authoralice <alice@immerda.ch>2012-09-21 12:47:41 +0200
committeralice <alice@immerda.ch>2012-10-19 15:20:07 +0200
commit23ab03581259b016ada96a2f3aabdaae99a0d492 (patch)
tree8aae8c33b5f1fc310feda45afa55ac31e501edcb /py-bin
parentf21e3ae36909974e468b3d878034df0c7d5f57b5 (diff)
fixed security issue where a user could delete a foreign (not owned) jid; introduced per-jid password change
Diffstat (limited to 'py-bin')
-rw-r--r--py-bin/jabberman.py29
-rw-r--r--py-bin/setup.py15
-rw-r--r--py-bin/templates/jman_setup_base.em3
-rw-r--r--py-bin/templates/set_pw_form.em1
-rw-r--r--py-bin/templates/setup_main.em6
5 files changed, 32 insertions, 22 deletions
diff --git a/py-bin/jabberman.py b/py-bin/jabberman.py
index 21d01c8..04d4cb4 100644
--- a/py-bin/jabberman.py
+++ b/py-bin/jabberman.py
@@ -94,6 +94,10 @@ class JabberDB:
user = self.get_web_user(user_id)
if (not user) or (not self.is_jid(jabber_id)):
return (False, "Zugriff verweigert.")
+
+ jids = self.select_jids(user_id)
+ if len(filter(lambda jabber_user: jabber_user.jid == jabber_id, jids)) <= 0:
+ return (False, "Zugriff verweigert.")
if check_only:
return (True, "Jabber darf geloescht werden.")
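Review bot: The added ownership test `len(filter(lambda jabber_user: jabber_user.jid == jabber_id, jids)) <= 0` depends on `filter` returning a list, which holds on Python 2 (this file already treats `map`/`filter` results as lists, e.g. the `return map(...)` further down) but raises TypeError on Python 3, where `filter` yields an iterator. A direct membership check is shorter and version-independent: `if not any(jabber_user.jid == jabber_id for jabber_user in jids):`. The check itself is the right fix for the foreign-jid deletion — it is now impossible to delete a jid that `select_jids(user_id)` does not return for the authenticated user. The enclosing delete method begins before this hunk, so the `check_only` path and the actual deletion are not fully visible here.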
@@ -102,13 +106,16 @@ class JabberDB:
return (True, "Jabber Konto geloescht.")
- def change_primary_jid_password(self, user_id, password):
+ def change_jid_password(self, user_id, jabber_id, password):
user = self.get_web_user(user_id)
if not user:
return (False, "Zugriff verweigert.")
+
+ jids = self.select_jids(user_id)
+ if len(filter(lambda jabber_user: jabber_user.jid == jabber_id, jids)) <= 0:
+ return (False, "Zugriff verweigert.")
- primary_jid = user.get_primary_jid()
- self.update_jid(primary_jid, password)
+ self.update_jid(jabber_id, password)
return (True, "Passwort geaendert.")
def generate_web_user(self, email):
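Review bot: The ownership check added to `change_jid_password` is a byte-for-byte copy of the one added to the delete path above; two copies of a security check are how one of them drifts, so it belongs in a single private helper, e.g. `def __owns_jid(self, user_id, jabber_id): return any(jabber_user.jid == jabber_id for jabber_user in self.select_jids(user_id))`, called from both methods as `if not self.__owns_jid(user_id, jabber_id): return (False, "Zugriff verweigert.")`. Unlike the delete path, this method also skips the `self.is_jid(jabber_id)` sanity check; the ownership test makes that redundant for access control, but the asymmetry is worth a one-line comment. Since the method was renamed and gained a parameter, a docstring stating that `jabber_id` must belong to `user_id` and that the tuple is `(ok, status_message)` would help callers, which the hunk does not add.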
@@ -207,7 +214,6 @@ class JabberDB:
cur.execute("SELECT * FROM web_users")
rows = cur.fetchall()
- #FIXME: test this...
return map(lambda row: WebUser(row[0],row[1],row[2],row[3]), rows)
def __now(self):
@@ -298,17 +304,18 @@ class JabberManager:
return (True, status)
- def change_password(self, password):
+ def change_password(self, jid, password):
if not self.authenticated:
return (False, "Zugriff verweigert.")
user_id = self.current_user.email
- ok, status = self.jadb.change_primary_jid_password(user_id, password)
- if ok:
- self.__set_session(user_id, password = password)
- else:
- self.__clear_session()
- return (False, status)
+ ok, status = self.jadb.change_jid_password(user_id, jid, password)
+ if jid == self.current_user.get_primary_jid():
+ if ok:
+ self.__set_session(user_id, password = password)
+ else:
+ self.__clear_session()
+ return (False, status)
return (True, "Passwort erfolgreich geaendert.")
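Review bot: For a non-primary jid the result of `self.jadb.change_jid_password` is discarded: the `if ok / else` handling is nested under `if jid == self.current_user.get_primary_jid()`, so when the DB layer denies access (e.g. a jid the user does not own) the method still falls through to `return (True, "Passwort erfolgreich geaendert.")`. The ownership check in JabberDB prevents the actual password change, but this method reports success for a failed, possibly hostile request. Check `ok` first and only make the session handling conditional on the primary jid. Whether clearing the session on a failed primary-jid change is still wanted is a pre-existing design choice; the rewrite keeps it.
```python
        ok, status = self.jadb.change_jid_password(user_id, jid, password)
        is_primary = (jid == self.current_user.get_primary_jid())
        if not ok:
            # failure must be reported regardless of which jid was targeted
            if is_primary:
                self.__clear_session()
            return (False, status)
        if is_primary:
            self.__set_session(user_id, password = password)
        return (True, "Passwort erfolgreich geaendert.")
```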
diff --git a/py-bin/setup.py b/py-bin/setup.py
index fc521c6..8e489ec 100644
--- a/py-bin/setup.py
+++ b/py-bin/setup.py
@@ -10,22 +10,24 @@ class SetupMixIn:
paras = dict(user_id=str(user.email), jabber_id=str(user.get_primary_jid()))
- acc_list = map(self.__get_delete_tuple, self.jman.get_extra_account_list(user.email))
+ acc_list = map(self.__get_jid_tuple, self.jman.get_extra_account_list(user.email))
self.render_template(req, "setup_main.em", paras, dict(account_list=acc_list))
setup_main.web_callable = True
- def __get_delete_tuple(self, account):
- url = self.make_url([("cmd","delete_account_ask"), ("account",account.jid)])
- return (html_encode(account.jid), url)
+ def __get_jid_tuple(self, account):
+ deleteUrl = self.make_url([("cmd","delete_account_ask"), ("account",account.jid)])
+ changePwUrl = self.make_url([("cmd","set_pw_form"), ("account",account.jid)])
+ return (html_encode(account.jid), deleteUrl, changePwUrl)
def set_pw_form(self, req):
user = self.__authenticate(req)
if not user:
return
+ jid = req.params.get("account", "")
last_error = req.params.get("error", "")
self.render_template(req, "set_pw_form.em",
- dict(user_id=str(user.email), error=last_error))
+ dict(user_id=str(user.email), jid=jid, error=last_error))
set_pw_form.web_callable = True
def set_pw_process(self, req):
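Review bot: In `set_pw_form` the new `jid = req.params.get("account", "")` is passed straight into the template, where it ends up inside an HTML attribute (`value="@jid"` in set_pw_form.em); the value is attacker-controlled via the query string and is not escaped, whereas `__get_jid_tuple` explicitly wraps `account.jid` in `html_encode` before rendering, which suggests `render_template` does not escape on its own. That is a reflected XSS on a GET endpoint reachable by any authenticated user; encode it as `jid = html_encode(req.params.get("account", ""))` (the pre-existing `error` parameter on the line below has the same exposure). Optionally the form could also refuse to render for a jid not in the user's account list, although the ownership check in the DB layer already blocks the actual change.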
@@ -33,6 +35,7 @@ class SetupMixIn:
if not user:
return
+ jid = req.params.get("jid", "")
password = req.params.get("password", "")
password2 = req.params.get("password2", "")
@@ -42,7 +45,7 @@ class SetupMixIn:
self.redirect_to(req, url)
return
- self.jman.change_password(password)
+ self.jman.change_password(jid, password)
self.__redirect_to_main(req)
set_pw_process.web_callable = True
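Review bot: The return value of `self.jman.change_password(jid, password)` is ignored and the handler unconditionally redirects to the main page, so a denied request (foreign jid, or an empty `jid` when the hidden field is missing) produces the same outcome as success and the user never sees the "Zugriff verweigert." status. The method already has an error path for mismatching passwords a few lines up (`self.redirect_to(req, url)` then `return`, with `url` built outside this hunk), so feeding the status back to the form the same way is consistent with the existing code; `set_pw_form` already reads an `error` parameter. The start of `set_pw_process` lies outside this hunk.
```python
        ok, status = self.jman.change_password(jid, password)
        if not ok:
            # surface the failure on the form instead of silently returning to main
            url = self.make_url([("cmd","set_pw_form"), ("account", jid), ("error", status)])
            self.redirect_to(req, url)
            return
        self.__redirect_to_main(req)
```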
diff --git a/py-bin/templates/jman_setup_base.em b/py-bin/templates/jman_setup_base.em
index 329c3b3..a74cd4e 100644
--- a/py-bin/templates/jman_setup_base.em
+++ b/py-bin/templates/jman_setup_base.em
@@ -4,7 +4,6 @@
<div id="userbar">
@[if "user_id" in locals()]
<i>@user_id</i>&nbsp;&nbsp;|&nbsp;
- <a href="main.py?cmd=set_pw_form">Passwort ändern</a>&nbsp;&nbsp;|&nbsp;
<a href="main.py?cmd=logout">Ausloggen</a>
@[end if]
</div>
@@ -15,4 +14,4 @@
@[if "error" in locals() and error != ""] <p>Fehler: <b>@error</b></p> @[end if]
@em_child_content
</div>
- \ No newline at end of file
+
diff --git a/py-bin/templates/set_pw_form.em b/py-bin/templates/set_pw_form.em
index 7e7a3b7..beb9e1e 100644
--- a/py-bin/templates/set_pw_form.em
+++ b/py-bin/templates/set_pw_form.em
@@ -20,6 +20,7 @@
<p>Passwort: <input type="password" name="password"/></p>
<p>Passwort bestätigen: <input type="password" name="password2"/></p>
<p><input type="reset" value="Zurücksetzen"/>
+ <input type="hidden" name="jid" value="@jid"/></p>
<input type="submit" name="submitted" value="Passwort setzen"/></p>
</form>
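Review bot: The added line closes the paragraph with `</p>` right after the hidden input, but the following unchanged line still ends with its own `</p>`, so the submit button now sits outside the paragraph and is followed by a stray closing tag. Drop the closing tag from the new line, `<input type="hidden" name="jid" value="@jid"/>`, and let the existing `</p>` after the submit button close the paragraph as before. Since `@jid` is interpolated into an attribute, it must arrive already HTML-encoded from the Python side or the template engine must escape it; the template itself shows no escaping.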
diff --git a/py-bin/templates/setup_main.em b/py-bin/templates/setup_main.em
index 3109f4b..4919255 100644
--- a/py-bin/templates/setup_main.em
+++ b/py-bin/templates/setup_main.em
@@ -4,8 +4,8 @@
<p>Jabber Konten: [<a href="main.py?cmd=add_account_form">Hinzufügen</a>]</p>
<ul>
<li><b><i>@jabber_id</i></b> (Standard)</li>
- @[for jabber_id, url in account_list]
- <li><i>@jabber_id</i> [<a href="@url">Löschen</a>]</li>
+ @[for jabber_id, deleteUrl, changePwUrl in account_list]
+ <li><i>@jabber_id</i> [<a href="@deleteUrl">Löschen</a>] [<a href="@changePwUrl">Passwort ändern</a>]</li>
@[end for]
</ul>
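Review bot: After this commit the primary (Standard) jid has no way to change its password from the UI: the generic "Passwort ändern" link was removed from the user bar in jman_setup_base.em, and the new per-account link is only emitted inside the loop over the extra accounts, while the `(Standard)` entry on the unchanged line above keeps no link. The `change_password` code that updates the session for the primary jid is then only reachable by hand-crafting the URL. Add a link for the primary entry, built in setup.py with the same helper as the others so the jid is URL-encoded, e.g. `primary_pw_url=self.make_url([("cmd","set_pw_form"), ("account", user.get_primary_jid())])` in `paras`, and render it as `<li><b><i>@jabber_id</i></b> (Standard) [<a href="@primary_pw_url">Passwort ändern</a>]</li>`.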
@@ -19,4 +19,4 @@
@[end if]
<p>Eine ausführliche Erklärung zu den Adressen findest du in der
<a href="main.py?cmd=help">Hilfe</a>.
-</p> \ No newline at end of file
+</p>