* looking for arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347 to compare with
* comparing to arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347
M  MoinMoin/auth.py
M  MoinMoin/multiconfig.py
M  MoinMoin/request.py
M  MoinMoin/user.py
M  MoinMoin/userform.py
M  wiki/server/moin.cgi
M  wiki/config/farmconfig.py

* modified files

--- orig/MoinMoin/auth.py
+++ mod/MoinMoin/auth.py
@@ -45,6 +45,7 @@
 
 import Cookie
 from MoinMoin import user
+from MoinMoin.util import securitystring
 
 def moin_cookie(request, **kw):
     """ authenticate via the MOIN_ID cookie """
@@ -72,7 +73,21 @@
         # ignore invalid cookies, else user can't relogin
         cookie = None
     if cookie and cookie.has_key('MOIN_ID'):
-        u = user.User(request, id=cookie['MOIN_ID'].value,
+        # Use security_string to handle the Cookie.
+	# So. need to use 
+	#     MoinMoin.util.securitystring.cal_security_userid modify
+	#     to do cookie auth.
+	# Need Pass the user_obj to cal_security_userid. 
+	# Because the MoinMoin.util.securitystring.cal_security_userid
+	#     need to do MoinMoin.user.getUserList, 
+	#     and MoinMoin.user.User.load_from_id
+	user_obj = user
+        u = user.User(request, 
+		# if can auth, then 
+		#  MoinMoin.util.securitystring.cal_security_userid
+		#  return the uid.
+		# if cannot match any uid then return None.
+	        id=securitystring.cal_security_userid(request, cookie['MOIN_ID'].value, user_obj),
                       auth_method='moin_cookie', auth_attribs=())
         if u.valid:
             return u, False
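Review bot: The comment block, the `user_obj = user` line and the `id=securitystring.cal_security_userid(...)` argument added in this hunk are indented with tabs inside a file that otherwise uses spaces, so the block parses only because a tab happens to expand to the same column as eight spaces and `python -tt` rejects it; the same mix is in the new lines of multiconfig.py (the `'security_string'` default), request.py (the cookie assignment), user.py (the `__init__` comment and the two `has_key('security_string')` blocks) and userform.py (account_sendmail, the create branch and the preferences block). Convert all of them to four-space indentation. `user_obj = user` merely aliases the module already imported at the top of this file, so pass it directly: `id=securitystring.cal_security_userid(request, cookie['MOIN_ID'].value, user),`. The comment says the helper walks getUserList and loads every profile to find a match, i.e. one HMAC per account per request; since the cookie written in request.py carries the uid after the `:=:` separator, the helper could presumably load just that profile and verify its key — worth checking, as securitystring is not part of this diff. moin_cookie starts outside this hunk.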


--- orig/MoinMoin/multiconfig.py
+++ mod/MoinMoin/multiconfig.py
@@ -8,6 +8,7 @@
 
 import re, os, sys
 from MoinMoin import error
+from MoinMoin.util import securitystring
 import MoinMoin.auth as authmodule
 
 _url_re_cache = None
@@ -361,6 +362,7 @@
         ('aliasname', _('Alias-Name'), "text", "36", ''),
         ('password', _('Password'), "password", "36", ''),
         ('password2', _('Password repeat'), "password", "36", _('(Only when changing passwords)')),
+        ('security_string', _('Security String'), "text", "36", _('(Protect Your Wiki Account.)')),
         ('email', _('Email'), "text", "36", ''),
         ('css_url', _('User CSS URL'), "text", "40", _('(Leave it empty for disabling user CSS)')),
         ('edit_rows', _('Editor size'), "text", "3", ''),
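Review bot: The new `security_string` entry is declared as a "text" field, so the value that keys the login cookie is rendered in clear in the preferences form and offered to browser autofill, unlike the `password` entries two lines above; `('security_string', _('Security String'), "password", "36", _('(Secret used to sign your login cookie; changing it logs out other sessions)'))` keeps it masked and tells the user what it is for. The help text "(Protect Your Wiki Account.)" does not say what the field does or what changing it affects.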
@@ -376,6 +378,13 @@
         'aliasname': '',
         'password': '',
         'password2': '',
+	# Use random string to init the securitystring.
+	#
+	#   Note: When every user create or every user do 
+	#   MoinMoin.user.User._validatePassword
+	#   If the user haven't securitystring then MoinMoin
+	#   will create it.
+	'security_string': securitystring.gen(30),
         'email': '',
         'css_url': '',
         'edit_rows': "20",
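Review bot: `securitystring.gen(30)` in user_form_defaults runs once, when the class body executes at config import, so the "random" default promised by the comment above it is a single value shared by every user created in that process for as long as it lives. If user_form_defaults also pre-fills the preferences form, that same value is shown to every visitor of the page. Use an empty default here, `'security_string': '',`, and leave generation to the per-user code in user.py and userform.py, which already calls `securitystring.gen(30)` when a profile lacks one.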


--- orig/MoinMoin/request.py
+++ mod/MoinMoin/request.py
@@ -9,7 +9,7 @@
 
 import os, time, sys, cgi, StringIO
 from MoinMoin import config, wikiutil, user
-from MoinMoin.util import MoinMoinNoFooter, IsWin9x
+from MoinMoin.util import MoinMoinNoFooter, IsWin9x, securitystring
 
 # Timing ---------------------------------------------------------------
 
@@ -1216,7 +1216,18 @@
         # Set the cookie
         from Cookie import SimpleCookie
         c = SimpleCookie()
-        c['MOIN_ID'] = self.user.id
+	# Modify the Cookie String Syntax.
+	# Keep the self.user.id in Cookie.
+	#   1. easy for auth.
+	#   2. and don't need to care the 
+	#       securitystring.make_security_key(security_string, self.user.id)
+	#      is unique.
+	# ':=:' is FrankieChow luck string. maybe you can change this to
+	#   self.cfg.site_luck_string
+	c['MOIN_ID'] = '%s%s%s' %(
+	   securitystring.make_security_key(security_string, self.user.id),
+	   ':=:',
+	   self.user.id )
         c['MOIN_ID']['max-age'] = maxage
         if self.cfg.cookie_domain:
             c['MOIN_ID']['domain'] = self.cfg.cookie_domain
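Review bot: `security_string` in the `make_security_key(...)` call is not bound anywhere in this hunk; unless setCookie, which starts above the hunk, assigns it earlier, the first login raises NameError, and the intended value looks like `self.user.security_string`. The `':=:'` separator is also hard-coded here while the parsing side in securitystring presumably has to use the same token; the comment already suggests a config attribute, and a shared constant is the minimum so the two cannot drift. Suggested: `c['MOIN_ID'] = '%s:=:%s' % (securitystring.make_security_key(self.user.security_string, self.user.id), self.user.id)`.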


--- orig/MoinMoin/user.py
+++ mod/MoinMoin/user.py
@@ -17,7 +17,7 @@
 PICKLE_PROTOCOL = pickle.HIGHEST_PROTOCOL
 
 from MoinMoin import config, caching, wikiutil
-from MoinMoin.util import datetime, filesys
+from MoinMoin.util import datetime, filesys, securitystring
 
 
 def getUserList(request):
@@ -214,6 +214,17 @@
         self.auth_username = auth_username
         self.auth_method = kw.get('auth_method', 'internal')
         self.auth_attribs = kw.get('auth_attribs', ())
+
+	# Add the default security_string.
+	# Random create the user's security_string.
+	# Beacues when the user pass the cookie,
+	#   and it have c['MOIN_ID'] then it will have bug. 
+	#   I think this will not create the security hole.
+	#   Because the cookie is the 
+	#     hmac.new( security_string, uid )
+	#       not
+	#     Just security_string.
+	self.security_string = securitystring.gen(30)
                                        
         # create some vars automatically
         for tuple in self._cfg.user_form_fields:
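Review bot: The random `self.security_string` assigned at the end of this hunk sits directly above the "create some vars automatically" loop over `self._cfg.user_form_fields`; if that loop (its body lies outside the hunk) sets each field from `user_form_defaults`, as multiconfig.py's new `'security_string'` default suggests it does, the per-user value is overwritten at once by the process-wide default. Move the assignment below that loop, or generate only when the attribute is still empty afterwards. The comment block would read more clearly as `# Every User starts with a fresh random key for signing its login cookie; the cookie carries hmac(security_string, uid), never the key itself.`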
@@ -450,6 +461,12 @@
         # First try with default encoded password. Match only non empty
         # passwords. (require non empty enc_password)
         if self.enc_password and self.enc_password == data['enc_password']:
+	    # If the user profile: It is create in moin-1.3 or old.
+	    # then user profile have not security_string.
+	    # MoinMoin will random create it.
+	    if not data.has_key('security_string'):
+	        data['security_string'] = securitystring.gen(30)
+		return True, True
             return True, False
 
         # Try to match using one of pre 1.3 8 bit charsets
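Review bot: The `return True, True` under the new `has_key('security_string')` check is nested inside the `if` only because `\t\t` and `\t` followed by eight spaces both expand to column 16; rewritten with spaces, the intent (re-save the profile after adding the key) becomes visible instead of accidental. The same "create it if missing" block reappears in the next hunk of this file under the 8-bit charset match; a small helper such as `_ensure_security_string(data)` returning whether it added a key would let both branches call it and keep `return True, True` in one place. _validatePassword starts and ends outside this hunk.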
@@ -483,6 +500,11 @@
                 # User password match - replace the user password in the
                 # file with self.password
                 data['enc_password'] = self.enc_password
+	        # If the user profile: It is create in pro moin-1.3 or old.
+	        # then user profile have not security_string.
+	        # MoinMoin will random create it.
+		if not data.has_key('security_string'):
+		    data['security_string'] = securitystring.gen(30)
                 return True, True
 
         # No encoded password match, this must be wrong password


--- orig/MoinMoin/userform.py
+++ mod/MoinMoin/userform.py
@@ -8,7 +8,7 @@
 
 import string, time, re
 from MoinMoin import user, util, wikiutil
-from MoinMoin.util import web, mail, datetime
+from MoinMoin.util import web, mail, datetime, securitystring
 from MoinMoin.widget import html
 
 _debug = 0
@@ -78,6 +78,10 @@
                 theuser = user.User(self.request, uid)
                 if theuser.valid and theuser.email.lower() == email:
                     msg = theuser.mailAccountData()
+		    # Change the security_string
+		    #    When the user request the account_sendmail.
+		    theuser.security_string = securitystring.gen(30)
+		    theuser.save()
                     return wikiutil.escape(msg)
 
             return _("Found no account matching the given email address '%(email)s'!") % {'email': wikiutil.escape(email)}
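Review bot: Regenerating `theuser.security_string` and saving the profile inside account_sendmail lets any unauthenticated request that names a registered email address rotate that account's cookie key, which, given the cookie is an HMAC over that key, invalidates the owner's existing logins — a nuisance anyone can trigger. The mail text was composed by `mailAccountData()` before the rotation, so the new key is not what gets mailed, which leaves the purpose of the change unclear. If the rotation is intended, say so: `# Rotate the cookie key: any session still using the old key is logged out.`; otherwise drop the two lines.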
@@ -148,6 +152,8 @@
                     if thisuser.email == theuser.email and not thisuser.disabled:
                         return _("This email already belongs to somebody else.")
 
+            # Before create the user's profile, create the user's security_string.
+	    theuser.security_string = securitystring.gen(30)
             # save data
             theuser.save()
             if form.has_key('create_and_mail'):
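Review bot: The `theuser.security_string = securitystring.gen(30)` before the save duplicates what User.__init__ now does for every new instance (user.py), unless that value is overwritten by the form-defaults loop there; keep one place of generation, or add a comment saying why this one is authoritative, e.g. `# __init__'s key may have been replaced by user_form_defaults; issue a fresh one before the first save.` The new line is also tab-indented under a space-indented comment.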
@@ -207,6 +213,24 @@
                 email = form.get('email', [theuser.email])[0]
                 theuser.email = email.strip()
 
+            # Try to record the security_string in UserPreferences form.
+            theuser.security_string = form.get('security_string', [''])[0]
+	    # If the user send the security_string, check it is all ascii.
+	    #  Because the hmac class just can handle the ascii data.
+	    if theuser.security_string:
+	        try: 
+		    theuser.security_string.encode('ascii')
+		except:
+	            return _("""
+Please use ASCII string modify the security_string.
+		    """)
+		# setCookie when the user input's security_string isn't same of the user's datafile.
+		if not theuser.security_string == self.request.user.security_string:
+		    self.request.user.security_string = theuser.security_string
+	            self.request.setCookie()
+		else:  
+		    pass
+
             # Require email
             if not theuser.email:
                 return _("Please provide your email address. If you lose your"
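Review bot: `self.request.setCookie()` is issued before the profile is saved and before the validation that follows (the email check right below returns early), so a rejected form leaves the browser holding a cookie keyed on the new string while the stored profile keeps the old one, and the user is logged out on the next request. `form.get('security_string', [''])[0]` also defaults to an empty string when the field is absent, so a client that omits it silently blanks the stored key; default to the current value instead. The bare `except:` should be `except UnicodeError:`, `if not a == b` reads better as `!=`, and the trailing `else: pass` is dead. The save that the cookie update must follow is outside this hunk.
```python
            # Record the security_string from the UserPreferences form; keep
            # the stored key when the field is absent so a partial form does
            # not blank it.
            new_security_string = form.get('security_string',
                                           [theuser.security_string])[0]
            # The HMAC used for the cookie only accepts ASCII data.
            try:
                new_security_string.encode('ascii')
            except UnicodeError:
                return _("""
Please use ASCII string modify the security_string.
		    """)
            key_changed = new_security_string != self.request.user.security_string
            theuser.security_string = new_security_string
            # … unchanged: email checks and remaining fields, theuser.save() (outside this hunk) …
            # Only once the profile is saved may the cookie switch to the new key.
            if key_changed:
                self.request.user.security_string = new_security_string
                self.request.setCookie()
```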
@@ -271,7 +295,7 @@
             already_handled = ['name', 'password', 'password2', 'email',
                                'aliasname', 'edit_rows', 'editor_default',
                                'editor_ui', 'tz_offset', 'datetime_fmt',
-                               'theme_name', 'language']
+                               'theme_name', 'language', 'security_string']
             for field in self.cfg.user_form_fields:
                 key = field[0]
                 if ((key in self.cfg.user_form_disable)


--- orig/wiki/config/farmconfig.py
+++ mod/wiki/config/farmconfig.py
@@ -49,6 +49,7 @@
     # Twisted server can now use the port, too.
     ("moinmaster",  r"^moinmaster.wikiwikiweb.de/.*$"),
     ("moinmoin",    r"^moinmoin.wikiwikiweb.de/.*$"),
+    ("debug", r"^127.0.0.1/moin/moin.cgi.*$"),
 ]
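Review bot: The added `("debug", r"^127.0.0.1/moin/moin.cgi.*$")` entry maps localhost to a wiki config module named `debug` that this patch does not add, so it reads as a developer's local mapping rather than something the shipped farmconfig.py should carry. If it is meant as an example, comment it out like the surrounding documentation and note that a `debug.py` must exist on sys.path for the entry to work.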
 
 
@@ -173,4 +174,3 @@
    
     # Enable graphical charts, requires gdchart.
     #chart_options = {'width': 600, 'height': 300}
-


--- orig/wiki/server/moin.cgi
+++ mod/wiki/server/moin.cgi
@@ -13,18 +13,20 @@
 
 # Path of the directory where wikiconfig.py is located.
 # YOU NEED TO CHANGE THIS TO MATCH YOUR SETUP.
-sys.path.insert(0, '/path/to/wikiconfig')
+#sys.path.insert(0, '/path/to/wikiconfig')
+sys.path.insert(0, '/home/freak/tmp/moinmoin-dev/moin--main--1.5--patch-347/wiki/config')
 
 # Path to MoinMoin package, needed if you installed with --prefix=PREFIX
 # or if you did not use setup.py.
 ## sys.path.insert(0, 'PREFIX/lib/python2.3/site-packages')
+sys.path.insert(0, '/home/freak/tmp/moinmoin-dev/moin--main--1.5--patch-347')
 
 # Path of the directory where farmconfig.py is located (if different).
 ## sys.path.insert(0, '/path/to/farmconfig')
 
 # Debug mode - show detailed error reports
-## import os
-## os.environ['MOIN_DEBUG'] = '1'
+import os
+os.environ['MOIN_DEBUG'] = '1'
 
 # This is used to profile MoinMoin (default disabled)
 hotshotProfiler = 0
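Review bot: The placeholder `sys.path.insert(0, '/path/to/wikiconfig')` is replaced by a path under a developer's home directory, a second such path is added, and the `MOIN_DEBUG` lines are uncommented so detailed error reports are on by default; shipped as is, every install would fail to find its own config and any visitor would see tracebacks that disclose server paths. Keep the `/path/to/wikiconfig` placeholder and the `## import os` / `## os.environ['MOIN_DEBUG'] = '1'` comments, and carry the local values in an uncommitted copy of moin.cgi.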



