[Pypi-checkins] r966 - trunk/pypi

richard python-checkins at python.org
Wed Aug 24 01:29:28 CEST 2011


Author: richard
Date: Wed Aug 24 01:29:28 2011
New Revision: 966

Modified:
   trunk/pypi/webui.py
Log:
fix a bunch of CSRF things:
1. handle the token not existing in the form submission at all (the most likely attack case)
2. assert the check in a few more places that were missed
3. explicitly note in a few places that it is not being checked because of command-line tools


Modified: trunk/pypi/webui.py
==============================================================================
--- trunk/pypi/webui.py	(original)
+++ trunk/pypi/webui.py	Wed Aug 24 01:29:28 2011
@@ -1008,6 +1008,8 @@
                 self.store.has_role('Owner', package_name)):
             raise Unauthorised
 
+        self.csrf_check()
+
         # further vali:dation
         if role_name not in ('Owner', 'Maintainer'):
             raise FormError, 'role_name not Owner or Maintainer'
@@ -1656,6 +1658,13 @@
             title='Submitting package information',
             fields=content.getvalue().decode('utf8'))
 
+    def csrf_check(self):
+        '''Check that the required CSRF token is present in the form
+        submission.
+        '''
+        if self.form.get('CSRFToken') != self.store.get_token(self.username):
+            self.FormError, "Form Failure; reset form submission"
+
     def submit_pkg_info(self):
         ''' Handle the submission of distro metadata as a PKG-INFO file.
         '''
@@ -1668,8 +1677,7 @@
             raise FormError, \
                 "You must supply the PKG-INFO file"
 
-        if self.form['CSRFToken'] != self.store.get_token(self.username):
-            raise FormError, "Form Failure; reset form submission"
+        self.csrf_check()
 
         # get the data
         pkginfo = self.form['pkginfo']
@@ -1937,6 +1945,8 @@
             raise Unauthorised, \
                 "You must be identified to edit package information"
 
+        self.csrf_check()
+
         name = self.form['name']
 
         if self.form.has_key('submit_remove'):
@@ -1992,8 +2002,8 @@
         if not self.authenticated:
             raise Unauthorised, \
                 "You must be identified to edit package information"
-        if self.form['CSRFToken'] != self.store.get_token(self.username):
-            raise FormError, "Form Failure; reset form submission"
+
+        self.csrf_check()
 
         # vars
         name = self.form['name']
@@ -2124,6 +2134,9 @@
             raise Unauthorised, \
                 "You must be identified to edit package information"
 
+        # can't perform CSRF check as this is invoked by tools
+        #self.csrf_check()
+
         # Verify protocol version
         if self.form.has_key('protocol_version'):
             protocol_version = self.form['protocol_version']
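Review bot: The commented-out `#self.csrf_check()` leaves this state-changing handler permanently exempt from the CSRF check, but the comment records only why, not what compensates for it; the enclosing function starts outside the hunk, so I cannot see how tool-driven requests authenticate here. Suggest the comment state the assumption explicitly, e.g. `# CSRF check skipped: invoked by command-line tools, not browser forms; assumes tool requests do not ride on a browser session cookie -- TODO confirm`. The same applies to the doc_upload hunk below. Commented-out code is easy to miss in later review; a short note in csrf_check's docstring naming the exempt handlers would make the exemption discoverable from one place.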
@@ -2269,7 +2282,6 @@
 
     #
     # Documentation Upload
-    # can't perform CSRF test as this might be invoked by a tool
     #
     def doc_upload(self):
         # make sure the user is identified
@@ -2277,6 +2289,9 @@
             raise Unauthorised, \
                 "You must be identified to edit package information"
 
+        # can't perform CSRF check as this is invoked by tools
+        #self.csrf_check()
+
         # figure the package name and version
         name = version = None
         if self.form.has_key('name'):
@@ -2531,6 +2546,8 @@
                        'indicated in the email.') % info['email']
 
         else:
+            self.csrf_check()
+
             # update details
             user = self.store.get_user(self.username)
             password = info.get('password', '').strip()
@@ -2556,8 +2573,8 @@
 
         if "key" not in self.form:
             raise FormError, "missing key"
-        if self.form['CSRFToken'] != self.store.get_token(self.username):
-            raise FormError, "Form Failure; reset form submission"
+
+        self.csrf_check()
 
         key = self.form['key'].splitlines()
         for line in key[1:]:
@@ -2574,10 +2591,12 @@
     def delkey(self):
         if not self.authenticated:
             raise Unauthorised
+
         if "id" not in self.form:
             raise FormError, "missing parameter"
-        if self.form['CSRFToken'] != self.store.get_token(self.username):
-            raise FormError, "Form Failure; reset form submission"
+
+        self.csrf_check()
+
         try:
             id = int(self.form["id"])
         except:
@@ -2647,7 +2666,9 @@
     def delete_user(self):
         if not self.authenticated:
             raise Unauthorised
+
         if self.form.has_key('submit_ok'):
+            self.csrf_check()
             # ok, do it
             self.store.delete_user(self.username)
             self.authenticated = self.loggedin = False
@@ -2667,8 +2688,6 @@
             return self.write_template('dialog.pt', message=message,
                 title='Confirm account deletion', fields=fields)
 
-            
-        
     def send_email(self, recipient, message):
         ''' Send an administrative email to the recipient
         '''
@@ -2898,3 +2917,4 @@
         stdout = p.communicate()[0]
         if p.returncode != 0:
             raise FormError, "Key processing failed. Please contact the administrator. Detail: "+stdout
+

