Only accept 'token' in POST fields (stop using get_arg())

2025-01-31 08:25:35 +00:00 · 2016-04-25 16:15:45 -06:00 · 2016-04-25 16:15:45 -06:00 · 01b09f3bac
commit 01b09f3bac
parent afb7718f89
2 changed files with 30 additions and 7 deletions
--- a/src/allmydata/test/test_web.py
+++ b/src/allmydata/test/test_web.py
@ -5905,12 +5905,19 @@ class ErrorBoom(rend.Page):
        raise CompletelyUnhandledError("whoops")


+# XXX FIXME when we introduce "mock" as a dependency, these can
+# probably just be Mock instances
@implementer(IRequest)
 class FakeRequest(object):
    def __init__(self):
        self.method = "POST"
+        self.fields = dict()
        self.args = dict()
-        self.fields = []
+
+
+class FakeField(object):
+    def __init__(self, *values):
+        self.value = list(values)


 class FakeClientWithToken(object):
@ -5945,10 +5952,21 @@ class TestTokenOnlyApi(unittest.TestCase):
        self.assertEquals(exc.text, "Missing token")
        self.assertEquals(exc.code, 401)

+    def test_token_in_get_args(self):
+        req = FakeRequest()
+        req.args['token'] = 'z' * 32
+
+        exc = self.assertRaises(
+            common.WebError,
+            self.page.renderHTTP, req,
+        )
+        self.assertEquals(exc.text, "Do not pass 'token' as URL argument")
+        self.assertEquals(exc.code, 400)
+
    def test_invalid_token(self):
        wrong_token = 'b' * 32
        req = FakeRequest()
-        req.args['token'] = [wrong_token]
+        req.fields['token'] = FakeField(wrong_token)

        exc = self.assertRaises(
            common.WebError,
@ -5959,7 +5977,7 @@ class TestTokenOnlyApi(unittest.TestCase):

    def test_valid_token_no_t_arg(self):
        req = FakeRequest()
-        req.args['token'] = [self.client.token]
+        req.fields['token'] = FakeField(self.client.token)

        with self.assertRaises(common.WebError) as exc:
            self.page.renderHTTP(req)
@ -5968,7 +5986,7 @@ class TestTokenOnlyApi(unittest.TestCase):

    def test_valid_token_invalid_t_arg(self):
        req = FakeRequest()
-        req.args['token'] = [self.client.token]
+        req.fields['token'] = FakeField(self.client.token)
        req.args['t'] = 'not at all json'

        with self.assertRaises(common.WebError) as exc:
@ -5978,7 +5996,7 @@ class TestTokenOnlyApi(unittest.TestCase):

    def test_valid(self):
        req = FakeRequest()
-        req.args['token'] = [self.client.token]
+        req.fields['token'] = FakeField(self.client.token)
        req.args['t'] = ['json']

        result = self.page.renderHTTP(req)
--- a/src/allmydata/web/common.py
+++ b/src/allmydata/web/common.py
@ -412,8 +412,13 @@ class TokenOnlyWebApi(rend.Page):
        req = IRequest(ctx)
        if req.method != 'POST':
            raise server.UnsupportedMethod(('POST',))
-
-        token = get_arg(req, "token", None)
+        if req.args.get('token', False):
+            raise WebError("Do not pass 'token' as URL argument", http.BAD_REQUEST)
+        # not using get_arg() here because we *don't* want the token
+        # argument to work if you passed it as a GET-style argument
+        token = None
+        if req.fields and 'token' in req.fields:
+            token = req.fields['token'].value[0]
        if not token:
            raise WebError("Missing token", http.UNAUTHORIZED)
        if not timing_safe_compare(token, self.client.get_auth_token()):