Add CSRF protection, some bugfixes.

admin.py

@@ -1,7 +1,6 @@
 from google.appengine.ext import webapp
 from google.appengine.ext.webapp.util import run_wsgi_app
 
-import fix_path
 import config
 import post_deploy
 import handlers
@@ -26,7 +25,6 @@
 
 
 def main():
-  fix_path.fix_sys_path()
   run_wsgi_app(application)
 
 

appengine_config.py

@@ -0,0 +1,8 @@
+import os
+import sys
+
+from google.appengine.dist import use_library
+
+use_library('django', '1.2')
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), 'lib'))
+os.environ['DJANGO_SETTINGS_MODULE'] = 'settings'

deferred.py

@@ -27,10 +27,7 @@
 from google.appengine.ext import deferred
 from google.appengine.ext.webapp.util import run_wsgi_app
 
-import fix_path
-
 def main():
-  fix_path.fix_sys_path()
   run_wsgi_app(deferred.application)
 
 

generators.py

@@ -6,7 +6,6 @@
 from google.appengine.ext import db
 from google.appengine.ext import deferred
 
-import fix_path
 import config
 import markup
 import static

handlers.py

@@ -10,8 +10,9 @@
 import models
 import post_deploy
 import utils
+import xsrfutil
 
-from django import newforms as forms
+from django import forms
 from google.appengine.ext.db import djangoforms
 
 
@@ -85,13 +86,14 @@ def get(self, post):
           'body_markup': post and post.body_markup or config.default_markup,
         }))
 
+  @xsrfutil.xsrf_protect
   @with_post
   def post(self, post):
     form = PostForm(data=self.request.POST, instance=post,
                     initial={'draft': post and post.published is None})
     if form.is_valid():
       post = form.save(commit=False)
-      if form.clean_data['draft']:# Draft post
+      if form.cleaned_data['draft']:# Draft post
         post.published = datetime.datetime.max
         post.put()
       else:
@@ -102,11 +104,12 @@ def post(self, post):
         post.publish()
       self.render_to_response("published.html", {
           'post': post,
-          'draft': form.clean_data['draft']})
+          'draft': form.cleaned_data['draft']})
     else:
       self.render_form(form)
 
 class DeleteHandler(BaseHandler):
+  @xsrfutil.xsrf_protect
   @with_post
   def post(self, post):
     if post.path:# Published post
@@ -130,6 +133,7 @@ def get(self, post):
 
 
 class RegenerateHandler(BaseHandler):
+  @xsrfutil.xsrf_protect
   def post(self):
     deferred.defer(post_deploy.PostRegenerator().regenerate)
     deferred.defer(post_deploy.PageRegenerator().regenerate)
@@ -201,6 +205,7 @@ def get(self, page):
           'path': page and page.path or '/',
         }))
 
+  @xsrfutil.xsrf_protect
   @with_page
   def post(self, page):
     form = None
@@ -226,6 +231,7 @@ def post(self, page):
 
 
 class PageDeleteHandler(BaseHandler):
+  @xsrfutil.xsrf_protect
   @with_page
   def post(self, page):
     page.remove()

