From e57e43c0de23078e342826bcbcaf3bf84ad62f93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Wed, 26 Apr 2017 15:14:33 +0200
Subject: [PATCH] sessions: store form tokens in external directory (#16048)
---
 tests/test_fields.py | 64 ++++++++++++++++++++++++-------------------------
 wcs/qommon/publisher.py | 9 +++++++
 wcs/qommon/sessions.py | 27 +++++++++++++++++++++
 3 files changed, 68 insertions(+), 32 deletions(-)
diff --git a/tests/test_fields.py b/tests/test_fields.py
index 6a53ed2c..15573b0a 100644
--- a/tests/test_fields.py
+++ b/tests/test_fields.py
@@ -29,7 +29,7 @@ def teardown_module(module):
 def test_fill_admin_form():
 for klass in fields.field_classes:
- form = Form()
+ form = Form(use_tokens=False)
 klass().fill_admin_form(form)
 def test_get_admin_attributes():
@@ -38,7 +38,7 @@ def test_get_admin_attributes():
 def test_add_to_form():
 for klass in fields.field_classes:
- form = Form()
+ form = Form(use_tokens=False)
 if klass is fields.PageField:
 with pytest.raises(AttributeError):
 klass(label='foo').add_to_form(form)
@@ -119,34 +119,34 @@ def test_table():
 def test_title():
 field = fields.TitleField(label='Foobar')
- form = Form()
+ form = Form(use_tokens=False)
 field.add_to_form(form)
 assert '

Foobar

' in str(form.render()) field = fields.TitleField(label='Foobar', extra_css_class='test') - form = Form() + form = Form(use_tokens=False) field.add_to_form(form) assert '

Foobar

' in str(form.render()) def test_subtitle(): field = fields.SubtitleField(label='Foobar') - form = Form() + form = Form(use_tokens=False) field.add_to_form(form) assert '

Foobar

' in str(form.render()) field = fields.SubtitleField(label='Foobar', extra_css_class='test') - form = Form() + form = Form(use_tokens=False) field.add_to_form(form) assert '

Foobar

' in str(form.render()) def test_comment(): field = fields.CommentField(label='Foobar') - form = Form() + form = Form(use_tokens=False) field.add_to_form(form) assert '

Foobar

' in str(form.render()) field = fields.CommentField(label='Foo\n\nBar\n\nBaz') - form = Form() + form = Form(use_tokens=False) field.add_to_form(form) assert '

Foo

\n

Bar

\n

Baz

' in str(form.render()) assert '
Foobar

' in str(form.render()) # test for proper escaping of substitution variables field = fields.CommentField(label='[foo]') - form = Form() + form = Form(use_tokens=False) field.add_to_form(form) assert '

1 < 3

' in str(form.render()) # test for html content field = fields.CommentField(label='

Foobar

') - form = Form() + form = Form(use_tokens=False) field.add_to_form(form) assert '

Foobar

' in str(form.render()) assert '
Bla bla bla') == 1 # --- assert str(form.render()).count('Bla bla bla') == 1 # --- assert str(form.render()).count('Bla bla bla') == 1 # --- assert str(form.render()).count('Bla bla bla') == 1 # --- assert str(form.render()).count('aa<' in str(form.render())
diff --git a/wcs/qommon/publisher.py b/wcs/qommon/publisher.py
index 05918e26..fe9713a7 100644
--- a/wcs/qommon/publisher.py
+++ b/wcs/qommon/publisher.py
@@ -98,6 +98,9 @@ class QommonPublisher(Publisher, object):
 gettext = lambda self, message: message
 ngettext = lambda self, msgid1, msgid2, n: msgid1
+ app_dir = None
+ form_tokens_dir = None
+
 def get_root_url(self):
 if self.get_request():
 return self.get_request().environ['SCRIPT_NAME'] + '/'
@@ -511,6 +514,12 @@ class QommonPublisher(Publisher, object):
 except OSError, e:
 pass
+ self.form_tokens_dir = os.path.join(self.app_dir, 'form-tokens')
+ try:
+ os.mkdir(self.form_tokens_dir)
+ except OSError: # already exists
+ pass
+
 def initialize_app_dir(self):
 '''If empty initialize the application directory with default configuration. Returns True if initialization has been done.'''
diff --git a/wcs/qommon/sessions.py b/wcs/qommon/sessions.py
index 7118cdab..67f58cae 100644
--- a/wcs/qommon/sessions.py
+++ b/wcs/qommon/sessions.py
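Review bot: `os.mkdir(self.form_tokens_dir)` creates the directory with the default mode, so under a permissive umask it is listable by other local accounts, and because each live token is stored as a bare filename (see `get_form_token_filepath` in sessions.py) a listing reveals every current form token; pass an explicit mode, `os.mkdir(self.form_tokens_dir, 0o700)` (the `0o` literal needs Python 2.6+, which the `except OSError, e:` context line suggests is the 2.x line in use). The bare `except OSError: # already exists` also swallows permission and missing-parent errors, so a failed creation only surfaces later when `create_form_token` tries to `open()` a file inside a directory that was never made; re-raise unless the directory really exists. Whether `app_dir` is shared with other accounts is a deployment question, but the mode costs nothing. The enclosing method starts outside the hunk.
```python
        self.form_tokens_dir = os.path.join(self.app_dir, 'form-tokens')
        try:
            # tokens are stored as filenames: keep the listing private
            os.mkdir(self.form_tokens_dir, 0o700)
        except OSError:
            # tolerate only an already-existing directory, not EACCES/ENOENT
            if not os.path.isdir(self.form_tokens_dir):
                raise
```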
@@ -127,9 +127,35 @@ class Session(QommonSession, CaptchaSession, StorableObject):
 session_id = property(get_session_id, set_session_id)
+ def get_form_token_filepath(self, token):
+ return os.path.join(get_publisher().form_tokens_dir, token)
+
+ def create_form_token(self):
+ token = super(Session, self).create_form_token()
+ open(self.get_form_token_filepath(token), 'w').close()
+ return token
+
+ def has_form_token(self, token):
+ has_form_token = super(Session, self).has_form_token(token)
+ if not os.path.exists(self.get_form_token_filepath(token)):
+ has_form_token = False
+ return has_form_token
+
 def remove_form_token(self, token):
 super(Session, self).remove_form_token(token)
 self.store()
+ try:
+ os.unlink(self.get_form_token_filepath(token))
+ except OSError:
+ pass
+
+ def clean_form_tokens(self):
+ dirname = os.path.join(get_publisher().app_dir, 'form-tokens')
+ for token in self._form_tokens:
+ try:
+ os.unlink(os.path.join(dirname, token))
+ except OSError:
+ pass
 def get_user(self):
 user_id = QuixoteSession.get_user(self)
@@ -327,6 +353,7 @@ class StorageSessionManager(QommonSessionManager):
 if session:
 session.clean_tempfiles()
+ session.clean_form_tokens()
 def get_sessions_for_saml(self, name_identifier = Ellipsis, \
 session_indexes = ()):
--
2.11.0
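Review bot: `get_form_token_filepath` builds a path from `token` with `os.path.join`, and in `has_form_token` and `remove_form_token` that token presumably arrives with the submitted form; a value containing a path separator or equal to `..` is not kept inside `form_tokens_dir`, so the existence check and the `os.unlink` would be applied to a path the caller chose. Whether a removal can be reached with a token the superclass never issued is not visible in the hunk, but the path should be derived only from a validated name: add at the top of `has_form_token` `if os.path.basename(token) != token or token in ('.', '..'): return False`, or raise `ValueError` for such tokens inside `get_form_token_filepath` so `remove_form_token` is covered as well. `clean_form_tokens` recomputes the directory from `get_publisher().app_dir` instead of going through `get_form_token_filepath`, so the two locations can drift, and it reads `self._form_tokens`, which looks like the superclass's private list; a one-line comment naming that dependency would help the next maintainer. The class continues outside the hunk.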