Only accept 'token' in POST fields (stop using get_arg())

tahoe-lafs · Apr 25, 2016 · 01b09f3 · 01b09f3
1 parent afb7718
commit 01b09f3
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 7 deletions.
diff --git a/src/allmydata/test/test_web.py b/src/allmydata/test/test_web.py
@@ -5905,12 +5905,19 @@ def beforeRender(self, ctx):
         raise CompletelyUnhandledError("whoops")
 
 
+# XXX FIXME when we introduce "mock" as a dependency, these can
+# probably just be Mock instances
 @implementer(IRequest)
 class FakeRequest(object):
     def __init__(self):
         self.method = "POST"
+        self.fields = dict()
         self.args = dict()
-        self.fields = []
+
+
+class FakeField(object):
+    def __init__(self, *values):
+        self.value = list(values)
 
 
 class FakeClientWithToken(object):
@@ -5945,10 +5952,21 @@ def test_missing_token(self):
         self.assertEquals(exc.text, "Missing token")
         self.assertEquals(exc.code, 401)
 
+    def test_token_in_get_args(self):
+        req = FakeRequest()
+        req.args['token'] = 'z' * 32
+
+        exc = self.assertRaises(
+            common.WebError,
+            self.page.renderHTTP, req,
+        )
+        self.assertEquals(exc.text, "Do not pass 'token' as URL argument")
+        self.assertEquals(exc.code, 400)
+
     def test_invalid_token(self):
         wrong_token = 'b' * 32
         req = FakeRequest()
-        req.args['token'] = [wrong_token]
+        req.fields['token'] = FakeField(wrong_token)
 
         exc = self.assertRaises(
             common.WebError,
@@ -5959,7 +5977,7 @@ def test_invalid_token(self):
 
     def test_valid_token_no_t_arg(self):
         req = FakeRequest()
-        req.args['token'] = [self.client.token]
+        req.fields['token'] = FakeField(self.client.token)
 
         with self.assertRaises(common.WebError) as exc:
             self.page.renderHTTP(req)
@@ -5968,7 +5986,7 @@ def test_valid_token_no_t_arg(self):
 
     def test_valid_token_invalid_t_arg(self):
         req = FakeRequest()
-        req.args['token'] = [self.client.token]
+        req.fields['token'] = FakeField(self.client.token)
         req.args['t'] = 'not at all json'
 
         with self.assertRaises(common.WebError) as exc:
@@ -5978,7 +5996,7 @@ def test_valid_token_invalid_t_arg(self):
 
     def test_valid(self):
         req = FakeRequest()
-        req.args['token'] = [self.client.token]
+        req.fields['token'] = FakeField(self.client.token)
         req.args['t'] = ['json']
 
         result = self.page.renderHTTP(req)

diff --git a/src/allmydata/web/common.py b/src/allmydata/web/common.py
@@ -412,8 +412,13 @@ def renderHTTP(self, ctx):
         req = IRequest(ctx)
         if req.method != 'POST':
             raise server.UnsupportedMethod(('POST',))
-
-        token = get_arg(req, "token", None)
+        if req.args.get('token', False):
+            raise WebError("Do not pass 'token' as URL argument", http.BAD_REQUEST)
+        # not using get_arg() here because we *don't* want the token
+        # argument to work if you passed it as a GET-style argument
+        token = None
+        if req.fields and 'token' in req.fields:
+            token = req.fields['token'].value[0]
         if not token:
             raise WebError("Missing token", http.UNAUTHORIZED)
         if not timing_safe_compare(token, self.client.get_auth_token()):