Verified Commit ebef8826 authored by Štěpán Henek's avatar Štěpán Henek 🌩

return 403 during incorrect logins

parent 895229f0
......@@ -45,10 +45,7 @@ logger = logging.getLogger("foris.common")
BASE_DIR = os.path.dirname(os.path.dirname(__file__))
def login():
session = bottle.request.environ["foris.session"]
next = bottle.request.POST.get("next")
def login(next, session):
if check_password(bottle.request.POST.get("password")):
# re-generate session to prevent session fixation
session.recreate()
......@@ -56,20 +53,14 @@ def login():
update_csrf_token(save_session=False)
session.save()
if next and is_safe_redirect(next, bottle.request.get_header('host')):
bottle.redirect(next)
# update contract status
current_state.backend.perform("about", "update_contract_status", {})
else:
messages.error(_("The password you entered was not valid."))
if next:
redirect = "/?next=%s" % next
if is_safe_redirect(redirect, bottle.request.get_header('host')):
bottle.redirect(redirect)
bottle.redirect(reverse("index"))
if next and is_safe_redirect(next, bottle.request.get_header('host')):
bottle.redirect(next)
else:
bottle.redirect(reverse("index"))
def logout():
......@@ -236,8 +227,8 @@ def init_default_app(index, include_static=False):
app = bottle.app()
app.install(CSRFPlugin())
app.route("/", name="index", callback=index)
app.route("/", method="POST", name="login", callback=index)
app.route("/lang/<lang:re:\w{2}>", name="change_lang", callback=change_lang)
app.route("/", method="POST", name="login", callback=login)
app.route("/logout", name="logout", callback=logout)
app.route("/reboot", name="reboot", callback=reboot)
if include_static:
......
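Review bot: In the second hunk of `login(next, session)`, a wrong password is now signalled only implicitly — the function falls off the end without redirecting, and both callers treat "returned at all" as failure, which is fragile if a later change adds a success path that does not raise a redirect. I would make the contract explicit with a trailing `return False` and a docstring stating that success never returns because `bottle.redirect` raises, and log the failure with the module logger already in scope: `logger.warning("Failed login attempt from %s", bottle.request.remote_addr)`, so repeated attempts are at least visible before any lockout or rate limit is considered. The parameter name `next` also shadows the builtin; `next_url` would read cleaner. `login` starts in the first hunk and its tail is cut by the hunk boundary, and the route change in the third hunk (callback `index` versus `login`) looks consistent with the new signature, though the rendered view does not make the old/new sides certain.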
......@@ -19,10 +19,10 @@ import base64
import logging
import time
from bottle import Bottle, request, template
from bottle import Bottle, request, template, response
import bottle
from foris.common import require_contract_valid
from foris.common import require_contract_valid, login
from foris.utils.translators import gettext_dummy as gettext, _
from foris.caches import lazy_cache
from foris.config_handlers import (
......@@ -708,17 +708,28 @@ def login_redirect():
@bottle.view("index")
def top_index():
session = bottle.request.environ['foris.session']
allowed_step_max, wizard_finished = get_wizard_progress(session)
if bottle.request.method == 'POST':
next = bottle.request.POST.get("next", None)
login(next, session)
# if login passes it will redirect to a proper page
# otherwise it contains next parameter
messages.error(_("The password you entered was not valid."))
response.status = 403
else:
next = bottle.request.GET.get("next", None)
allowed_step_max, wizard_finished = get_wizard_progress(session)
if allowed_step_max == 1:
if session.is_anonymous:
session.recreate()
session["user_authenticated"] = True
session.save()
if allowed_step_max == 1:
if session.is_anonymous:
session.recreate()
session["user_authenticated"] = True
session.save()
if session.get("user_authenticated"):
login_redirect()
if session.get("user_authenticated"):
login_redirect()
return dict(
luci_path="//%(host)s/%(path)s"
% {'host': bottle.request.get_header('host'), 'path': 'cgi-bin/luci'})
% {'host': bottle.request.get_header('host'), 'path': 'cgi-bin/luci'},
next=next
)
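Review bot: In `top_index`, the `next` value read from the POST body on the failed-login path (and from the query string on GET) is passed straight into the template without the `is_safe_redirect` check that `login` applies, so an attacker-supplied target is reflected back into the rendered form and carried into the next request. Bottle's `{{ }}` escapes output by default, so this is unlikely to be an injection, but it still propagates an unvetted redirect target; filter it once before rendering: `host = bottle.request.get_header('host')` / `next = next if next and is_safe_redirect(next, host) else None` (importing `is_safe_redirect` from `foris.common` if it is not already in scope — the import hunk does not show it). The two comment lines after `login(next, session)` are vague ("it contains next parameter"); a docstring such as `"""Render the login page; on POST attempt a login — success redirects and never returns, failure re-renders the form with HTTP 403."""` says what a reader needs.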
......@@ -35,7 +35,7 @@
%if user_authenticated():
<a href="{{ url("logout") }}">{{ trans("Log out") }}</a>
%else:
<form action="{{ request.fullpath }}" method="POST">
<form action="{{ request.fullpath }}{{ '?next=%s' % next if next else '' }}" method="POST">
<input type="hidden" name="csrf_token" value="{{ get_csrf_token() }}">
%if request.GET.get("next"):
<input type="hidden" name="next" value="{{ request.GET['next'] }}">
......
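Review bot: The new form action builds `?next=%s` from the raw `next` value without URL-encoding, so a target containing `&`, `#` or `%` (for example a path carrying its own query string) is re-parsed differently on the next POST and `next` arrives truncated or altered. Since the views now pass `next` into the template, the hidden input on the following lines — which still reads only `request.GET` and is therefore missing after a 403 re-render — could use that variable instead and the action suffix be dropped: `%if next:` / `<input type="hidden" name="next" value="{{ next }}">`, which keeps the value out of the URL and lets the template's attribute escaping handle it. If the action suffix is kept, the value should be URL-encoded in the view first (e.g. `urllib.parse.quote`), because `{{ }}` HTML-escapes but, as far as I can tell, does not URL-encode.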
......@@ -14,12 +14,12 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from bottle import Bottle, template, request
from bottle import Bottle, template, request, response
import bottle
from ncclient.operations import RPCError, TimeoutExpiredError
import logging
from foris.common import require_contract_valid
from foris.common import require_contract_valid, login
from foris.config_handlers import base, lan, misc, updater, wan, wifi
from foris.nuci import client, filters
from foris.nuci.configurator import add_config_update, commit
......@@ -539,19 +539,28 @@ def login_redirect(step_num, wizard_finished=False):
@bottle.view("index")
def top_index():
session = bottle.request.environ['foris.session']
allowed_step_max, wizard_finished = get_wizard_progress(session)
if allowed_step_max == 1:
if session.is_anonymous:
session.recreate()
session["user_authenticated"] = True
if bottle.request.method == 'POST':
next = bottle.request.POST.get("next", None)
login(next, session)
# if login passes it will redirect to a proper page
# otherwise it contains next parameter
messages.error(_("The password you entered was not valid."))
response.status = 403
else:
session[WIZARD_NEXT_STEP_ALLOWED_KEY] = str(allowed_step_max)
session["wizard_finished"] = wizard_finished
allowed_step_max = int(allowed_step_max)
next = bottle.request.GET.get("next", None)
allowed_step_max, wizard_finished = get_wizard_progress(session)
if allowed_step_max == 1:
if session.is_anonymous:
session.recreate()
session["user_authenticated"] = True
else:
session[WIZARD_NEXT_STEP_ALLOWED_KEY] = str(allowed_step_max)
session["wizard_finished"] = wizard_finished
allowed_step_max = int(allowed_step_max)
session.save()
if session.get("user_authenticated"):
login_redirect(allowed_step_max, wizard_finished)
session.save()
if session.get("user_authenticated"):
login_redirect(allowed_step_max, wizard_finished)
return {}
return {"next": next}
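Review bot: The failed-login handling in this `top_index` (`login(next, session)` followed by `messages.error(...)` and `response.status = 403`) duplicates the same five lines in the wizard's `top_index`, so the message text and status code now live in two places and can drift; moving the error message and the 403 into `login` itself in `foris.common`, or into a small shared helper beside it that the two views call, would keep both entry points in step. Please also confirm that `messages` and `_` are imported in this module — the import hunk at the top of the file shows neither, and the old code here did not use them, so the first bad password would raise a NameError if they are missing. The comment `# otherwise it contains next parameter` is unclear; `# login() only returns on failure (success raises a redirect); fall through and re-render the form with 403` states what actually happens.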