annotate MoinMoin/action/login.py @ 5685:37306fba2189

Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
author Eugene Syromyatnikov <evgsyr@gmail.com>
date Fri, 04 Jun 2010 00:13:24 +0400
parents 2a3a6cb34e45
children 4238b0c90871 f8871116c6b3
Changesets that contribute lines to this revision, as listed by the annotation (each shown once):

483   a594780d5e64  Login macro, login/logout/UserPreferences actions
      Thomas Waldmann <tw@waldmann-edv.de>
616   3b08d9413589  move send_title/footer from wikiutil to theme.__init__
      Thomas Waldmann <tw AT waldmann-edv DOT de>, parents: 483
617   cf420addd95c  removed MoinMoinNoFooter at many places, added call to theme.send_closing_html() where needed
      Thomas Waldmann <tw AT waldmann-edv DOT de>, parents: 616
949   cbbde07e00c4  whitespace-only cleanup, small style changes
      Thomas Waldmann <tw AT waldmann-edv DOT de>, parents: 866
1068  ecece5db5288  use emit_http_headers
      Thomas Waldmann <tw AT waldmann-edv DOT de>, parents: 949
1918  bb2e053067fb  fixing copyright headers: remove umlauts (encoding troubles), make epydoc compatible, reformat
      Thomas Waldmann <tw AT waldmann-edv DOT de>, parents: 1890
2009  1b14cc05a54a  refactor authentication and split out session handling
      Johannes Berg <johannes AT sipsolutions DOT net>, parents: 1920
2966  ba14d391c2ba  Refactor all modules to use the new add_msg interface in 1.7 (done by Frederico Lorenzi). Should not be backported to 1.6 but
      Alexander Schremmer <alex AT alexanderweb DOT de>, parents: 2009
3175  2a3a6cb34e45  pylint findings: fix some harmless stuff
      Thomas Waldmann <tw AT waldmann-edv DOT de>, parents: 2966
5685  37306fba2189  Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
      Eugene Syromyatnikov <evgsyr@gmail.com>, parents: 3175

Source of MoinMoin/action/login.py at this revision (the line changed by 37306fba2189 is marked; the annotated revision calls wikiutil.escape() without importing wikiutil, so the import is added here so the module loads):

```python
# -*- coding: iso-8859-1 -*-
"""
    MoinMoin - login action

    The real login is done in MoinMoin.request.
    Here is only some user notification in case something went wrong.

    @copyright: 2005-2006 Radomirs Cirskis <nad2000@gmail.com>,
                2006 MoinMoin:ThomasWaldmann
    @license: GNU GPL, see COPYING for details.
"""

from MoinMoin import userform
from MoinMoin import wikiutil  # not imported in the annotated revision; required by wikiutil.escape() below
from MoinMoin.Page import Page
from MoinMoin.widget import html

def execute(pagename, request):
    return LoginHandler(pagename, request).handle()

class LoginHandler:
    def __init__(self, pagename, request):
        self.request = request
        self._ = request.getText
        self.cfg = request.cfg
        self.pagename = pagename
        self.page = Page(request, pagename)

    def handle_multistage(self):
        """Handle a multistage request.

        If the auth handler wants a multistage request, we
        now set up the login form for that.
        """
        _ = self._
        request = self.request
        form = html.FORM(method='POST', name='logincontinue')
        form.append(html.INPUT(type='hidden', name='login', value='login'))
        form.append(html.INPUT(type='hidden', name='stage',
                               value=request._login_multistage_name))

        request.emit_http_headers()
        request.theme.send_title(_("Login"), pagename=self.pagename)
        # Start content (important for RTL support)
        request.write(request.formatter.startContent("content"))

        extra = request._login_multistage(request, form)
        request.write(unicode(form))
        if extra:
            request.write(extra)

        request.write(request.formatter.endContent())
        request.theme.send_footer(self.pagename)
        request.theme.send_closing_html()

    def handle(self):
        _ = self._
        request = self.request
        form = request.form

        error = None

        islogin = form.get('login', [''])[0]

        if islogin: # user pressed login button
            if request._login_multistage:
                return self.handle_multistage()
            error = []
            if hasattr(request, '_login_messages'):
                for msg in request._login_messages:
                    error.append('<p>')
                    # rev 5685 (37306fba2189): the message text comes from the auth
                    # backend and may echo user-supplied input; it is joined with raw
                    # HTML and handed to theme.add_msg(), so it must be escaped here.
                    error.append(wikiutil.escape(msg))
            error = ''.join(error)
            request.theme.add_msg(error, "error")
            return self.page.send_page()

        else: # show login form
            request.emit_http_headers()
            request.theme.send_title(_("Login"), pagename=self.pagename)
            # Start content (important for RTL support)
            request.write(request.formatter.startContent("content"))

            request.write(userform.getLogin(request))

            request.write(request.formatter.endContent())
            request.theme.send_footer(self.pagename)
            request.theme.send_closing_html()
```
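The effect of the 37306fba2189 change on the error block that handle() builds, as an added example that is not MoinMoin's own code: it reproduces the '<p>' + message join before and after the fix, using Python's html.escape as a stand-in for MoinMoin.wikiutil.escape, and checks the result with a small markup detector. The message list is constructed for the example.

```python
import html
import re

def render_login_errors_unescaped(messages):
    """Pre-fix assembly: auth-backend messages are pasted into the HTML verbatim."""
    parts = []
    for msg in messages:
        parts.append('<p>')
        parts.append(msg)
    return ''.join(parts)

def render_login_errors_escaped(messages):
    """Post-fix assembly: each message is HTML-escaped before joining.
    html.escape(quote=True) stands in for wikiutil.escape here."""
    parts = []
    for msg in messages:
        parts.append('<p>')
        parts.append(html.escape(msg, quote=True))
    return ''.join(parts)

# Any tag other than the <p> the handler itself emits counts as foreign markup.
TAG_RE = re.compile(r'<(?!/?p\b)[^>]*>')

def contains_foreign_markup(rendered):
    """True if the rendered fragment carries a tag the handler did not intend."""
    return TAG_RE.search(rendered) is not None

# Constructed sample: a normal failure notice plus a message that echoes a
# username-like value containing markup, as an auth backend might.
SAMPLE_MESSAGES = [
    'Invalid username or password.',
    'Unknown user "<b>bob</b>"',
]

if __name__ == '__main__':
    print(render_login_errors_unescaped(SAMPLE_MESSAGES))
    print(render_login_errors_escaped(SAMPLE_MESSAGES))
```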