Attachment 'security_string6.patch'

   1 * looking for arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347 to compare with
   2 * comparing to arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347
   3 M  MoinMoin/auth.py
   4 M  MoinMoin/request.py
   5 M  MoinMoin/user.py
   6 M  MoinMoin/userform.py
   7 M  wiki/server/moin.cgi
   8 M  wiki/config/farmconfig.py
   9 
  10 * modified files
  11 
  12 --- orig/MoinMoin/auth.py
  13 +++ mod/MoinMoin/auth.py
  14 @@ -45,6 +45,7 @@
  15  
  16  import Cookie
  17  from MoinMoin import user
  18 +from MoinMoin.util import securitystring
  19  
  20  def moin_cookie(request, **kw):
  21      """ authenticate via the MOIN_ID cookie """
  22 @@ -58,13 +59,6 @@
  23              request.setCookie()
  24              return u, False
  25          return None, True
  26 -
  27 -    if kw.get('logout'):
  28 -        # clear the cookie in the browser and locally. Does not
  29 -        # check if we have a valid user logged, just make sure we
  30 -        # don't have one after this call.
  31 -        request.deleteCookie()
  32 -        return None, True
  33      
  34      try:
  35          cookie = Cookie.SimpleCookie(request.saved_cookie)
  36 @@ -72,13 +66,48 @@
  37          # ignore invalid cookies, else user can't relogin
  38          cookie = None
  39      if cookie and cookie.has_key('MOIN_ID'):
  40 -        u = user.User(request, id=cookie['MOIN_ID'].value,
  41 +        # Use security_string to handle the Cookie.
  42 +	# So. need to use 
  43 +	#     MoinMoin.util.securitystring.cal_security_userid modify
  44 +	#     to do cookie auth.
  45 +	# Need Pass the user_obj to cal_security_userid. 
  46 +	# Because the MoinMoin.util.securitystring.cal_security_userid
  47 +	#     need to do MoinMoin.user.getUserList, 
  48 +	#     and MoinMoin.user.User.load_from_id
  49 +	user_obj = user
  50 +        u = user.User(request, 
  51 +		# if can auth, then 
  52 +		#  MoinMoin.util.securitystring.cal_security_userid
  53 +		#  return the uid.
  54 +		# if cannot match any uid then return None.
  55 +	        id=securitystring.cal_security_userid(request, cookie['MOIN_ID'].value, user_obj),
  56                        auth_method='moin_cookie', auth_attribs=())
  57          if u.valid:
  58 -            return u, False
  59 +            if kw.get('logout'):
  60 +	        # Frankie: Why Does not check it?
  61 +		# Please see: http://moinmoin.wikiwikiweb.de/MoinMoinBugs/LogoutHandle
  62 +		#
  63 +                # clear the cookie in the browser and locally. Does not
  64 +                # check if we have a valid user logged, just make sure we
  65 +                # don't have one after this call.
  66 +                request.deleteCookie()
  67 +                # Frankie: When the user do global logout then change the
  68 +                # security_string. ( in here. All logout is global logout. )
  69 +                u.security_string = securitystring.gen(30)
  70 +                u.save()
  71 +                return None, True
  72 +	    else:
  73 +                return u, False
  74 +
  75 +        # If the brower don't have MOIN_ID cookie, just delete the cookie.
  76 +        if kw.get('logout'):
  77 +            request.deleteCookie()
  78 +            return None, True
  79 +	    
  80      return None, True
  81  
  82  
  83 +
  84  #
  85  #   idea: maybe we should call back to the request object like:
  86  #         username, password, authenticated, authtype = request.getUserPassAuth()
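Review bot: The logout fallback `if kw.get('logout'): request.deleteCookie()` near the end of the hunk is indented inside `if cookie and cookie.has_key('MOIN_ID'):`, so it never runs when the browser sent no MOIN_ID cookie at all, contradicting the comment right above it; dedent the comment and the two lines by four spaces so a logout request always clears the cookie, as the removed block did. The `u.valid` branch now rotates `security_string` only when the cookie actually authenticates, which is the right behaviour, but the comment copied from the removed block ("Does not check if we have a valid user logged") is now false and should be replaced with `# Valid session: clear the cookie and rotate security_string so every other cookie issued for this account stops working too.` The hunk mixes tab and space indentation (the `user_obj = user`, `if kw.get('logout')` comment lines and `else:`), which `python -tt` rejects and which obscures the real nesting; convert it to spaces, and move the "Frankie: Why Does not check it?" discussion to the bug page rather than the code. Passing the `user` module in as `user_obj` so that `cal_security_userid` can call `getUserList` and `load_from_id` suggests a scan over every profile per request; since the cookie now carries the user id after `:=:`, loading that single profile and comparing its key would be cheaper and leaks less timing information — `cal_security_userid` itself is not in this patch, so this is inferred from the comments only.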
  87 
  88 
  89 --- orig/MoinMoin/request.py
  90 +++ mod/MoinMoin/request.py
  91 @@ -9,7 +9,7 @@
  92  
  93  import os, time, sys, cgi, StringIO
  94  from MoinMoin import config, wikiutil, user
  95 -from MoinMoin.util import MoinMoinNoFooter, IsWin9x
  96 +from MoinMoin.util import MoinMoinNoFooter, IsWin9x, securitystring
  97  
  98  # Timing ---------------------------------------------------------------
  99  
 100 @@ -1216,7 +1216,18 @@
 101          # Set the cookie
 102          from Cookie import SimpleCookie
 103          c = SimpleCookie()
 104 -        c['MOIN_ID'] = self.user.id
 105 +	# Modify the Cookie String Syntax.
 106 +	# Keep the self.user.id in Cookie.
 107 +	#   1. easy for auth.
 108 +	#   2. and don't need to care the 
 109 +	#       securitystring.make_security_key(security_string, self.user.id)
 110 +	#      is unique.
 111 +	# ':=:' is FrankieChow luck string. maybe you can change this to
 112 +	#   self.cfg.site_luck_string
 113 +	c['MOIN_ID'] = '%s%s%s' %(
 114 +	   securitystring.make_security_key(self.user.security_string, self.user.id),
 115 +	   ':=:',
 116 +	   self.user.id )
 117          c['MOIN_ID']['max-age'] = maxage
 118          if self.cfg.cookie_domain:
 119              c['MOIN_ID']['domain'] = self.cfg.cookie_domain
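Review bot: The cookie value is assembled by hand with the literal `':=:'` separator, and the parser in `cal_security_userid` (not part of this patch) has to use the very same literal; hoist it into a module constant such as `COOKIE_SEP = ':=:'` next to the `securitystring` import and use it in both places so they cannot drift apart. The comment calling the separator a "luck string" should state the actual requirement instead: `# Separator must never occur in make_security_key() output or in a user id; the parser must split on it exactly once.` — whether that holds depends on `make_security_key`, which is not visible here. Exposing the user id beside the key is not a regression (the id was the whole cookie before), but authentication must rest on the keyed part only. setCookie begins outside the hunk.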
 120 
 121 
 122 --- orig/MoinMoin/user.py
 123 +++ mod/MoinMoin/user.py
 124 @@ -17,7 +17,7 @@
 125  PICKLE_PROTOCOL = pickle.HIGHEST_PROTOCOL
 126  
 127  from MoinMoin import config, caching, wikiutil
 128 -from MoinMoin.util import datetime, filesys
 129 +from MoinMoin.util import datetime, filesys, securitystring
 130  
 131  
 132  def getUserList(request):
 133 @@ -214,6 +214,16 @@
 134          self.auth_username = auth_username
 135          self.auth_method = kw.get('auth_method', 'internal')
 136          self.auth_attribs = kw.get('auth_attribs', ())
 137 +
 138 +	# Add the default security_string.
 139 +	# Random create the user's security_string.
 140 +	# Beacues when the user pass the cookie,
 141 +	#   and it have c['MOIN_ID'] then it will have bug. 
 142 +	#   I think this is a security hole.
 143 +	#   But every request the securitystring is change.
 144 +	#   and Maybe the attacker's 30**256 times to done it.
 145 +	# Keep the code, it is simple on now.
 146 +	self.security_string = securitystring.gen(30)
 147                                         
 148          # create some vars automatically
 149          for tuple in self._cfg.user_form_fields:
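Review bot: Every `security_string`, and therefore every session cookie key, comes from `securitystring.gen(30)`, whose randomness source is not in this patch; if it draws from the `random` module the values are predictable from a few observed tokens and it should read `os.urandom` (Python 2.4+) or at least `random.SystemRandom` — a comment here should record that requirement. The explanatory comment above the assignment is hard to follow and the `30**256` figure is unexplained; replace it with `# Seed a fresh random security_string so a profile that lacks one (saved before this feature) can never match a cookie; stored profiles presumably override it on load.`, hedged because the load path is outside the hunk. Note that a legacy profile keeps getting a new random value on every request until the password path below persists one, so those users must log in with a password once after upgrading. `__init__` starts outside the hunk.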
 150 @@ -450,6 +460,12 @@
 151          # First try with default encoded password. Match only non empty
 152          # passwords. (require non empty enc_password)
 153          if self.enc_password and self.enc_password == data['enc_password']:
 154 +	    # If the user profile: It is create in moin-1.3 or old.
 155 +	    # then user profile have not security_string.
 156 +	    # MoinMoin will random create it.
 157 +	    if not data.has_key('security_string'):
 158 +	        data['security_string'] = securitystring.gen(30)
 159 +		return True, True
 160              return True, False
 161  
 162          # Try to match using one of pre 1.3 8 bit charsets
 163 @@ -483,6 +499,11 @@
 164                  # User password match - replace the user password in the
 165                  # file with self.password
 166                  data['enc_password'] = self.enc_password
 167 +	        # If the user profile: It is create in pro moin-1.3 or old.
 168 +	        # then user profile have not security_string.
 169 +	        # MoinMoin will random create it.
 170 +		if not data.has_key('security_string'):
 171 +		    data['security_string'] = securitystring.gen(30)
 172                  return True, True
 173  
 174          # No encoded password match, this must be wrong password
 175 
 176 
 177 --- orig/MoinMoin/userform.py
 178 +++ mod/MoinMoin/userform.py
 179 @@ -8,7 +8,7 @@
 180  
 181  import string, time, re
 182  from MoinMoin import user, util, wikiutil
 183 -from MoinMoin.util import web, mail, datetime
 184 +from MoinMoin.util import web, mail, datetime, securitystring
 185  from MoinMoin.widget import html
 186  
 187  _debug = 0
 188 @@ -78,6 +78,10 @@
 189                  theuser = user.User(self.request, uid)
 190                  if theuser.valid and theuser.email.lower() == email:
 191                      msg = theuser.mailAccountData()
 192 +		    # Change the security_string
 193 +		    #    When the user request the account_sendmail.
 194 +		    theuser.security_string = securitystring.gen(30)
 195 +		    theuser.save()
 196                      return wikiutil.escape(msg)
 197  
 198              return _("Found no account matching the given email address '%(email)s'!") % {'email': wikiutil.escape(email)}
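Review bot: Rotating `theuser.security_string` on account_sendmail means anyone who knows or guesses a registered email address can invalidate that user's active sessions by submitting this unauthenticated form, turning a password-recovery helper into a forced-logout vector. If the intent is to cut off sessions of a possibly compromised account, consider rotating only once the mailed data is actually used to log in, or rate-limiting the form; at minimum document the trade-off with `# NOTE: rotates the session key for every cookie issued to this account — any visitor who knows the email can trigger it.` The rotation also happens after `mailAccountData()` has built the message, so if that message embeds anything derived from `security_string` it is stale by the time it is sent — not verifiable from this hunk. The enclosing method starts outside the hunk.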
 199 @@ -148,6 +152,8 @@
 200                      if thisuser.email == theuser.email and not thisuser.disabled:
 201                          return _("This email already belongs to somebody else.")
 202  
 203 +            # Before create the user's profile, create the user's security_string.
 204 +	    theuser.security_string = securitystring.gen(30)
 205              # save data
 206              theuser.save()
 207              if form.has_key('create_and_mail'):
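Review bot: If `theuser` here was built with `user.User(...)`, its `__init__` already seeds `security_string` with `securitystring.gen(30)` (see the user.py change), so this assignment right before `theuser.save()` is redundant; either drop it or explain why a second draw is wanted, e.g. `# Reseed immediately before the first save so the stored value is never one that was visible before validation.` Whether `theuser` came through `__init__` cannot be confirmed from this hunk; the enclosing method begins outside it.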
 208 
 209 
 210 --- orig/wiki/config/farmconfig.py
 211 +++ mod/wiki/config/farmconfig.py
 212 @@ -49,6 +49,7 @@
 213      # Twisted server can now use the port, too.
 214      ("moinmaster",  r"^moinmaster.wikiwikiweb.de/.*$"),
 215      ("moinmoin",    r"^moinmoin.wikiwikiweb.de/.*$"),
 216 +    ("debug", r"^127.0.0.1/moin/moin.cgi.*$"),
 217  ]
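Review bot: The added `("debug", r"^127.0.0.1/moin/moin.cgi.*$")` entry is local development configuration in the shipped farmconfig.py and should not be part of this patch; remove it before submitting. If such an entry is kept anywhere, escape the dots (`r"^127\.0\.0\.1/moin/moin\.cgi.*$"`) so the pattern cannot match other hosts by accident.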
 218  
 219  
 220 @@ -173,4 +174,3 @@
 221     
 222      # Enable graphical charts, requires gdchart.
 223      #chart_options = {'width': 600, 'height': 300}
 224 -
 225 
 226 
 227 --- orig/wiki/server/moin.cgi
 228 +++ mod/wiki/server/moin.cgi
 229 @@ -13,18 +13,20 @@
 230  
 231  # Path of the directory where wikiconfig.py is located.
 232  # YOU NEED TO CHANGE THIS TO MATCH YOUR SETUP.
 233 -sys.path.insert(0, '/path/to/wikiconfig')
 234 +#sys.path.insert(0, '/path/to/wikiconfig')
 235 +sys.path.insert(0, '/home/freak/tmp/moinmoin-dev/moin--main--1.5--patch-347/wiki/config')
 236  
 237  # Path to MoinMoin package, needed if you installed with --prefix=PREFIX
 238  # or if you did not use setup.py.
 239  ## sys.path.insert(0, 'PREFIX/lib/python2.3/site-packages')
 240 +sys.path.insert(0, '/home/freak/tmp/moinmoin-dev/moin--main--1.5--patch-347')
 241  
 242  # Path of the directory where farmconfig.py is located (if different).
 243  ## sys.path.insert(0, '/path/to/farmconfig')
 244  
 245  # Debug mode - show detailed error reports
 246 -## import os
 247 -## os.environ['MOIN_DEBUG'] = '1'
 248 +import os
 249 +os.environ['MOIN_DEBUG'] = '1'
 250  
 251  # This is used to profile MoinMoin (default disabled)
 252  hotshotProfiler = 0
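Review bot: This hunk hard-codes a developer's home-directory paths into `sys.path` and sets `os.environ['MOIN_DEBUG'] = '1'` unconditionally, which makes the CGI show detailed error reports — including filesystem paths and configuration details — to every visitor; none of it belongs in the submitted patch. Restore the original `sys.path.insert(0, '/path/to/wikiconfig')` line and the two commented-out debug lines, and keep local environment edits out of the changeset.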