lib/xsrfutil.py

@@ -0,0 +1,187 @@
+#!/usr/bin/python2.5
+#
+# Copyright 2010 the Melange authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Helper methods for creating & verifying XSRF tokens for AppEngine."""
+
+__authors__ = [
+  '"Doug Coker" <dcoker@google.com>',
+  '"Joe Gregorio" <jcgregorio@google.com>',
+  'dfa@websec.at',
+]
+
+
+import base64
+import binascii
+import hmac
+import os  # for urandom
+import time
+
+from google.appengine.api import memcache
+from google.appengine.api import users
+from google.appengine.ext import db
+
+# String used instead of user id when there is no user. Not that it makes sense
+# to protect unauthenticated functionality from XSRF.
+ANONYMOUS_USER = 'anonymous'
+
+# Delimiter character
+DELIMITER = ':'
+
+# 24 hours in seconds
+DEFAULT_TIMEOUT_SECS = 1*60*60*24
+
+def generate_token(key, user_id, path="", when=None):
+  """Generates a URL-safe token for the given user, action, time tuple.
+
+  Args:
+    key: secret key to use.
+    user_id: the user ID of the authenticated user.
+    path: The path the token should be valid for.
+    when: the time in seconds since the epoch at which the user was
+      authorized for this action. If not set the current time is used.
+
+  Returns:
+    A string XSRF protection token.
+  """
+  when = when or int(time.time())
+  digester = hmac.new(str(key))
+  digester.update(str(user_id))
+  digester.update(DELIMITER)
+  digester.update(str(path))
+  digester.update(DELIMITER)
+  digester.update(str(when))
+  digest = digester.digest()
+
+  token = base64.urlsafe_b64encode('%s%s%d' % (digest,
+                                               DELIMITER,
+                                               when))
+  return token
+
+
+def validate_token(key, token, user_id, path="", current_time=None,
+                   timeout=DEFAULT_TIMEOUT_SECS):
+  """Validates that the given token authorizes the user for the action.
+
+  Tokens are invalid if the time of issue is too old or if the token
+  does not match what generateToken outputs (i.e. the token was forged).
+
+  Args:
+    key: secret key to use.
+    token: a string of the token generated by generateToken.
+    user_id: the user ID of the authenticated user.
+    path: The path the token was received on.
+    current_time: Time at which the token was received (defaults to now)
+    timeout: How long your tokens are valid in seconds before they time out
+      (defaults to DEFAULT_TIMEOUT_SECS)
+
+  Returns:
+    A boolean - True if the user is authorized for the action, False
+    otherwise.
+  """
+  if not token:
+    return False
+  try:
+    decoded = base64.urlsafe_b64decode(str(token))
+    token_time = long(decoded.split(DELIMITER)[-1])
+  except (TypeError, ValueError):
+    return False
+  if current_time is None:
+    current_time = time.time()
+  # If the token is too old it's not valid.
+  if current_time - token_time > timeout:
+    return False
+
+  # The given token should match the generated one with the same time.
+  expected_token = generate_token(key, user_id, path=path, when=token_time)
+  if token != expected_token:
+    return False
+
+  return True
+
+
+def xsrf_protect(func):
+  """Decorator to protect webapp2's get and post functions from XSRF.
+
+  Decorating a function with @xsrf_protect will verify that a valid XSRF token
+  has been submitted through the xsrf parameter. Both GET and POST parameters
+  are accepted.
+
+  If no token or an invalid token is received, the decorated function is not
+  called and a 403 error will be issued.
+  """
+  def decorate(self, *args, **kwargs):
+    path = os.environ.get('PATH_INFO', '/')
+    token = self.request.get('xsrf', None)
+    if not token:
+      self.error(403)
+      return
+
+    user = ANONYMOUS_USER
+    if users.get_current_user():
+      user = users.get_current_user().user_id()
+    if not validate_token(XsrfSecret.get(), token, user, path):
+      self.error(403)
+      return
+
+    return func(self, *args, **kwargs)
+
+  return decorate
+
+
+def xsrf_token(path=None):
+  """Generates an XSRF token for the given path.
+
+  This function is mostly supposed to be used as a filter for a templating
+  system, so that tokens can be conveniently generated directly in the
+  template.
+
+  Args:
+    path: The path the token should be valid for. By default, the path of the
+      current request.
+  """
+  if not path:
+    path = os.environ.get('PATH_INFO')
+  user = ANONYMOUS_USER
+  if users.get_current_user():
+    user = users.get_current_user().user_id()
+  return generate_token(XsrfSecret.get(), user, path)
+
+
+class XsrfSecret(db.Model):
+  """Model for datastore to store the XSRF secret."""
+  secret = db.StringProperty(required=True)
+
+  @staticmethod
+  def get():
+    """Retrieves the XSRF secret.
+
+    Tries to retrieve the XSRF secret from memcache, and if that fails, falls
+    back to getting it out of datastore. Note that the secret should not be
+    changed, as that would result in all issued tokens becoming invalid.
+    """
+    secret = memcache.get('xsrf_secret')
+    if not secret:
+      xsrf_secret = XsrfSecret.all().get()
+      if not xsrf_secret:
+        # hmm, nothing found? We need to generate a secret for xsrf protection.
+        secret = binascii.b2a_hex(os.urandom(16))
+        xsrf_secret = XsrfSecret(secret=secret)
+        xsrf_secret.put()
+
+      secret = xsrf_secret.secret
+      memcache.set('xsrf_secret', secret)
+
+    return secret

markup.py

@@ -25,10 +25,6 @@
 import config
 import utils
 
-# Fix sys.path
-import fix_path
-fix_path.fix_sys_path()
-
 # Import markup module from lib/
 import markdown
 import markdown_processor

migrate.py

@@ -11,7 +11,6 @@
 from google.appengine.ext import deferred
 
 import config
-import fix_path
 import models
 import post_deploy
 

static.py

@@ -10,7 +10,6 @@
 from google.appengine.ext.webapp import template
 from google.appengine.ext.webapp.util import run_wsgi_app
 
-import fix_path
 import aetycoon
 import config
 import utils
@@ -75,7 +74,7 @@ def set(path, body, content_type, indexed=True, **kwargs):
   defaults.update(kwargs)
   content = StaticContent(
       key_name=path,
-      body=body,
+      body=str(body),
       content_type=content_type,
       indexed=indexed,
       **defaults)
@@ -180,7 +179,6 @@ def get(self, path):
 
 
 def main():
-  fix_path.fix_sys_path()
   run_wsgi_app(application)
 
 

themes/default/admin/edit.html

@@ -6,6 +6,7 @@ <h2>{% if form.instance %}Edit{% else %}New{% endif %} Post</h2>
     <table>
       {{form}}
     </table>
+    <input type="hidden" name="xsrf" value="{{ ''|xsrf_token }}">
     <input type="submit" value="Submit post" />
   </form>
 {% endblock %}

themes/default/admin/editpage.html

@@ -6,6 +6,7 @@ <h2>{% if form.instance %}Edit{% else %}New{% endif %} Page</h2>
     <table>
       {{form}}
     </table>
+    <input type="hidden" name="xsrf" value="{{ ''|xsrf_token }}">
     <input type="submit" value="Submit page" />
   </form>
 {% endblock %}