Mercurial > libervia-web
changeset 819:9b9c0fe0a75f
server: fixed bad login check introduced in rev 6a2fd7807770
author | Goffi <goffi@goffi.org> |
---|---|
date | Sun, 03 Jan 2016 16:24:37 +0100 |
parents | f8a7a046ff9c |
children | 4d87bc322a6c |
files | src/server/server.py |
diffstat | 1 files changed, 24 insertions(+), 20 deletions(-) [+] |
line wrap: on
line diff
--- a/src/server/server.py Sun Jan 03 16:24:27 2016 +0100 +++ b/src/server/server.py Sun Jan 03 16:24:37 2016 +0100 @@ -808,28 +808,32 @@ request.finish() return + assert login + if login.startswith('@'): # this is checked by javascript but also here for security reason + # FIXME: return an error instead of an Exception? raise Exception('No profile_key allowed') + if '@' in login: + try: + login_jid = jid.JID(login) + except (RuntimeError, jid.InvalidFormat, AttributeError): + request.write(C.PROFILE_AUTH_ERROR) + request.finish() + return + + if login_jid.host == new_account_domain: + # redirect "user@libervia.org" to the "user" profile + login = login_jid.user + login_jid = None + else: + login_jid = None + try: - login_jid = jid.JID(login) - except (RuntimeError, jid.InvalidFormat, AttributeError): - request.write(C.PROFILE_AUTH_ERROR) - request.finish() - return - - # XXX: if there's no arobase in the JID, its host part is filled and the SàT profile name - # is there ; we need to look in the JID's user part to know if there's an arobase or not. - - if login_jid.user and login_jid.host == new_account_domain: - # redirect "user@libervia.org" to the "user" profile - login_jid = jid.JID(login_jid.user) - - try: - profile = self.sat_host.bridge.getProfileName(login_jid.full()) + profile = self.sat_host.bridge.getProfileName(login) except Exception: # XXX: ProfileUnknownError wouldn't work, it's encapsulated - if login_jid.user: # try to create a new sat profile using the XMPP credentials - profile = login_jid.full() + if login_jid is not None and login_jid.user: # try to create a new sat profile using the XMPP credentials + profile = login # FIXME: what if there is a resource? connect_method = "asyncConnectWithXMPPCredentials" register_with_ext_jid = True else: # non existing username @@ -837,7 +841,7 @@ request.finish() return else: - if profile != login_jid.full() or (not password and profile not in self.sat_host.options['empty_password_allowed_warning_dangerous_list']): + if profile != login or (not password and profile not in self.sat_host.options['empty_password_allowed_warning_dangerous_list']): # profiles with empty passwords are restricted to local frontends request.write(C.PROFILE_AUTH_ERROR) request.finish() @@ -976,7 +980,7 @@ profile = ISATSession(_session).profile if bool(profile): return (True, None) - return (False, self.__getSecurityWarning()) + return (False, self._getSecurityWarning()) def jsonrpc_registerParams(self): """Register the frontend specific parameters""" @@ -988,7 +992,7 @@ # XXX: we put this method in Register because we get menus before being logged return self.sat_host.bridge.getMenus('', C.SECURITY_LIMIT) - def __getSecurityWarning(self): + def _getSecurityWarning(self): """@return: a security warning message, or None if the connection is secure""" if self.request.URLPath().scheme == 'https' or not self.sat_host.options['security_warning']: return None