oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Workaround for UiPassword cookie issues with sandboxed iframes

Browse source
This commit is contained in:
shortcutme 2020-05-03 03:59:09 +02:00
parent 439f8fc476
commit 36d96d484e
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
1 changed files with 53 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

65
plugins/disabled-UiPassword/UiPasswordPlugin.py
View file

@ -14,6 +14,7 @@ plugin_dir = os.path.dirname(__file__)
if "sessions" not in locals().keys(): # To keep sessions between module reloads if "sessions" not in locals().keys(): # To keep sessions between module reloads
sessions = {} sessions = {}
whitelisted_client_ids = {}
def showPasswordAdvice(password): def showPasswordAdvice(password):
@ -28,8 +29,26 @@ def showPasswordAdvice(password):
@PluginManager.registerTo("UiRequest") @PluginManager.registerTo("UiRequest")
class UiRequestPlugin(object): class UiRequestPlugin(object):
sessions = sessions sessions = sessions
whitelisted_client_ids = whitelisted_client_ids
last_cleanup = time.time() last_cleanup = time.time()
def getClientId(self):
return self.env["REMOTE_ADDR"] + " - " + self.env["HTTP_USER_AGENT"]
def whitelistClientId(self, session_id=None):
if not session_id:
session_id = self.getCookies().get("session_id")
client_id = self.getClientId()
if client_id in self.whitelisted_client_ids:
self.whitelisted_client_ids[client_id]["updated"] = time.time()
return False
self.whitelisted_client_ids[client_id] = {
"added": time.time(),
"updated": time.time(),
"session_id": session_id
}
def route(self, path): def route(self, path):
# Restict Ui access by ip # Restict Ui access by ip
if config.ui_restrict and self.env['REMOTE_ADDR'] not in config.ui_restrict: if config.ui_restrict and self.env['REMOTE_ADDR'] not in config.ui_restrict:
@ -42,10 +61,22 @@ class UiRequestPlugin(object):
self.cleanup() self.cleanup()
# Validate session # Validate session
session_id = self.getCookies().get("session_id") session_id = self.getCookies().get("session_id")
if session_id not in self.sessions: # Invalid session id, display login if session_id not in self.sessions and self.getClientId() not in self.whitelisted_client_ids:
# Invalid session id and not whitelisted ip: display login
return self.actionLogin() return self.actionLogin()
return super(UiRequestPlugin, self).route(path) return super(UiRequestPlugin, self).route(path)
def actionWrapper(self, path, *args, **kwargs):
if config.ui_password and self.isWrapperNecessary(path):
session_id = self.getCookies().get("session_id")
if session_id not in self.sessions:
# We only accept cookie based auth on wrapper
return self.actionLogin()
else:
self.whitelistClientId()
return super().actionWrapper(path, *args, **kwargs)
# Action: Login # Action: Login
@helper.encodeResponse @helper.encodeResponse
def actionLogin(self): def actionLogin(self):
@ -53,13 +84,14 @@ class UiRequestPlugin(object):
self.sendHeader() self.sendHeader()
posted = self.getPosted() posted = self.getPosted()
if posted: # Validate http posted data if posted: # Validate http posted data
if self.checkPassword(posted.get("password")): if self.sessionCheckPassword(posted.get("password")):
# Valid password, create session # Valid password, create session
session_id = self.randomString(26) session_id = self.randomString(26)
self.sessions[session_id] = { self.sessions[session_id] = {
"added": time.time(), "added": time.time(),
"keep": posted.get("keep") "keep": posted.get("keep")
} }
self.whitelistClientId(session_id)
# Redirect to homepage or referer # Redirect to homepage or referer
url = self.env.get("HTTP_REFERER", "") url = self.env.get("HTTP_REFERER", "")
@ -74,20 +106,26 @@ class UiRequestPlugin(object):
template = template.replace("{result}", "bad_password") template = template.replace("{result}", "bad_password")
yield template yield template
def checkPassword(self, password):
return password == config.ui_password
def randomString(self, nchars): def randomString(self, nchars):
return ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for _ in range(nchars)) return ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for _ in range(nchars))
@classmethod def sessionCheckPassword(self, password):
def cleanup(cls): return password == config.ui_password
cls.last_cleanup = time.time()
for session_id, session in list(cls.sessions.items()): def sessionDelete(self, session_id):
del self.sessions[session_id]
for client_id in list(self.whitelisted_client_ids):
if self.whitelisted_client_ids[client_id]["session_id"] == session_id:
del self.whitelisted_client_ids[client_id]
def sessionCleanup(self):
self.last_cleanup = time.time()
for session_id, session in list(self.sessions.items()):
if session["keep"] and time.time() - session["added"] > 60 * 60 * 24 * 60: # Max 60days for keep sessions if session["keep"] and time.time() - session["added"] > 60 * 60 * 24 * 60: # Max 60days for keep sessions
del(cls.sessions[session_id]) self.sessionDelete(session_id)
elif not session["keep"] and time.time() - session["added"] > 60 * 60 * 24: # Max 24h for non-keep sessions elif not session["keep"] and time.time() - session["added"] > 60 * 60 * 24: # Max 24h for non-keep sessions
del(cls.sessions[session_id]) self.sessionDelete(session_id)
# Action: Display sessions # Action: Display sessions
@helper.encodeResponse @helper.encodeResponse
@ -95,6 +133,8 @@ class UiRequestPlugin(object):
self.sendHeader() self.sendHeader()
yield "<pre>" yield "<pre>"
yield json.dumps(self.sessions, indent=4) yield json.dumps(self.sessions, indent=4)
yield "\r\n"
yield json.dumps(self.whitelisted_client_ids, indent=4)
# Action: Logout # Action: Logout
@helper.encodeResponse @helper.encodeResponse
@ -103,7 +143,8 @@ class UiRequestPlugin(object):
session_id = self.getCookies().get("session_id") session_id = self.getCookies().get("session_id")
if not self.env.get("HTTP_REFERER") or session_id == self.get.get("session_id"): if not self.env.get("HTTP_REFERER") or session_id == self.get.get("session_id"):
if session_id in self.sessions: if session_id in self.sessions:
del self.sessions[session_id] self.sessionDelete(session_id)
self.start_response('301 Redirect', [ self.start_response('301 Redirect', [
('Location', "/"), ('Location', "/"),
('Set-Cookie', "session_id=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") ('Set-Cookie', "session_id=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")