Attachment 'security_string.patch'
Download 1 * looking for arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347 to compare with
2 * comparing to arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347
3 M MoinMoin/auth.py
4 M MoinMoin/multiconfig.py
5 M MoinMoin/request.py
6 M MoinMoin/user.py
7 M MoinMoin/userform.py
8 M wiki/server/moin.cgi
9 M wiki/config/farmconfig.py
10
11 * modified files
12
13 --- orig/MoinMoin/auth.py
14 +++ mod/MoinMoin/auth.py
15 @@ -45,6 +45,7 @@
16
17 import Cookie
18 from MoinMoin import user
19 +from MoinMoin.util import securitystring
20
21 def moin_cookie(request, **kw):
22 """ authenticate via the MOIN_ID cookie """
23 @@ -72,7 +73,21 @@
24 # ignore invalid cookies, else user can't relogin
25 cookie = None
26 if cookie and cookie.has_key('MOIN_ID'):
27 - u = user.User(request, id=cookie['MOIN_ID'].value,
28 + # Use security_string to handle the Cookie.
29 + # So. need to use
30 + # MoinMoin.util.securitystring.cal_security_userid modify
31 + # to do cookie auth.
32 + # Need Pass the user_obj to cal_security_userid.
33 + # Because the MoinMoin.util.securitystring.cal_security_userid
34 + # need to do MoinMoin.user.getUserList,
35 + # and MoinMoin.user.User.load_from_id
36 + user_obj = user
37 + u = user.User(request,
38 + # if can auth, then
39 + # MoinMoin.util.securitystring.cal_security_userid
40 + # return the uid.
41 + # if cannot match any uid then return None.
42 + id=securitystring.cal_security_userid(request, cookie['MOIN_ID'].value, user_obj),
43 auth_method='moin_cookie', auth_attribs=())
44 if u.valid:
45 return u, False
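Review bot: The comment says `cal_security_userid` walks `getUserList` and `load_from_id` to find a matching account, yet the cookie built in request.py already carries the uid after the `:=:` separator, so the helper should split on that separator, load only that user, recompute the key and compare — scanning every profile on each request is a needless amplification surface. `user_obj = user` merely aliases the already-imported module; pass `user` directly. Because securitystring.py is not in this patch, whether the comparison is constant-time and how a malformed cookie (no separator, unknown uid) is handled cannot be verified here. The comments interleaved inside the `user.User(...)` argument list belong above the call.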
46
47
48 --- orig/MoinMoin/multiconfig.py
49 +++ mod/MoinMoin/multiconfig.py
50 @@ -8,6 +8,7 @@
51
52 import re, os, sys
53 from MoinMoin import error
54 +from MoinMoin.util import securitystring
55 import MoinMoin.auth as authmodule
56
57 _url_re_cache = None
58 @@ -361,6 +362,7 @@
59 ('aliasname', _('Alias-Name'), "text", "36", ''),
60 ('password', _('Password'), "password", "36", ''),
61 ('password2', _('Password repeat'), "password", "36", _('(Only when changing passwords)')),
62 + ('security_string', _('Security String'), "text", "36", _('(Protect Your Wiki Account.)')),
63 ('email', _('Email'), "text", "36", ''),
64 ('css_url', _('User CSS URL'), "text", "40", _('(Leave it empty for disabling user CSS)')),
65 ('edit_rows', _('Editor size'), "text", "3", ''),
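Review bot: The new field is declared as a plain `"text"` input, so the value that serves as the HMAC key for the login cookie is rendered back into the preferences page in cleartext on every load and may be retained by browser form autocompletion. Declare it like the password fields, `('security_string', _('Security String'), "password", "36", _('(Protect Your Wiki Account.)')),`. Note that a password-type input is submitted empty when left untouched, so the userform handler must then treat an empty submission as "keep the current key" rather than store it. The hint text could also say what the field does, e.g. `_('(Secret used to sign your login cookie; leave empty to keep it)')`.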
66 @@ -376,6 +378,13 @@
67 'aliasname': '',
68 'password': '',
69 'password2': '',
70 + # Use random string to init the securitystring.
71 + #
72 + # Note: When every user create or every user do
73 + # MoinMoin.user.User._validatePassword
74 + # If the user haven't securitystring then MoinMoin
75 + # will create it.
76 + 'security_string': securitystring.gen(30),
77 'email': '',
78 'css_url': '',
79 'edit_rows': "20",
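Review bot: `securitystring.gen(30)` is evaluated once when the config module is imported, so this "random" default is a single process-wide constant for the lifetime of the server. If `user_form_defaults` is copied onto new `User` objects by the field loop at the end of `User.__init__` (that loop body is outside this patch — please confirm), every account created by that process shares one key until its owner changes it, which defeats the per-user HMAC. Keep the config default a non-secret placeholder, `'security_string': '',`, and mint the key per user at creation or save time, where user.py already does so. The comment about creating a missing key during `_validatePassword` describes that code path and should live there.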
80
81
82 --- orig/MoinMoin/request.py
83 +++ mod/MoinMoin/request.py
84 @@ -9,7 +9,7 @@
85
86 import os, time, sys, cgi, StringIO
87 from MoinMoin import config, wikiutil, user
88 -from MoinMoin.util import MoinMoinNoFooter, IsWin9x
89 +from MoinMoin.util import MoinMoinNoFooter, IsWin9x, securitystring
90
91 # Timing ---------------------------------------------------------------
92
93 @@ -1216,7 +1216,18 @@
94 # Set the cookie
95 from Cookie import SimpleCookie
96 c = SimpleCookie()
97 - c['MOIN_ID'] = self.user.id
98 + # Modify the Cookie String Syntax.
99 + # Keep the self.user.id in Cookie.
100 + # 1. easy for auth.
101 + # 2. and don't need to care the
102 + # securitystring.make_security_key(security_string, self.user.id)
103 + # is unique.
104 + # ':=:' is FrankieChow luck string. maybe you can change this to
105 + # self.cfg.site_luck_string
106 + c['MOIN_ID'] = '%s%s%s' %(
107 + securitystring.make_security_key(security_string, self.user.id),
108 + ':=:',
109 + self.user.id )
110 c['MOIN_ID']['max-age'] = maxage
111 if self.cfg.cookie_domain:
112 c['MOIN_ID']['domain'] = self.cfg.cookie_domain
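Review bot: `security_string` is not bound anywhere in this hunk, so `make_security_key(security_string, self.user.id)` will raise `NameError` the first time a cookie is set unless the name is assigned earlier in `setCookie` (outside the hunk); the intended key is presumably the per-user one, `securitystring.make_security_key(self.user.security_string, self.user.id),`. The `:=:` separator is only a parsing delimiter and does not need to be secret, so the "luck string"/`site_luck_string` comment is misleading and should be replaced with `# "<hmac>:=:<uid>": the uid is kept in clear so auth can load one profile and recompute the key`. Also worth documenting that the tag binds only the uid, so `max-age` is client-enforced and the cookie has no server-side expiry.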
113
114
115 --- orig/MoinMoin/user.py
116 +++ mod/MoinMoin/user.py
117 @@ -17,7 +17,7 @@
118 PICKLE_PROTOCOL = pickle.HIGHEST_PROTOCOL
119
120 from MoinMoin import config, caching, wikiutil
121 -from MoinMoin.util import datetime, filesys
122 +from MoinMoin.util import datetime, filesys, securitystring
123
124
125 def getUserList(request):
126 @@ -214,6 +214,17 @@
127 self.auth_username = auth_username
128 self.auth_method = kw.get('auth_method', 'internal')
129 self.auth_attribs = kw.get('auth_attribs', ())
130 +
131 + # Add the default security_string.
132 + # Random create the user's security_string.
133 + # Beacues when the user pass the cookie,
134 + # and it have c['MOIN_ID'] then it will have bug.
135 + # I think this will not create the security hole.
136 + # Because the cookie is the
137 + # hmac.new( security_string, uid )
138 + # not
139 + # Just security_string.
140 + self.security_string = securitystring.gen(30)
141
142 # create some vars automatically
143 for tuple in self._cfg.user_form_fields:
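Review bot: The random key is assigned immediately before the `for tuple in self._cfg.user_form_fields:` loop, whose body lies outside the hunk; since `security_string` is now a form field, if that loop applies `user_form_defaults` to every field it overwrites this value with the process-wide default computed in multiconfig — please confirm, and if so move the assignment after the loop. The eleven-line comment should state the contract rather than speculate about a bug: `# Per-user HMAC key for the MOIN_ID cookie; random so a fresh User never carries an empty key.` The assertion that the cookie is `hmac.new(security_string, uid)` describes securitystring, which is not included in this patch.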
144 @@ -450,6 +461,12 @@
145 # First try with default encoded password. Match only non empty
146 # passwords. (require non empty enc_password)
147 if self.enc_password and self.enc_password == data['enc_password']:
148 + # If the user profile: It is create in moin-1.3 or old.
149 + # then user profile have not security_string.
150 + # MoinMoin will random create it.
151 + if not data.has_key('security_string'):
152 + data['security_string'] = securitystring.gen(30)
153 + return True, True
154 return True, False
155
156 # Try to match using one of pre 1.3 8 bit charsets
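Review bot: `if not data.has_key('security_string'):` repairs profiles that lack the key but leaves an existing empty key in place, and an empty HMAC key makes the cookie forgeable for that uid; use `if not data.get('security_string'):` so blank values are regenerated too. The same block is repeated in the pre-1.3 branch below, so a small helper such as `_ensure_security_string(data)` returning whether the profile changed would keep both in step. `_validatePassword` starts outside this hunk.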
157 @@ -483,6 +500,11 @@
158 # User password match - replace the user password in the
159 # file with self.password
160 data['enc_password'] = self.enc_password
161 + # If the user profile: It is create in pro moin-1.3 or old.
162 + # then user profile have not security_string.
163 + # MoinMoin will random create it.
164 + if not data.has_key('security_string'):
165 + data['security_string'] = securitystring.gen(30)
166 return True, True
167
168 # No encoded password match, this must be wrong password
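Review bot: This copy of the check has the same gap as the one above it — `has_key` does not catch an empty stored key, so `if not data.get('security_string'):` is the safer condition. The two identical blocks should share one helper rather than be maintained separately. The comment's "pro moin-1.3" should read "pre moin-1.3".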
169
170
171 --- orig/MoinMoin/userform.py
172 +++ mod/MoinMoin/userform.py
173 @@ -8,7 +8,7 @@
174
175 import string, time, re
176 from MoinMoin import user, util, wikiutil
177 -from MoinMoin.util import web, mail, datetime
178 +from MoinMoin.util import web, mail, datetime, securitystring
179 from MoinMoin.widget import html
180
181 _debug = 0
182 @@ -78,6 +78,10 @@
183 theuser = user.User(self.request, uid)
184 if theuser.valid and theuser.email.lower() == email:
185 msg = theuser.mailAccountData()
186 + # Change the security_string
187 + # When the user request the account_sendmail.
188 + theuser.security_string = securitystring.gen(30)
189 + theuser.save()
190 return wikiutil.escape(msg)
191
192 return _("Found no account matching the given email address '%(email)s'!") % {'email': wikiutil.escape(email)}
193 @@ -148,6 +152,8 @@
194 if thisuser.email == theuser.email and not thisuser.disabled:
195 return _("This email already belongs to somebody else.")
196
197 + # Before create the user's profile, create the user's security_string.
198 + theuser.security_string = securitystring.gen(30)
199 # save data
200 theuser.save()
201 if form.has_key('create_and_mail'):
202 @@ -207,6 +213,24 @@
203 email = form.get('email', [theuser.email])[0]
204 theuser.email = email.strip()
205
206 + # Try to record the security_string in UserPreferences form.
207 + theuser.security_string = form.get('security_string', [''])[0]
208 + # If the user send the security_string, check it is all ascii.
209 + # Because the hmac class just can handle the ascii data.
210 + if theuser.security_string:
211 + try:
212 + theuser.security_string.encode('ascii')
213 + except:
214 + return _("""
215 +Please use ASCII string modify the security_string.
216 + """)
217 + # setCookie when the user input's security_string isn't same of the user's datafile.
218 + if not theuser.security_string == self.request.user.security_string:
219 + self.request.user.security_string = theuser.security_string
220 + self.request.setCookie()
221 + else:
222 + pass
223 +
224 # Require email
225 if not theuser.email:
226 return _("Please provide your email address. If you lose your"
227 @@ -271,7 +295,7 @@
228 already_handled = ['name', 'password', 'password2', 'email',
229 'aliasname', 'edit_rows', 'editor_default',
230 'editor_ui', 'tz_offset', 'datetime_fmt',
231 - 'theme_name', 'language']
232 + 'theme_name', 'language', 'security_string']
233 for field in self.cfg.user_form_fields:
234 key = field[0]
235 if ((key in self.cfg.user_form_disable)
236
237
238 --- orig/wiki/config/farmconfig.py
239 +++ mod/wiki/config/farmconfig.py
240 @@ -49,6 +49,7 @@
241 # Twisted server can now use the port, too.
242 ("moinmaster", r"^moinmaster.wikiwikiweb.de/.*$"),
243 ("moinmoin", r"^moinmoin.wikiwikiweb.de/.*$"),
244 + ("debug", r"^127.0.0.1/moin/moin.cgi.*$"),
245 ]
246
247
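Review bot: The added `("debug", r"^127.0.0.1/moin/moin.cgi.*$")` wiki mapping is a local development entry and does not belong in the shipped farmconfig example; it also presupposes a `debug.py` config that the patch does not add. Please drop it before merging.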
248 @@ -173,4 +174,3 @@
249
250 # Enable graphical charts, requires gdchart.
251 #chart_options = {'width': 600, 'height': 300}
252 -
253
254
255 --- orig/wiki/server/moin.cgi
256 +++ mod/wiki/server/moin.cgi
257 @@ -13,18 +13,20 @@
258
259 # Path of the directory where wikiconfig.py is located.
260 # YOU NEED TO CHANGE THIS TO MATCH YOUR SETUP.
261 -sys.path.insert(0, '/path/to/wikiconfig')
262 +#sys.path.insert(0, '/path/to/wikiconfig')
263 +sys.path.insert(0, '/home/freak/tmp/moinmoin-dev/moin--main--1.5--patch-347/wiki/config')
264
265 # Path to MoinMoin package, needed if you installed with --prefix=PREFIX
266 # or if you did not use setup.py.
267 ## sys.path.insert(0, 'PREFIX/lib/python2.3/site-packages')
268 +sys.path.insert(0, '/home/freak/tmp/moinmoin-dev/moin--main--1.5--patch-347')
269
270 # Path of the directory where farmconfig.py is located (if different).
271 ## sys.path.insert(0, '/path/to/farmconfig')
272
273 # Debug mode - show detailed error reports
274 -## import os
275 -## os.environ['MOIN_DEBUG'] = '1'
276 +import os
277 +os.environ['MOIN_DEBUG'] = '1'
278
279 # This is used to profile MoinMoin (default disabled)
280 hotshotProfiler = 0
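Review bot: The hunk replaces the placeholder `sys.path` entries with the author's home-directory paths and turns on `os.environ['MOIN_DEBUG'] = '1'`, which per the file's own comment makes the CGI show detailed error reports to visitors. Both are local development settings and would ship debug tracebacks and broken paths to every deployment that copies this script. Restore the original `sys.path.insert(0, '/path/to/wikiconfig')` and the commented-out `## import os` / `## os.environ['MOIN_DEBUG'] = '1'` lines.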