-rw-r--r-- | askbot/__init__.py | 2 | ||||
-rw-r--r-- | askbot/deps/django_authopenid/util.py | 64 | ||||
-rw-r--r-- | askbot/doc/source/changelog.rst | 8 | ||||
-rw-r--r-- | askbot/skins/common/templates/authopenid/signin.html | 4 | ||||
-rw-r--r-- | askbot/skins/default/templates/close.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/question.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/question/question_card.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/question/sidebar.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/question_retag.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/question_widget.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/reopen.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/revisions.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/user_profile/user_recent.html | 2 | ||||
-rw-r--r-- | askbot/skins/default/templates/user_profile/user_stats.html | 6 | ||||
-rw-r--r-- | askbot/skins/default/templates/widgets/ask_form.html | 2 |
15 files changed, 68 insertions, 36 deletions
diff --git a/askbot/__init__.py b/askbot/__init__.py index 7b12329c..2989d660 100644 --- a/askbot/__init__.py +++ b/askbot/__init__.py @@ -9,7 +9,7 @@ import smtplib import sys import logging -VERSION = (0, 7, 37) +VERSION = (0, 7, 39) #keys are module names used by python imports, #values - the package qualifier to use for pip diff --git a/askbot/deps/django_authopenid/util.py b/askbot/deps/django_authopenid/util.py index 4468a6d2..28f6b2dd 100644 --- a/askbot/deps/django_authopenid/util.py +++ b/askbot/deps/django_authopenid/util.py @@ -29,7 +29,7 @@ try: except: from yadis import xri -import time, base64, hashlib, operator, logging +import time, base64, hmac, hashlib, operator, logging from models import Association, Nonce __all__ = ['OpenID', 'DjangoOpenIDStore', 'from_openid_response', 'clean_next'] 
@@ -787,30 +787,54 @@ class FacebookError(Exception): """ pass -def get_facebook_user_id(request): - try: - key = askbot_settings.FACEBOOK_KEY - secret = askbot_settings.FACEBOOK_SECRET +def urlsafe_b64decode(input): + length = len(input) + return base64.urlsafe_b64decode( + input.ljust(length + length % 4, '=') + ) - fb_cookie = request.COOKIES['fbs_%s' % key] - fb_response = dict(cgi.parse_qsl(fb_cookie)) +def parse_signed_facebook_request(signed_request, secret): + """ + Parse signed_request given by Facebook (usually via POST), + decrypt with app secret. - signature = None - payload = '' - for key in sorted(fb_response.keys()): - if key != 'sig': - payload += '%s=%s' % (key, fb_response[key]) + Arguments: + signed_request -- Facebook's signed request given through POST + secret -- Application's app_secret required to decrpyt signed_request - if 'sig' in fb_response: - if md5(payload + secret).hexdigest() != fb_response['sig']: - raise ValueError('signature does not match') - else: - raise ValueError('no signature in facebook response') + slightly edited copy from https://gist.github.com/1190267 + """ + + if "." 
in signed_request: + esig, payload = signed_request.split(".") + else: + return {} - if 'uid' not in fb_response: - raise ValueError('no user id in facebook response') + sig = urlsafe_b64decode(str(esig)) + data = simplejson.loads(urlsafe_b64decode(str(payload))) - return fb_response['uid'] + if not isinstance(data, dict): + raise ValueError("Pyload is not a json string!") + return {} + + if data["algorithm"].upper() == "HMAC-SHA256": + if hmac.new(str(secret), str(payload), hashlib.sha256).digest() == sig: + return data + else: + raise ValueError("Not HMAC-SHA256 encrypted!") + + return {} + +def get_facebook_user_id(request): + try: + key = askbot_settings.FACEBOOK_KEY + fb_cookie = request.COOKIES['fbsr_%s' % key] + if not fb_cookie: + raise ValueError('cannot access facebook cookie') + + secret = askbot_settings.FACEBOOK_SECRET + response = parse_signed_facebook_request(fb_cookie, secret) + return response['user_id'] except Exception, e: raise FacebookError(e) diff --git a/askbot/doc/source/changelog.rst b/askbot/doc/source/changelog.rst index ce18fe11..7751cba6 100644 --- a/askbot/doc/source/changelog.rst +++ b/askbot/doc/source/changelog.rst @@ -1,6 +1,14 @@ Changes in Askbot ================= +0.7.39 (Jan 11, 2012) +--------------------- +* restored facebook login after FB changed the procedure (Evgeny) + +0.7.38 (Jan 11, 2012) +--------------------- +* xss vulnerability fix, issue found by Radim Řehůřek (Evgeny) + 0.7.37 (Jan 8, 2012) -------------------- * added basic slugification treatment to question titles with diff --git a/askbot/skins/common/templates/authopenid/signin.html b/askbot/skins/common/templates/authopenid/signin.html index 4c894aa3..7fdbe203 100644 --- a/askbot/skins/common/templates/authopenid/signin.html +++ b/askbot/skins/common/templates/authopenid/signin.html @@ -11,14 +11,14 @@ {% endif %}
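Review bot: The padding arithmetic in `urlsafe_b64decode` is wrong for an input whose length is 3 mod 4 — `input.ljust(length + length % 4, '=')` appends three `=` instead of one — and since a 32-byte HMAC-SHA256 digest encodes to 43 unpadded characters, the `esig` branch presumably only decodes because the underlying decoder tolerates surplus padding; `return base64.urlsafe_b64decode(input + '=' * (-len(input) % 4))` computes the padding correctly for every length. In `parse_signed_facebook_request` the digest is compared with `==`, which is not constant-time; where the runtime's `hmac` module offers `compare_digest`, prefer it for the signature check. The `return {}` after `raise ValueError("Pyload is not a json string!")` is unreachable and the message is misspelled, and `"Not HMAC-SHA256 encrypted!"` is raised on a signature mismatch while an unsupported `algorithm` silently returns `{}`, so the mismatch branch should say what failed, e.g. `raise ValueError('signature does not match')`, and the unsupported-algorithm case deserves its own error rather than an empty dict. The docstring says the request is decrypted with the app secret, but the code only verifies an HMAC over the payload; `Verify the signed_request sent by Facebook with the app secret and return its decoded payload.` would describe the contract accurately.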
{% if answer %}
<div class="message">
- {% trans title=answer.question.title, summary=answer.summary %}
+ {% trans title=answer.question.title|escape, summary=answer.summary|escape %}
Your answer to {{title}} {{summary}} will be posted once you log in
{% endtrans %}
</div>
{% endif %}
{% if question %}
<div class="message">
- {% trans title=question.title, summary=question.summary %}Your question
+ {% trans title=question.title|escape, summary=question.summary|escape %}Your question
{{title}} {{summary}} will be posted once you log in
{% endtrans %}
</div>
diff --git a/askbot/skins/default/templates/close.html b/askbot/skins/default/templates/close.html index d8160865..bac2b3ee 100644 --- a/askbot/skins/default/templates/close.html +++ b/askbot/skins/default/templates/close.html @@ -4,7 +4,7 @@ {% block content %} <h1>{% trans %}Close question{% endtrans %}</h1> <p>{% trans %}Close the question{% endtrans %}: <a href="{{ question.get_absolute_url() }}"> - <strong>{{ question.get_question_title() }}</strong></a> + <strong>{{ question.get_question_title()|escape }}</strong></a> </p> <form id="fmclose" action="{% url close question.id %}" method="post" >{% csrf_token %} <p> diff --git a/askbot/skins/default/templates/question.html b/askbot/skins/default/templates/question.html index 7dc85d84..bfabd634 100644 --- a/askbot/skins/default/templates/question.html +++ b/askbot/skins/default/templates/question.html @@ -1,6 +1,6 @@ {% extends "two_column_body.html" %} <!-- question.html --> -{% block title %}{% spaceless %}{{ question.get_question_title() }}{% endspaceless %}{% endblock %} +{% block title %}{% spaceless %}{{ question.get_question_title()|escape }}{% endspaceless %}{% endblock %} {% block meta_description %} <meta name="description" content="{{question.summary|striptags|escape}}" /> {% endblock %} diff --git a/askbot/skins/default/templates/question/question_card.html b/askbot/skins/default/templates/question/question_card.html index 87f92209..3691a224 100644 --- a/askbot/skins/default/templates/question/question_card.html +++ b/askbot/skins/default/templates/question/question_card.html @@ -4,7 +4,7 @@ </div> <div class="question-content"> - <h1><a href="{{ question.get_absolute_url() }}">{{ question.get_question_title() }}</a></h1> + <h1><a href="{{ question.get_absolute_url() }}">{{ question.get_question_title()|escape }}</a></h1> {% include "question/question_tags.html" %} <div id="question-table" {% if question.deleted %}class="deleted"{%endif%}> <div class="question-body"> 
diff --git a/askbot/skins/default/templates/question/sidebar.html b/askbot/skins/default/templates/question/sidebar.html index 918c7662..f5c3273d 100644 --- a/askbot/skins/default/templates/question/sidebar.html +++ b/askbot/skins/default/templates/question/sidebar.html @@ -64,7 +64,7 @@ <div class="questions-related"> {% for question in similar_questions.data() %} <p> - <a href="{{ question.get_absolute_url() }}">{{ question.get_question_title() }}</a> + <a href="{{ question.get_absolute_url() }}">{{ question.get_question_title()|escape }}</a> </p> {% endfor %} </div> diff --git a/askbot/skins/default/templates/question_retag.html b/askbot/skins/default/templates/question_retag.html index 883dc3aa..e5632820 100644 --- a/askbot/skins/default/templates/question_retag.html +++ b/askbot/skins/default/templates/question_retag.html @@ -5,7 +5,7 @@ <h1>{% trans %}Change tags{% endtrans %} [<a href="{{ question.get_absolute_url() }}">{% trans %}back{% endtrans %}</a>]</h1> <form id="fmretag" action="{% url retag_question question.id %}" method="post" >{% csrf_token %} <h2> - {{ question.get_question_title() }} + {{ question.get_question_title()|escape }} </h2> <div id="description" class="edit-content-html"> {{ question.html }} diff --git a/askbot/skins/default/templates/question_widget.html b/askbot/skins/default/templates/question_widget.html index bb883c71..89e56898 100644 --- a/askbot/skins/default/templates/question_widget.html +++ b/askbot/skins/default/templates/question_widget.html @@ -12,7 +12,7 @@ <ul> {% for question in questions %} <li><a href="{{settings.APP_URL}}{{ question.get_absolute_url() }}"> - {{ question.title }}</a></li> + {{ question.title|escape }}</a></li> {% endfor %} </ul> </div> diff --git a/askbot/skins/default/templates/reopen.html b/askbot/skins/default/templates/reopen.html index d68e8bdc..b287da6f 100644 --- a/askbot/skins/default/templates/reopen.html +++ b/askbot/skins/default/templates/reopen.html 
@@ -5,7 +5,7 @@ <h1>{% trans %}Reopen question{% endtrans %}</h1> <p>{% trans %}Title{% endtrans %}: <a href="{{ question.get_absolute_url() }}"> - <span class="big">{{ question.get_question_title() }}</span> + <span class="big">{{ question.get_question_title()|escape }}</span> </a> </p> <p>{% trans %}This question has been closed by diff --git a/askbot/skins/default/templates/revisions.html b/askbot/skins/default/templates/revisions.html index 7fb985e2..f86a37ff 100644 --- a/askbot/skins/default/templates/revisions.html +++ b/askbot/skins/default/templates/revisions.html @@ -30,7 +30,7 @@ <td width="200px" style="vertical-align:middle"> {% if revision.summary %} <div class="summary"> - <span>{{ revision.summary }}</span> + <span>{{ revision.summary|escape }}</span> </div> {% endif %} {% if request.user|can_edit_post(post) %} diff --git a/askbot/skins/default/templates/user_profile/user_recent.html b/askbot/skins/default/templates/user_profile/user_recent.html index cbd59202..502af7b6 100644 --- a/askbot/skins/default/templates/user_profile/user_recent.html +++ b/askbot/skins/default/templates/user_profile/user_recent.html @@ -17,7 +17,7 @@ {% if act.related_object_type == 'question' %}{# question #} {% for question in questions %}{# could also create a new dict #} {% if question.question_id == act.obj %} - (<a title="{{question.summary|collapse}}" + (<a title="{{question.summary|collapse|escape}}" href="{% url question question.question_id %}{{question.title|slugify}}">{% trans %}source{% endtrans %}</a>) {% endif %} {% endfor %} diff --git a/askbot/skins/default/templates/user_profile/user_stats.html b/askbot/skins/default/templates/user_profile/user_stats.html index 2551015c..d74ecf77 100644 --- a/askbot/skins/default/templates/user_profile/user_stats.html +++ b/askbot/skins/default/templates/user_profile/user_stats.html 
@@ -18,7 +18,7 @@ <div class="user-stats-table"> {% for answered_question in answered_questions %} <div class="answer-summary"> - <a title="{{answered_question.summary|collapse}}" + <a title="{{answered_question.summary|collapse|escape}}" href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}"> <span class="answer-votes {% if answered_question.accepted %}answered-accepted{% endif %}" title="{% trans answer_score=answered_question.answer_score %}the answer has been voted for {{ answer_score }} times{% endtrans %} {% if answered_question.accepted %}{% trans %}this answer has been selected as correct{% endtrans %}{%endif%}"> @@ -27,7 +27,7 @@ </a> <div class="answer-link"> {% spaceless %} - <a href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}">{{answered_question.title}}</a> + <a href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}">{{answered_question.title|escape}}</a> {% endspaceless %} {% if answered_question.comment_count %} <span> @@ -119,7 +119,7 @@ <a title="{{ award.content_object.get_snippet()|collapse }}" href="{{ award.content_object.get_absolute_url() }}" - >{% if award.content_type == answer_type %}{% trans %}Answer to:{% endtrans %}{% endif %} {{ award.content_object.get_origin_post().title }}</a> + >{% if award.content_type == answer_type %}{% trans %}Answer to:{% endtrans %}{% endif %} {{ award.content_object.get_origin_post().title|escape }}</a> </li> {% endif %} {% endfor %} diff --git a/askbot/skins/default/templates/widgets/ask_form.html b/askbot/skins/default/templates/widgets/ask_form.html index 18196d93..17dc89f5 100644 --- a/askbot/skins/default/templates/widgets/ask_form.html +++ b/askbot/skins/default/templates/widgets/ask_form.html 
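Review bot: In the `@@ -119` hunk the attribute `title="{{ award.content_object.get_snippet()|collapse }}"` on the context line just above the changed one is left unescaped, while the sibling `title="{{answered_question.summary|collapse|escape}}"` in the `@@ -18` hunk of the same file gets `|escape`; unless `get_snippet()` is known to return already-escaped text, it should read `title="{{ award.content_object.get_snippet()|collapse|escape }}"`. More generally, the fix adds `|escape` at individual output sites across signin.html, close.html, question.html, question_card.html, sidebar.html, question_retag.html, question_widget.html, reopen.html, revisions.html, user_recent.html, user_stats.html and ask_form.html, so any site not touched here keeps rendering raw values. These look like Jinja2 templates (`{% endtrans %}`, method calls with parentheses); enabling autoescaping for them and marking the deliberately raw fields such as `{{ question.html }}` in question_retag.html as safe would make the secure behaviour the default, which is likely a follow-up rather than part of this fix.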
@@ -14,7 +14,7 @@ {% endif %} {% endif %} <input id="id_title" class="questionTitleInput" name="title" autocomplete="off" - value="{% if form.initial.title %}{{form.initial.title}}{% endif %}"/> + value="{% if form.initial.title %}{{form.initial.title|escape}}{% endif %}"/> <span class="form-error">{{ form.title.errors }}</span> </div> <div class="title-desc"> |