Mercurial > libervia-web
view libervia/web/pages/forums/topics/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | eb00d593801d |
| children |
line wrap: on
line source
#!/usr/bin/env python3 from libervia.web.server.constants import Const as C from libervia.backend.core.i18n import _, D_ from libervia.backend.core.log import getLogger from libervia.backend.tools.common import uri as xmpp_uri from libervia.backend.tools.common import data_format from libervia.web.server import session_iface log = getLogger(__name__) name = "forum_topics" label = D_("Forum Topics") access = C.PAGES_ACCESS_PUBLIC template = "forum/view_topics.html" def parse_url(self, request): self.get_path_args(request, ["service", "node"], 2, service="jid") def add_breadcrumb(self, request, breadcrumbs): data = self.get_r_data(request) breadcrumbs.append({ "label": label, "url": self.get_url(data["service"].full(), data["node"]) }) async def prepare_render(self, request): profile = self.get_profile(request) or C.SERVICE_PROFILE data = self.get_r_data(request) service, node = data["service"], data["node"] request.template_data.update({"service": service, "node": node}) template_data = request.template_data page_max = data.get("page_max", 20) extra = self.get_pubsub_extra(request, page_max=page_max) topics, metadata = await self.host.bridge_call( "forum_topics_get", service.full(), node, extra, profile ) metadata = data_format.deserialise(metadata) self.set_pagination(request, metadata) identities = self.host.get_session_data( request, session_iface.IWebSession ).identities for topic in topics: parsed_uri = xmpp_uri.parse_xmpp_uri(topic["uri"]) author = topic["author"] topic["http_uri"] = self.get_page_by_name("forum_view").get_url( parsed_uri["path"], parsed_uri["node"] ) if author not in identities: id_raw = await self.host.bridge_call( "identity_get", author, [], True, profile ) identities[topic["author"]] = data_format.deserialise(id_raw) template_data["topics"] = topics template_data["url_topic_new"] = self.get_sub_page_url(request, "forum_topic_new") async def on_data_post(self, request): profile = self.get_profile(request) if profile is None: self.page_error(request, C.HTTP_FORBIDDEN) type_ = self.get_posted_data(request, "type") if type_ == "new_topic": service, node, title, body = self.get_posted_data( request, ("service", "node", "title", "body") ) if not title or not body: self.page_error(request, C.HTTP_BAD_REQUEST) topic_data = {"title": title, "content": body} try: await self.host.bridge_call( "forum_topic_create", service, node, topic_data, profile ) except Exception as e: if "forbidden" in str(e): self.page_error(request, 401) else: raise e else: log.warning(_("Unhandled data type: {}").format(type_))