
Fixed CSRF in admin enable/disable. Thanks Nerendra Bhati

mdipierro committed May 4, 2016
1 parent 735d79c commit 4bd002aee978813bc664cf186ef38ff4e8bbe1cd
@@ -533,8 +533,8 @@ def delete():
redirect(URL(sender, anchor=request.vars.id2))
return dict(dialog=dialog, filename=filename)


def enable():
if not URL.verify(request, hmac_key=session.hmac_key): raise HTTP(401)
app = get_app()
filename = os.path.join(apath(app, r=request), 'DISABLED')
if is_gae:
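Review bot: The new guard at the top of enable() passes session.hmac_key to URL.verify without first checking that it is set; the key is only assigned on a successful verify_password call (see the models hunk on this page), so a session that predates this change, or one that never went through that path, reaches this line with hmac_key None, and what URL.verify does with a None key is not visible here. Failing closed costs one clause: `if not session.hmac_key or not URL.verify(request, hmac_key=session.hmac_key): raise HTTP(401)`. A 403 would also describe a rejected signature more accurately than 401, which conventionally means missing credentials rather than a forged request. The body of enable() continues past the end of this hunk.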
@@ -4,6 +4,7 @@
from gluon import portalocker
from gluon.admin import apath
from gluon.fileutils import read_file
from gluon.utils import web2py_uuid
# ###########################################################
# ## make sure administrator is on localhost or https
# ###########################################################
@@ -49,15 +50,18 @@
def verify_password(password):
session.pam_user = None
if DEMO_MODE:
return True
ret = True
elif not _config.get('password'):
return False
ret - False
elif _config['password'].startswith('pam_user:'):
session.pam_user = _config['password'][9:].strip()
import gluon.contrib.pam
return gluon.contrib.pam.authenticate(session.pam_user, password)
ret = gluon.contrib.pam.authenticate(session.pam_user, password)
else:
return _config['password'] == CRYPT()(password)[0]
ret = _config['password'] == CRYPT()(password)[0]
if ret:
session.hmac_key = web2py_uuid()
return ret


# ###########################################################
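Review bot: `ret - False` in the `elif not _config.get('password')` branch is a typo for an assignment: it is a bare subtraction expression, and because ret has not been bound on that path the function raises UnboundLocalError instead of returning False when no admin password is configured. It should read `ret = False`. With that corrected the rest of the refactor holds up: session.hmac_key is minted only when ret is truthy, so a session that never authenticated has no key to sign enable URLs with, which is the property the CSRF check depends on. Note that the key is regenerated on every successful login, so signed links held in another tab stop verifying after a re-login; that is acceptable but worth a one-line comment above the `if ret:` block.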
@@ -56,7 +56,7 @@ <h4 class="editableapp">{{=A(a,_href=URL(a,'default','index'))}}</h4>
{{pass}}
</ul>
</div>
{{=button_enable(URL('enable',args=a), a) if a!='admin' else ''}}
{{=button_enable(URL('enable',args=a, hmac_key=session.hmac_key), a) if a!='admin' else ''}}
</td>
</tr>
{{pass}}
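Review bot: The signed enable link is still a state-changing GET, so the `_signature` query parameter that URL(..., hmac_key=...) appends is exposed in Referer headers and access logs, and anyone who captures it can replay that exact URL until session.hmac_key changes, which per the verify_password hunk happens only on the next successful login. That is a sound CSRF fix, but moving the action to a POST form with the signature in the body would close the replay window and keep the token out of logs. If the link stays a GET, a short comment in the template saying the signature is session-bound and rotates on login would save the next maintainer from "fixing" it by caching the URL. If session.hmac_key is None in the rendering session the link is presumably emitted unsigned and then rejected by enable(); confirm that this is the intended failure mode.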
@@ -68,7 +68,7 @@ header, main, footer {display:block; with:100%} /* IE fix */
input:not([type]), input:not([type=checkbox]):not([type=radio]):not([type=button]):not([type=submit]), [type=file]:before {outline:none; padding:0.5em 1em; margin:0.5px; border-bottom:1px solid #ddd; width:100%}
textarea {width:100%; border:1px solid #ddd; padding:4px 8px; outline:none; outline:none}
select {-webkit-appearance:none; outline:none; padding:0.5em 1em; border-radius:0; margin:0.5px; border-bottom:1px solid #ddd; width:100%;background-color:transparent}
input, textarea, select, button {font-size:12px}
input, textarea, select, button, .btn {font-size:12px}
input:not([type]):hover, input:not([type=checkbox]):not([type=radio]):not([type=button]):not([type=submit]):hover, select:hover, textarea:hover {background-color:#fbf6d9; transition:background-color 1s ease}
input:invalid, input.error {background:#cc1f00;color:white}

@@ -115,8 +115,9 @@ def deploy(appname=None, all=False):
"""fab -H username@host deploy:appname,all"""
appname = appname or os.path.split(os.getcwd())[-1]
appfolder = applications+'/'+appname
if os.path.exists('_update.zip'):
os.unlink('_update.zip')
zipfile = os.path.join(appfolder, '_update.zip')
if os.path.exists(zipfile):
os.unlink(zipfile)

backup = mkdir_or_backup(appname)
