view libervia/web/pages/events/admin/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from the service profile (but not from other
profiles); this led to a session fixation vulnerability (an attacker on the same
machine could obtain the service profile's session cookie and reuse it once a victim logged in).
This patch fixes it by always starting a new session on connection.
fix 443
author | Goffi <goffi@goffi.org> |
---|---|
date | Fri, 23 Feb 2024 13:35:24 +0100 |
parents | eb00d593801d |
children |
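#!/usr/bin/env python3

"""Event administration page.

Renders an event (details, invitee list, attached blog) for the profile that
administrates it and handles the admin form: publishing a blog item or
sending invitations by JID or by e-mail.
"""

from libervia.web.server.constants import Const as C
from twisted.words.protocols.jabber import jid
from libervia.backend.tools.common.template import safe
from libervia.backend.tools.common import data_format
from libervia.backend.core.i18n import _, D_
from libervia.backend.core.log import getLogger
import time
import html
import math
import re

name = "event_admin"
label = D_("Event Administration")
# the page is only reachable with a logged-in profile
access = C.PAGES_ACCESS_PROFILE
template = "event/admin.html"
log = getLogger(__name__)
# compiled once at import time; used to validate every e-mail address posted
REG_EMAIL_RE = re.compile(C.REG_EMAIL_RE, re.IGNORECASE)

# seconds in a day, used to turn the remaining time into whole days
SECONDS_PER_DAY = 60 * 60 * 24


def parse_url(self, request):
    """Extract event_service, event_node and event_id from the URL path.

    Only the first two arguments are mandatory; event_service is parsed as a
    JID and event_id defaults to an empty string.
    """
    self.get_path_args(
        request,
        ("event_service", "event_node", "event_id"),
        min_args=2,
        event_service="@jid",
        event_id="",
    )


def _count_guests(invitees):
    """Sum the guests declared by attending invitees.

    Args:
        invitees: mapping of invitee -> invitee data, as returned by the
            ``event_invitees_list`` bridge call.

    Returns:
        Total number of guests; an invalid "guests" value is logged and
        ignored rather than aborting the page.
    """
    total = 0
    for invitee_data in invitees.values():
        # an invitee who does not attend brings no guests, whatever the field says
        if invitee_data.get("attend", "no") == "no":
            continue
        try:
            total += int(invitee_data.get("guests", 0))
        except (ValueError, TypeError):
            # TypeError covers a non-string/non-number value (e.g. None)
            log.warning(
                _("guests value is not valid: {invitee}").format(invitee=invitee_data)
            )
    return total


async def prepare_render(self, request):
    """Fill template data with the event, its invitees and its blog items.

    The blog part is delegated to the ``blog_view`` page, which reads
    ``service``/``node``/``allow_commenting`` from the request data.
    """
    data = self.get_r_data(request)
    template_data = request.template_data

    ## Event ##
    event_service = template_data["event_service"] = data["event_service"]
    event_node = template_data["event_node"] = data["event_node"]
    event_id = template_data["event_id"] = data["event_id"]
    profile = self.get_profile(request)

    event_timestamp, event_data = await self.host.bridge_call(
        "eventGet",
        event_service.userhost() if event_service else "",
        event_node,
        event_id,
        profile,
    )

    try:
        background_image = event_data.pop("background-image")
    except KeyError:
        pass
    else:
        # The value is interpolated into CSS inside a <style> element, so it is
        # marked "safe" for the template engine. html.escape(quote=True) turns
        # '"', '<', '>' and '&' into entities, which keeps the value inside the
        # url("...") string and prevents closing the <style> element.
        # NOTE(review): the value is not validated as a URL (scheme, absence of
        # control characters); confirm that event data is only writable by
        # parties trusted to set this field.
        template_data["dynamic_style"] = safe(
            """
            html {
                background-image: url("%s");
                background-size: 15em;
            }
            """
            % html.escape(background_image, quote=True)
        )

    template_data["event"] = event_data

    invitees = await self.host.bridge_call(
        "event_invitees_list",
        event_data["invitees_service"],
        event_data["invitees_node"],
        profile,
    )
    template_data["invitees"] = invitees
    template_data["invitees_guests"] = _count_guests(invitees)
    # math.ceil already returns an int; a past event yields a negative value
    template_data["days_left"] = math.ceil(
        (event_timestamp - time.time()) / SECONDS_PER_DAY
    )

    ## Blog ##
    data["service"] = jid.JID(event_data["blog_service"])
    data["node"] = event_data["blog_node"]
    data["allow_commenting"] = "simple"

    # we now need blog items, using blog common page
    # this will fill the "items" template data
    blog_page = self.get_page_by_name("blog_view")
    await blog_page.prepare_render(self, request)


async def _post_blog_item(self, request, profile):
    """Publish a blog item built from the posted form.

    ``service`` and ``node`` come from the form; authorisation is delegated
    to the backend, whose refusal is mapped to an HTTP 403 here.
    """
    service, node, title, body, lang = self.get_posted_data(
        request, ("service", "node", "title", "body", "language")
    )
    if not body.strip():
        self.page_error(request, C.HTTP_BAD_REQUEST)
        # page_error is expected to abort the request; never publish an empty body
        return

    item = {"content": body}
    if title:
        item["title"] = title
    if lang:
        item["language"] = lang

    # the "comments" checkbox is absent from the form when unchecked
    try:
        comments_field = self.get_posted_data(request, "comments")
    except KeyError:
        comments_field = ""
    if comments_field.strip():
        item["allow_comments"] = True

    try:
        await self.host.bridge_call(
            "mb_send", service, node, data_format.serialise(item), profile
        )
    except Exception as e:
        # the backend reports a permission refusal as an error message
        # containing "forbidden"; anything else is unexpected and propagated
        if "forbidden" in str(e):
            self.page_error(request, C.HTTP_FORBIDDEN)
        else:
            raise


async def _send_invitations(self, request, profile):
    """Invite every valid JID and e-mail address posted for the event.

    Invalid entries are logged and skipped so one bad value does not block
    the others.
    """
    service, node, event_id, jids, emails = self.get_posted_data(
        request, ("service", "node", "event_id", "jids", "emails")
    )

    for invitee_jid_s in jids.split():
        try:
            invitee_jid = jid.JID(invitee_jid_s)
        except (RuntimeError, jid.InvalidFormat):
            # jid.JID reports a malformed string with InvalidFormat; RuntimeError
            # is kept for compatibility with the previous handler
            log.warning(
                _("this is not a valid jid: {jid}").format(jid=invitee_jid_s)
            )
            continue
        await self.host.bridge_call(
            "event_invite", invitee_jid.userhost(), service, node, event_id, profile
        )

    for email_addr in emails.split():
        if not REG_EMAIL_RE.match(email_addr):
            log.warning(
                _("this is not a valid email address: {email}").format(
                    email=email_addr
                )
            )
            continue
        # the empty dict and the empty strings leave the optional invitation
        # parameters (extra e-mails, names, language, templates...) at their
        # backend defaults -- verify against the bridge signature if it changes
        await self.host.bridge_call(
            "event_invite_by_email",
            service,
            node,
            event_id,
            email_addr,
            {},
            "",
            "",
            "",
            "",
            "",
            "",
            profile,
        )


async def on_data_post(self, request):
    """Dispatch the admin form POST on its "type" field.

    "blog" publishes a blog item, "event" sends invitations; any other value
    is logged and ignored.
    """
    profile = self.get_profile(request)
    if not profile:
        log.error("got post data without profile")
        self.page_error(request, C.HTTP_INTERNAL_ERROR)
        # page_error is expected to abort the request; the return makes sure
        # nothing is ever done on behalf of an empty profile
        return

    type_ = self.get_posted_data(request, "type")
    if type_ == "blog":
        await _post_blog_item(self, request, profile)
    elif type_ == "event":
        await _send_invitations(self, request, profile)
    else:
        log.warning(_("Unhandled data type: {}").format(type_))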