Attachment 'security_string6.patch'
1 * looking for arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347 to compare with
2 * comparing to arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347
3 M MoinMoin/auth.py
4 M MoinMoin/request.py
5 M MoinMoin/user.py
6 M MoinMoin/userform.py
7 M wiki/server/moin.cgi
8 M wiki/config/farmconfig.py
9
10 * modified files
11
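--- a/MoinMoin/auth.py
+++ b/MoinMoin/auth.py
@@ -45,6 +45,7 @@
 
 import Cookie
 from MoinMoin import user
+from MoinMoin.util import securitystring
 
 def moin_cookie(request, **kw):
 """ authenticate via the MOIN_ID cookie """
@@ -58,13 +59,6 @@
 request.setCookie()
 return u, False
 return None, True
-
- if kw.get('logout'):
- # clear the cookie in the browser and locally. Does not
- # check if we have a valid user logged, just make sure we
- # don't have one after this call.
- request.deleteCookie()
- return None, True
 
 try:
 cookie = Cookie.SimpleCookie(request.saved_cookie)
@@ -72,13 +66,48 @@
 # ignore invalid cookies, else user can't relogin
 cookie = None
 if cookie and cookie.has_key('MOIN_ID'):
- u = user.User(request, id=cookie['MOIN_ID'].value,
+ # Use security_string to handle the Cookie.
+ # So. need to use
+ # MoinMoin.util.securitystring.cal_security_userid modify
+ # to do cookie auth.
+ # Need Pass the user_obj to cal_security_userid.
+ # Because the MoinMoin.util.securitystring.cal_security_userid
+ # need to do MoinMoin.user.getUserList,
+ # and MoinMoin.user.User.load_from_id
+ user_obj = user
+ u = user.User(request,
+ # if can auth, then
+ # MoinMoin.util.securitystring.cal_security_userid
+ # return the uid.
+ # if cannot match any uid then return None.
+ id=securitystring.cal_security_userid(request, cookie['MOIN_ID'].value, user_obj),
 auth_method='moin_cookie', auth_attribs=())
 if u.valid:
- return u, False
+ if kw.get('logout'):
+ # Frankie: Why Does not check it?
+ # Please see: http://moinmoin.wikiwikiweb.de/MoinMoinBugs/LogoutHandle
+ #
+ # clear the cookie in the browser and locally. Does not
+ # check if we have a valid user logged, just make sure we
+ # don't have one after this call.
+ request.deleteCookie()
+ # Frankie: When the user do global logout then change the
+ # security_string. ( in here. All logout is global logout. )
+ u.security_string = securitystring.gen(30)
+ u.save()
+ return None, True
+ else:
+ return u, False
+
+ # If the brower don't have MOIN_ID cookie, just delete the cookie.
+ if kw.get('logout'):
+ request.deleteCookie()
+ return None, True
+
 return None, True
 
 
+
 #
 # idea: maybe we should call back to the request object like:
 # username, password, authenticated, authtype = request.getUserPassAuth()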
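Review bot: The lookup at `id=securitystring.cal_security_userid(request, cookie['MOIN_ID'].value, user_obj)` is, according to the comment above it, implemented by walking MoinMoin.user.getUserList and loading each profile until one matches, so every request carrying a MOIN_ID cookie costs one profile load per registered user. Since the new cookie format written in request.py already places the user id after ':=:', the check should split the cookie value on that separator, load only that one profile, recompute the key from its stored security_string, and compare it to the presented key with a constant-time comparison so that a forged key cannot be narrowed by timing; how cal_security_userid actually compares is not visible in this patch. `user_obj = user` hands the imported module over under a name that reads like an instance; if the helper only needs the module, pass `user` directly and say so in a comment. The `if kw.get('logout'):` branch rotates `u.security_string` and saves, which is what makes logout invalidate every cookie for that user; state that intent in one sentence at the top of the branch instead of the question left in the comment. moin_cookie's body continues outside the hunk.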
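--- a/MoinMoin/request.py
+++ b/MoinMoin/request.py
@@ -9,7 +9,7 @@
 
 import os, time, sys, cgi, StringIO
 from MoinMoin import config, wikiutil, user
-from MoinMoin.util import MoinMoinNoFooter, IsWin9x
+from MoinMoin.util import MoinMoinNoFooter, IsWin9x, securitystring
 
 # Timing ---------------------------------------------------------------
 
@@ -1216,7 +1216,18 @@
 # Set the cookie
 from Cookie import SimpleCookie
 c = SimpleCookie()
- c['MOIN_ID'] = self.user.id
+ # Modify the Cookie String Syntax.
+ # Keep the self.user.id in Cookie.
+ # 1. easy for auth.
+ # 2. and don't need to care the
+ # securitystring.make_security_key(security_string, self.user.id)
+ # is unique.
+ # ':=:' is FrankieChow luck string. maybe you can change this to
+ # self.cfg.site_luck_string
+ c['MOIN_ID'] = '%s%s%s' %(
+ securitystring.make_security_key(self.user.security_string, self.user.id),
+ ':=:',
+ self.user.id )
 c['MOIN_ID']['max-age'] = maxage
 if self.cfg.cookie_domain:
 c['MOIN_ID']['domain'] = self.cfg.cookie_domain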
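Review bot: The value built at `c['MOIN_ID'] = '%s%s%s' %(` joins the derived key, the literal ':=:' and the user id, but nothing here fixes how the auth side splits it back; the parser must split on the first separator only (or from the right) and reject a value with no separator, otherwise a key or id that happens to contain ':=:' is misparsed, and since the id alphabet is not visible in this patch a comment stating the assumption would help. The comment proposing to move ':=:' into `self.cfg.site_luck_string` should be dropped or reworded: the separator is sent to the browser in clear and protects nothing, the only secret is `self.user.security_string`, and the cookie's strength rests entirely on securitystring.make_security_key being a keyed one-way function and on securitystring.gen drawing from an unpredictable source, neither of which this patch shows. Suggested replacement comment: `# MOIN_ID = <key derived from the per-user security_string and id>:=:<id>; the id is in clear, only the key authenticates`.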
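--- a/MoinMoin/user.py
+++ b/MoinMoin/user.py
@@ -17,7 +17,7 @@
 PICKLE_PROTOCOL = pickle.HIGHEST_PROTOCOL
 
 from MoinMoin import config, caching, wikiutil
-from MoinMoin.util import datetime, filesys
+from MoinMoin.util import datetime, filesys, securitystring
 
 
 def getUserList(request):
@@ -214,6 +214,16 @@
 self.auth_username = auth_username
 self.auth_method = kw.get('auth_method', 'internal')
 self.auth_attribs = kw.get('auth_attribs', ())
+
+ # Add the default security_string.
+ # Random create the user's security_string.
+ # Beacues when the user pass the cookie,
+ # and it have c['MOIN_ID'] then it will have bug.
+ # I think this is a security hole.
+ # But every request the securitystring is change.
+ # and Maybe the attacker's 30**256 times to done it.
+ # Keep the code, it is simple on now.
+ self.security_string = securitystring.gen(30)
 
 # create some vars automatically
 for tuple in self._cfg.user_form_fields:
@@ -450,6 +460,12 @@
 # First try with default encoded password. Match only non empty
 # passwords. (require non empty enc_password)
 if self.enc_password and self.enc_password == data['enc_password']:
+ # If the user profile: It is create in moin-1.3 or old.
+ # then user profile have not security_string.
+ # MoinMoin will random create it.
+ if not data.has_key('security_string'):
+ data['security_string'] = securitystring.gen(30)
+ return True, True
 return True, False
 
 # Try to match using one of pre 1.3 8 bit charsets
@@ -483,6 +499,11 @@
 # User password match - replace the user password in the
 # file with self.password
 data['enc_password'] = self.enc_password
+ # If the user profile: It is create in pro moin-1.3 or old.
+ # then user profile have not security_string.
+ # MoinMoin will random create it.
+ if not data.has_key('security_string'):
+ data['security_string'] = securitystring.gen(30)
 return True, True
 
 # No encoded password match, this must be wrong password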
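Review bot: In both password-check hunks `data['security_string'] = securitystring.gen(30)` writes one fresh random value into the profile data that is then saved, while `self.security_string` was already set to a different random value in the __init__ hunk; unless the caller copies data back onto the instance after saving (not visible here), the cookie that request.py derives from `self.user.security_string` in the same request will not match the stored secret and the user is logged out on the next request. Assigning the value the instance already holds, `data['security_string'] = self.security_string`, keeps the two in step, and the duplicated legacy-profile block could become one small helper. The __init__ comment describes a worry ('security hole', '30**256') rather than the field; replace it with `# per-user secret used to derive the MOIN_ID cookie key; persisted with the profile and replaced on logout`. __init__ and the password check both continue outside the hunks.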
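--- a/MoinMoin/userform.py
+++ b/MoinMoin/userform.py
@@ -8,7 +8,7 @@
 
 import string, time, re
 from MoinMoin import user, util, wikiutil
-from MoinMoin.util import web, mail, datetime
+from MoinMoin.util import web, mail, datetime, securitystring
 from MoinMoin.widget import html
 
 _debug = 0
@@ -78,6 +78,10 @@
 theuser = user.User(self.request, uid)
 if theuser.valid and theuser.email.lower() == email:
 msg = theuser.mailAccountData()
+ # Change the security_string
+ # When the user request the account_sendmail.
+ theuser.security_string = securitystring.gen(30)
+ theuser.save()
 return wikiutil.escape(msg)
 
 return _("Found no account matching the given email address '%(email)s'!") % {'email': wikiutil.escape(email)}
@@ -148,6 +152,8 @@
 if thisuser.email == theuser.email and not thisuser.disabled:
 return _("This email already belongs to somebody else.")
 
+ # Before create the user's profile, create the user's security_string.
+ theuser.security_string = securitystring.gen(30)
 # save data
 theuser.save()
 if form.has_key('create_and_mail'):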
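Review bot: The rotation `theuser.security_string = securitystring.gen(30)` followed by `theuser.save()` in the account-mail hunk runs on a request that is authenticated by nothing more than knowing the account's email address, so anyone who knows a user's email can invalidate that user's cookies at will, and repeatedly. If the intent is to cut off old sessions once account data has been mailed, rotate only when the mailed credential is actually used, or at minimum record the trade-off at the rotate line: `# rotating the secret here logs the user out everywhere; reachable by anyone who knows the email`. In the create hunk the same assignment directly before `theuser.save()` repeats what the __init__ change in user.py already does; if it is deliberate, a one-line comment saying why would stop the next reader from removing it. The enclosing handlers start and end outside the hunks.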
210 --- orig/wiki/config/farmconfig.py
211 +++ mod/wiki/config/farmconfig.py
212 @@ -49,6 +49,7 @@
213 # Twisted server can now use the port, too.
214 ("moinmaster", r"^moinmaster.wikiwikiweb.de/.*$"),
215 ("moinmoin", r"^moinmoin.wikiwikiweb.de/.*$"),
216 + ("debug", r"^127.0.0.1/moin/moin.cgi.*$"),
217 ]
218
219
220 @@ -173,4 +174,3 @@
221
222 # Enable graphical charts, requires gdchart.
223 #chart_options = {'width': 600, 'height': 300}
224 -
225
226
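--- a/wiki/server/moin.cgi
+++ b/wiki/server/moin.cgi
@@ -13,18 +13,20 @@
 
 # Path of the directory where wikiconfig.py is located.
 # YOU NEED TO CHANGE THIS TO MATCH YOUR SETUP.
-sys.path.insert(0, '/path/to/wikiconfig')
+#sys.path.insert(0, '/path/to/wikiconfig')
+sys.path.insert(0, '/home/freak/tmp/moinmoin-dev/moin--main--1.5--patch-347/wiki/config')
 
 # Path to MoinMoin package, needed if you installed with --prefix=PREFIX
 # or if you did not use setup.py.
 ## sys.path.insert(0, 'PREFIX/lib/python2.3/site-packages')
+sys.path.insert(0, '/home/freak/tmp/moinmoin-dev/moin--main--1.5--patch-347')
 
 # Path of the directory where farmconfig.py is located (if different).
 ## sys.path.insert(0, '/path/to/farmconfig')
 
 # Debug mode - show detailed error reports
-## import os
-## os.environ['MOIN_DEBUG'] = '1'
+import os
+os.environ['MOIN_DEBUG'] = '1'
 
 # This is used to profile MoinMoin (default disabled)
 hotshotProfiler = 0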
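Review bot: The hunk bakes the author's checkout paths (`/home/freak/tmp/moinmoin-dev/...`) into the shipped CGI script and enables `os.environ['MOIN_DEBUG'] = '1'` unconditionally, which makes detailed error reports visible to every visitor of an installation that deploys this file. These are local setup edits, not part of the security-string feature, and together with the `("debug", r"^127.0.0.1/moin/moin.cgi.*$")` entry added to farmconfig.py they should be dropped from the patch before it is merged, restoring the commented `## import os` / `## os.environ['MOIN_DEBUG'] = '1'` lines and the `/path/to/wikiconfig` placeholder.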