 1239 | 1 #!/usr/bin/env python3 |
| 2 | |
|
984
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
3 |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
4 # Libervia: a Salut à Toi frontend |
| 1396 | 5 # Copyright (C) 2011-2021 Jérôme Poisson <goffi@goffi.org> |
|
984
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
6 |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
7 # This program is free software: you can redistribute it and/or modify |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 # it under the terms of the GNU Affero General Public License as published by |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 # the Free Software Foundation, either version 3 of the License, or |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 # (at your option) any later version. |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
12 # This program is distributed in the hope that it will be useful, |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 # GNU Affero General Public License for more details. |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 # You should have received a copy of the GNU Affero General Public License |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
19 from libervia.backend.core.i18n import _ |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
20 from twisted.internet import reactor |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
21 from twisted.internet import defer |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
22 from libervia.backend.core import exceptions |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
23 from libervia.backend.core.log import getLogger |
| 1216 | 24 import urllib.request, urllib.parse, urllib.error |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
25 |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
26 log = getLogger(__name__) |
|
984
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
27 |
|
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
28 |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
29 def quote(value, safe="@"): |
|
984
f0fc28b3bd1e
server: moved LiberviaPage code in its own module
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 """shortcut to quote an unicode value for URL""" |
|
1224
62bf4f87c249
server: some encoding fixes following python 3 port
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
31 return urllib.parse.quote(value, safe=safe) |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
32 |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
33 |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
34 class ProgressHandler(object): |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
35 """class to help the management of progressions""" |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
36 |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
37 handlers = {} |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
38 |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
39 def __init__(self, host, progress_id, profile): |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
40 self.host = host |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
41 self.progress_id = progress_id |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
42 self.profile = profile |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
43 |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
44 @classmethod |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
45 def _signal(cls, name, progress_id, data, profile): |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
46 handlers = cls.handlers |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
47 if profile in handlers and progress_id in handlers[profile]: |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
48 handler_data = handlers[profile][progress_id] |
| 1216 | 49 timeout = handler_data["timeout"] |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
50 if timeout.active(): |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
51 timeout.cancel() |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
52 cb = handler_data[name] |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
53 if cb is not None: |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
54 cb(data) |
| 1216 | 55 if name == "started": |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
56 pass |
| 1216 | 57 elif name == "finished": |
| 58 handler_data["deferred"].callback(data) | |
| 59 handler_data["instance"].unregister_handler() | |
| 60 elif name == "error": | |
| 61 handler_data["deferred"].errback(Exception(data)) | |
| 62 handler_data["instance"].unregister_handler() | |
|
1067
808ec98de8b3
pages (files/list): retrieve thumbnail:
Goffi <goffi@goffi.org>
parents:
1063
diff
changeset
|
63 else: |
| 1216 | 64 log.error("unexpected signal: {name}".format(name=name)) |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
65 |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
66 def _timeout(self): |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
67 log.warning( |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
68 _( |
| 1216 | 69 "No progress received, cancelling handler: {progress_id} [{profile}]" |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
70 ).format(progress_id=self.progress_id, profile=self.profile) |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
71 ) |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
72 |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
73 def unregister_handler(self): |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
74 """remove a previously registered handler""" |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
75 try: |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
76 del self.handlers[self.profile][self.progress_id] |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
77 except KeyError: |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
78 log.warning( |
| 1216 | 79 _("Trying to remove unknown handler: {progress_id} [{profile}]").format( |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
80 progress_id=self.progress_id, profile=self.profile |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
81 ) |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
82 ) |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
83 else: |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
84 if not self.handlers[self.profile]: |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
85 self.handlers[self.profile] |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
86 |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
87 def register(self, started_cb=None, finished_cb=None, error_cb=None, timeout=30): |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
88 """register the signals to handle progression |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
89 |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1396
diff
changeset
|
90 @param started_cb(callable, None): method to call when progress_started signal is received |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1396
diff
changeset
|
91 @param finished_cb(callable, None): method to call when progress_finished signal is received |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1396
diff
changeset
|
92 @param error_cb(callable, None): method to call when progress_error signal is received |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
93 @param timeout(int): progress time out |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
94 if nothing happen in this progression during this delay, |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
95 an exception is raised |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
96 @return (D(dict[unicode,unicode])): a deferred called when progression is finished |
|
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
97 """ |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
98 handler_data = self.handlers.setdefault(self.profile, {}).setdefault( |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
99 self.progress_id, {} |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
100 ) |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
101 if handler_data: |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
102 raise exceptions.ConflictError( |
| 1216 | 103 "There is already one handler for this progression" |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1092
diff
changeset
|
104 ) |
| 1216 | 105 handler_data["instance"] = self |
| 106 deferred = handler_data["deferred"] = defer.Deferred() | |
| 107 handler_data["started"] = started_cb | |
| 108 handler_data["finished"] = finished_cb | |
| 109 handler_data["error"] = error_cb | |
| 110 handler_data["timeout"] = reactor.callLater(timeout, self._timeout) | |
|
1063
4b69f69c6ffd
server: new ProgressHandler helper class, to handle progressing actions
Goffi <goffi@goffi.org>
parents:
1054
diff
changeset
|
111 return deferred |
|
1092
63ed5f6bd4eb
pages: new "getURLByPath" method in LiberviaPage, which is similar to getURLByNames, but which a more readable way to request a path with named pages.
Goffi <goffi@goffi.org>
parents:
1067
diff
changeset
|
112 |
|
63ed5f6bd4eb
pages: new "getURLByPath" method in LiberviaPage, which is similar to getURLByNames, but which a more readable way to request a path with named pages.
Goffi <goffi@goffi.org>
parents:
1067
diff
changeset
|
113 |
| 1216 | 114 class SubPage(str): |
|
1092
63ed5f6bd4eb
pages: new "getURLByPath" method in LiberviaPage, which is similar to getURLByNames, but which a more readable way to request a path with named pages.
Goffi <goffi@goffi.org>
parents:
1067
diff
changeset
|
115 """use to mark subpages when generating a page path""" |