-rw-r--r--askbot/__init__.py2
-rw-r--r--askbot/deps/django_authopenid/util.py64
-rw-r--r--askbot/doc/source/changelog.rst8
-rw-r--r--askbot/skins/common/templates/authopenid/signin.html4
-rw-r--r--askbot/skins/default/templates/close.html2
-rw-r--r--askbot/skins/default/templates/question.html2
-rw-r--r--askbot/skins/default/templates/question/question_card.html2
-rw-r--r--askbot/skins/default/templates/question/sidebar.html2
-rw-r--r--askbot/skins/default/templates/question_retag.html2
-rw-r--r--askbot/skins/default/templates/question_widget.html2
-rw-r--r--askbot/skins/default/templates/reopen.html2
-rw-r--r--askbot/skins/default/templates/revisions.html2
-rw-r--r--askbot/skins/default/templates/user_profile/user_recent.html2
-rw-r--r--askbot/skins/default/templates/user_profile/user_stats.html6
-rw-r--r--askbot/skins/default/templates/widgets/ask_form.html2
15 files changed, 68 insertions, 36 deletions
diff --git a/askbot/__init__.py b/askbot/__init__.py
index 7b12329c..2989d660 100644
--- a/askbot/__init__.py
+++ b/askbot/__init__.py
@@ -9,7 +9,7 @@ import smtplib
import sys
import logging
-VERSION = (0, 7, 37)
+VERSION = (0, 7, 39)
#keys are module names used by python imports,
#values - the package qualifier to use for pip
diff --git a/askbot/deps/django_authopenid/util.py b/askbot/deps/django_authopenid/util.py
index 4468a6d2..28f6b2dd 100644
--- a/askbot/deps/django_authopenid/util.py
+++ b/askbot/deps/django_authopenid/util.py
@@ -29,7 +29,7 @@ try:
except:
from yadis import xri
-import time, base64, hashlib, operator, logging
+import time, base64, hmac, hashlib, operator, logging
from models import Association, Nonce
__all__ = ['OpenID', 'DjangoOpenIDStore', 'from_openid_response', 'clean_next']
@@ -787,30 +787,54 @@ class FacebookError(Exception):
"""
pass
-def get_facebook_user_id(request):
- try:
- key = askbot_settings.FACEBOOK_KEY
- secret = askbot_settings.FACEBOOK_SECRET
+def urlsafe_b64decode(input):
+ length = len(input)
+ return base64.urlsafe_b64decode(
+ input.ljust(length + length % 4, '=')
+ )
- fb_cookie = request.COOKIES['fbs_%s' % key]
- fb_response = dict(cgi.parse_qsl(fb_cookie))
+def parse_signed_facebook_request(signed_request, secret):
+ """
+ Parse signed_request given by Facebook (usually via POST),
+ decrypt with app secret.
- signature = None
- payload = ''
- for key in sorted(fb_response.keys()):
- if key != 'sig':
- payload += '%s=%s' % (key, fb_response[key])
+ Arguments:
+ signed_request -- Facebook's signed request given through POST
+ secret -- Application's app_secret required to decrpyt signed_request
- if 'sig' in fb_response:
- if md5(payload + secret).hexdigest() != fb_response['sig']:
- raise ValueError('signature does not match')
- else:
- raise ValueError('no signature in facebook response')
+ slightly edited copy from https://gist.github.com/1190267
+ """
+
+ if "." in signed_request:
+ esig, payload = signed_request.split(".")
+ else:
+ return {}
- if 'uid' not in fb_response:
- raise ValueError('no user id in facebook response')
+ sig = urlsafe_b64decode(str(esig))
+ data = simplejson.loads(urlsafe_b64decode(str(payload)))
- return fb_response['uid']
+ if not isinstance(data, dict):
+ raise ValueError("Pyload is not a json string!")
+ return {}
+
+ if data["algorithm"].upper() == "HMAC-SHA256":
+ if hmac.new(str(secret), str(payload), hashlib.sha256).digest() == sig:
+ return data
+ else:
+ raise ValueError("Not HMAC-SHA256 encrypted!")
+
+ return {}
+
+def get_facebook_user_id(request):
+ try:
+ key = askbot_settings.FACEBOOK_KEY
+ fb_cookie = request.COOKIES['fbsr_%s' % key]
+ if not fb_cookie:
+ raise ValueError('cannot access facebook cookie')
+
+ secret = askbot_settings.FACEBOOK_SECRET
+ response = parse_signed_facebook_request(fb_cookie, secret)
+ return response['user_id']
except Exception, e:
raise FacebookError(e)
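Review bot: The signature check `if hmac.new(str(secret), str(payload), hashlib.sha256).digest() == sig:` compares the MAC with plain `==`, which short-circuits at the first differing byte; on Pythons that provide it, `hmac.compare_digest(hmac.new(str(secret), str(payload), hashlib.sha256).digest(), sig)` is the constant-time form, otherwise a fixed-time comparison that XOR-accumulates over both byte strings and only checks the result at the end. Just above it, the `return {}` following `raise ValueError("Pyload is not a json string!")` is unreachable and the message has a typo — `raise ValueError("Payload is not a JSON object")` with the dead line dropped. The `else` branch's `"Not HMAC-SHA256 encrypted!"` is reached when the MAC does not match, not when the algorithm differs, so `raise ValueError('signature does not match')` (the wording the removed code used) describes it, and an unexpected `algorithm` value currently falls through to `return {}` silently, which the caller only surfaces as a KeyError on `response['user_id']`. The payload is also parsed with `simplejson.loads` before its MAC is checked; since only HMAC-SHA256 is accepted anyway, the MAC over `payload` could be verified first and the `algorithm` field read afterwards, so unverified input is never handed to the JSON parser.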
diff --git a/askbot/doc/source/changelog.rst b/askbot/doc/source/changelog.rst
index ce18fe11..7751cba6 100644
--- a/askbot/doc/source/changelog.rst
+++ b/askbot/doc/source/changelog.rst
@@ -1,6 +1,14 @@
Changes in Askbot
=================
+0.7.39 (Jan 11, 2012)
+---------------------
+* restored facebook login after FB changed the procedure (Evgeny)
+
+0.7.38 (Jan 11, 2012)
+---------------------
+* xss vulnerability fix, issue found by Radim Řehůřek (Evgeny)
+
0.7.37 (Jan 8, 2012)
--------------------
* added basic slugification treatment to question titles with
diff --git a/askbot/skins/common/templates/authopenid/signin.html b/askbot/skins/common/templates/authopenid/signin.html
index 4c894aa3..7fdbe203 100644
--- a/askbot/skins/common/templates/authopenid/signin.html
+++ b/askbot/skins/common/templates/authopenid/signin.html
@@ -11,14 +11,14 @@
{% endif %}
{% if answer %}
<div class="message">
- {% trans title=answer.question.title, summary=answer.summary %}
+ {% trans title=answer.question.title|escape, summary=answer.summary|escape %}
Your answer to {{title}} {{summary}} will be posted once you log in
{% endtrans %}
</div>
{% endif %}
{% if question %}
<div class="message">
- {% trans title=question.title, summary=question.summary %}Your question
+ {% trans title=question.title|escape, summary=question.summary|escape %}Your question
{{title}} {{summary}} will be posted once you log in
{% endtrans %}
</div>
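Review bot: The `|escape` filters added on `title=answer.question.title|escape, summary=answer.summary|escape` and the matching `title=question.title|escape, summary=question.summary|escape` line fix these two sites, but needing them implies autoescaping is off in this Jinja2 environment, so every other `{{ … }}` of user-controlled text this commit did not touch is still emitted raw. The durable fix is to enable autoescaping for the HTML templates (`autoescape=True` on the `Environment`, or `{% autoescape true %}` blocks where that tag is available) and mark pre-rendered HTML such as post bodies with `|safe`; `escape` on a value that is already `Markup` is a no-op, so the per-site filters added here stay correct once it is on. The explicit filters inside `{% trans %}` may still be warranted, since whether the i18n extension escapes interpolated variables under autoescape depends on the Jinja2 version and gettext style — worth confirming. The same per-site pattern is applied in close.html, question.html, question_card.html, sidebar.html, question_retag.html, question_widget.html, reopen.html, revisions.html, user_recent.html, user_stats.html and ask_form.html, and this point applies to all of them.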
diff --git a/askbot/skins/default/templates/close.html b/askbot/skins/default/templates/close.html
index d8160865..bac2b3ee 100644
--- a/askbot/skins/default/templates/close.html
+++ b/askbot/skins/default/templates/close.html
@@ -4,7 +4,7 @@
{% block content %}
<h1>{% trans %}Close question{% endtrans %}</h1>
<p>{% trans %}Close the question{% endtrans %}: <a href="{{ question.get_absolute_url() }}">
- <strong>{{ question.get_question_title() }}</strong></a>
+ <strong>{{ question.get_question_title()|escape }}</strong></a>
</p>
<form id="fmclose" action="{% url close question.id %}" method="post" >{% csrf_token %}
<p>
diff --git a/askbot/skins/default/templates/question.html b/askbot/skins/default/templates/question.html
index 7dc85d84..bfabd634 100644
--- a/askbot/skins/default/templates/question.html
+++ b/askbot/skins/default/templates/question.html
@@ -1,6 +1,6 @@
{% extends "two_column_body.html" %}
<!-- question.html -->
-{% block title %}{% spaceless %}{{ question.get_question_title() }}{% endspaceless %}{% endblock %}
+{% block title %}{% spaceless %}{{ question.get_question_title()|escape }}{% endspaceless %}{% endblock %}
{% block meta_description %}
<meta name="description" content="{{question.summary|striptags|escape}}" />
{% endblock %}
diff --git a/askbot/skins/default/templates/question/question_card.html b/askbot/skins/default/templates/question/question_card.html
index 87f92209..3691a224 100644
--- a/askbot/skins/default/templates/question/question_card.html
+++ b/askbot/skins/default/templates/question/question_card.html
@@ -4,7 +4,7 @@
</div>
<div class="question-content">
- <h1><a href="{{ question.get_absolute_url() }}">{{ question.get_question_title() }}</a></h1>
+ <h1><a href="{{ question.get_absolute_url() }}">{{ question.get_question_title()|escape }}</a></h1>
{% include "question/question_tags.html" %}
<div id="question-table" {% if question.deleted %}class="deleted"{%endif%}>
<div class="question-body">
diff --git a/askbot/skins/default/templates/question/sidebar.html b/askbot/skins/default/templates/question/sidebar.html
index 918c7662..f5c3273d 100644
--- a/askbot/skins/default/templates/question/sidebar.html
+++ b/askbot/skins/default/templates/question/sidebar.html
@@ -64,7 +64,7 @@
<div class="questions-related">
{% for question in similar_questions.data() %}
<p>
- <a href="{{ question.get_absolute_url() }}">{{ question.get_question_title() }}</a>
+ <a href="{{ question.get_absolute_url() }}">{{ question.get_question_title()|escape }}</a>
</p>
{% endfor %}
</div>
diff --git a/askbot/skins/default/templates/question_retag.html b/askbot/skins/default/templates/question_retag.html
index 883dc3aa..e5632820 100644
--- a/askbot/skins/default/templates/question_retag.html
+++ b/askbot/skins/default/templates/question_retag.html
@@ -5,7 +5,7 @@
<h1>{% trans %}Change tags{% endtrans %} [<a href="{{ question.get_absolute_url() }}">{% trans %}back{% endtrans %}</a>]</h1>
<form id="fmretag" action="{% url retag_question question.id %}" method="post" >{% csrf_token %}
<h2>
- {{ question.get_question_title() }}
+ {{ question.get_question_title()|escape }}
</h2>
<div id="description" class="edit-content-html">
{{ question.html }}
diff --git a/askbot/skins/default/templates/question_widget.html b/askbot/skins/default/templates/question_widget.html
index bb883c71..89e56898 100644
--- a/askbot/skins/default/templates/question_widget.html
+++ b/askbot/skins/default/templates/question_widget.html
@@ -12,7 +12,7 @@
<ul>
{% for question in questions %}
<li><a href="{{settings.APP_URL}}{{ question.get_absolute_url() }}">
- {{ question.title }}</a></li>
+ {{ question.title|escape }}</a></li>
{% endfor %}
</ul>
</div>
diff --git a/askbot/skins/default/templates/reopen.html b/askbot/skins/default/templates/reopen.html
index d68e8bdc..b287da6f 100644
--- a/askbot/skins/default/templates/reopen.html
+++ b/askbot/skins/default/templates/reopen.html
@@ -5,7 +5,7 @@
<h1>{% trans %}Reopen question{% endtrans %}</h1>
<p>{% trans %}Title{% endtrans %}:
<a href="{{ question.get_absolute_url() }}">
- <span class="big">{{ question.get_question_title() }}</span>
+ <span class="big">{{ question.get_question_title()|escape }}</span>
</a>
</p>
<p>{% trans %}This question has been closed by
diff --git a/askbot/skins/default/templates/revisions.html b/askbot/skins/default/templates/revisions.html
index 7fb985e2..f86a37ff 100644
--- a/askbot/skins/default/templates/revisions.html
+++ b/askbot/skins/default/templates/revisions.html
@@ -30,7 +30,7 @@
<td width="200px" style="vertical-align:middle">
{% if revision.summary %}
<div class="summary">
- <span>{{ revision.summary }}</span>
+ <span>{{ revision.summary|escape }}</span>
</div>
{% endif %}
{% if request.user|can_edit_post(post) %}
diff --git a/askbot/skins/default/templates/user_profile/user_recent.html b/askbot/skins/default/templates/user_profile/user_recent.html
index cbd59202..502af7b6 100644
--- a/askbot/skins/default/templates/user_profile/user_recent.html
+++ b/askbot/skins/default/templates/user_profile/user_recent.html
@@ -17,7 +17,7 @@
{% if act.related_object_type == 'question' %}{# question #}
{% for question in questions %}{# could also create a new dict #}
{% if question.question_id == act.obj %}
- (<a title="{{question.summary|collapse}}"
+ (<a title="{{question.summary|collapse|escape}}"
href="{% url question question.question_id %}{{question.title|slugify}}">{% trans %}source{% endtrans %}</a>)
{% endif %}
{% endfor %}
diff --git a/askbot/skins/default/templates/user_profile/user_stats.html b/askbot/skins/default/templates/user_profile/user_stats.html
index 2551015c..d74ecf77 100644
--- a/askbot/skins/default/templates/user_profile/user_stats.html
+++ b/askbot/skins/default/templates/user_profile/user_stats.html
@@ -18,7 +18,7 @@
<div class="user-stats-table">
{% for answered_question in answered_questions %}
<div class="answer-summary">
- <a title="{{answered_question.summary|collapse}}"
+ <a title="{{answered_question.summary|collapse|escape}}"
href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}">
<span class="answer-votes {% if answered_question.accepted %}answered-accepted{% endif %}"
title="{% trans answer_score=answered_question.answer_score %}the answer has been voted for {{ answer_score }} times{% endtrans %} {% if answered_question.accepted %}{% trans %}this answer has been selected as correct{% endtrans %}{%endif%}">
@@ -27,7 +27,7 @@
</a>
<div class="answer-link">
{% spaceless %}
- <a href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}">{{answered_question.title}}</a>
+ <a href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}">{{answered_question.title|escape}}</a>
{% endspaceless %}
{% if answered_question.comment_count %}
<span>
@@ -119,7 +119,7 @@
<a
title="{{ award.content_object.get_snippet()|collapse }}"
href="{{ award.content_object.get_absolute_url() }}"
- >{% if award.content_type == answer_type %}{% trans %}Answer to:{% endtrans %}{% endif %} {{ award.content_object.get_origin_post().title }}</a>
+ >{% if award.content_type == answer_type %}{% trans %}Answer to:{% endtrans %}{% endif %} {{ award.content_object.get_origin_post().title|escape }}</a>
</li>
{% endif %}
{% endfor %}
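Review bot: In the same anchor whose text becomes `{{ award.content_object.get_origin_post().title|escape }}`, the `title="{{ award.content_object.get_snippet()|collapse }}"` attribute two lines above is left unescaped, while the equivalent `summary|collapse` attributes in this file's first hunk and in user_recent.html gain `|collapse|escape`. Unless `get_snippet()` already returns escaped `Markup` (not visible here), a `"` in the snippet terminates the attribute, so `title="{{ award.content_object.get_snippet()|collapse|escape }}"` would make this hunk consistent with the others.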
diff --git a/askbot/skins/default/templates/widgets/ask_form.html b/askbot/skins/default/templates/widgets/ask_form.html
index 18196d93..17dc89f5 100644
--- a/askbot/skins/default/templates/widgets/ask_form.html
+++ b/askbot/skins/default/templates/widgets/ask_form.html
@@ -14,7 +14,7 @@
{% endif %}
{% endif %}
<input id="id_title" class="questionTitleInput" name="title" autocomplete="off"
- value="{% if form.initial.title %}{{form.initial.title}}{% endif %}"/>
+ value="{% if form.initial.title %}{{form.initial.title|escape}}{% endif %}"/>
<span class="form-error">{{ form.title.errors }}</span>
</div>
<div class="title-desc">