From cd27a074dbe66de033b3bbf8d25eafc44578729e Mon Sep 17 00:00:00 2001 From: Evgeny Fadeev Date: Wed, 11 Jan 2012 01:03:10 -0300 Subject: xss vulnerability fix and new release --- askbot/__init__.py | 2 +- askbot/doc/source/changelog.rst | 4 ++++ askbot/skins/common/templates/authopenid/signin.html | 4 ++-- askbot/skins/default/templates/close.html | 2 +- askbot/skins/default/templates/question.html | 2 +- askbot/skins/default/templates/question/question_card.html | 2 +- askbot/skins/default/templates/question/sidebar.html | 2 +- askbot/skins/default/templates/question_retag.html | 2 +- askbot/skins/default/templates/question_widget.html | 2 +- askbot/skins/default/templates/reopen.html | 2 +- askbot/skins/default/templates/revisions.html | 2 +- askbot/skins/default/templates/user_profile/user_recent.html | 2 +- askbot/skins/default/templates/user_profile/user_stats.html | 6 +++--- askbot/skins/default/templates/widgets/ask_form.html | 2 +- 14 files changed, 20 insertions(+), 16 deletions(-) diff --git a/askbot/__init__.py b/askbot/__init__.py index 7b12329c..eba7d205 100644 --- a/askbot/__init__.py +++ b/askbot/__init__.py @@ -9,7 +9,7 @@ import smtplib import sys import logging -VERSION = (0, 7, 37) +VERSION = (0, 7, 38) #keys are module names used by python imports, #values - the package qualifier to use for pip diff --git a/askbot/doc/source/changelog.rst b/askbot/doc/source/changelog.rst index ce18fe11..bd67fd48 100644 --- a/askbot/doc/source/changelog.rst +++ b/askbot/doc/source/changelog.rst @@ -1,6 +1,10 @@ Changes in Askbot ================= +0.7.38 (Jan 11, 2012) +--------------------- +* xss vulnerability fix, issue found by Radim Řehůřek (Evgeny) + 0.7.37 (Jan 8, 2012) -------------------- * added basic slugification treatment to question titles with diff --git a/askbot/skins/common/templates/authopenid/signin.html b/askbot/skins/common/templates/authopenid/signin.html index 4c894aa3..7fdbe203 100644 
--- a/askbot/skins/common/templates/authopenid/signin.html +++ b/askbot/skins/common/templates/authopenid/signin.html @@ -11,14 +11,14 @@ {% endif %} {% if answer %}
- {% trans title=answer.question.title, summary=answer.summary %} + {% trans title=answer.question.title|escape, summary=answer.summary|escape %} Your answer to {{title}} {{summary}} will be posted once you log in {% endtrans %}
{% endif %} {% if question %}
- {% trans title=question.title, summary=question.summary %}Your question + {% trans title=question.title|escape, summary=question.summary|escape %}Your question {{title}} {{summary}} will be posted once you log in {% endtrans %}
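Review bot: The new `|escape` filters on `answer.question.title`, `answer.summary`, `question.title` and `question.summary` close the reported injection only at these four expressions; the same site-by-site pattern is repeated in the close.html, question.html, question_card.html, question_retag.html, reopen.html and revisions.html hunks of this commit, and any other template that renders the same fields without the filter is left as it was. The durable mitigation is autoescape in the Jinja2 environment with the deliberately-HTML fields (for example `{{ question.html }}` in the question_retag.html hunk) marked `|safe`; the `escape` filter returns `Markup` values unchanged, so the filters added here would not double-escape once that is done. The environment configuration is outside this diff, so this is a follow-up rather than a defect in the lines shown. The changed lines of the sidebar.html, question_widget.html, user_recent.html and user_stats.html sections are not legible in this rendering and are not covered by this note.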
diff --git a/askbot/skins/default/templates/close.html b/askbot/skins/default/templates/close.html index d8160865..bac2b3ee 100644 --- a/askbot/skins/default/templates/close.html +++ b/askbot/skins/default/templates/close.html @@ -4,7 +4,7 @@ {% block content %}

{% trans %}Close question{% endtrans %}

{% trans %}Close the question{% endtrans %}: - {{ question.get_question_title() }} + {{ question.get_question_title()|escape }}

{% csrf_token %}

diff --git a/askbot/skins/default/templates/question.html b/askbot/skins/default/templates/question.html index 7dc85d84..bfabd634 100644 --- a/askbot/skins/default/templates/question.html +++ b/askbot/skins/default/templates/question.html @@ -1,6 +1,6 @@ {% extends "two_column_body.html" %} -{% block title %}{% spaceless %}{{ question.get_question_title() }}{% endspaceless %}{% endblock %} +{% block title %}{% spaceless %}{{ question.get_question_title()|escape }}{% endspaceless %}{% endblock %} {% block meta_description %} {% endblock %} diff --git a/askbot/skins/default/templates/question/question_card.html b/askbot/skins/default/templates/question/question_card.html index 87f92209..3691a224 100644 --- a/askbot/skins/default/templates/question/question_card.html +++ b/askbot/skins/default/templates/question/question_card.html @@ -4,7 +4,7 @@

-

{{ question.get_question_title() }}

+

{{ question.get_question_title()|escape }}

{% include "question/question_tags.html" %}
diff --git a/askbot/skins/default/templates/question/sidebar.html b/askbot/skins/default/templates/question/sidebar.html index 918c7662..f5c3273d 100644 --- a/askbot/skins/default/templates/question/sidebar.html +++ b/askbot/skins/default/templates/question/sidebar.html @@ -64,7 +64,7 @@ diff --git a/askbot/skins/default/templates/question_retag.html b/askbot/skins/default/templates/question_retag.html index 883dc3aa..e5632820 100644 --- a/askbot/skins/default/templates/question_retag.html +++ b/askbot/skins/default/templates/question_retag.html @@ -5,7 +5,7 @@

{% trans %}Change tags{% endtrans %} [{% trans %}back{% endtrans %}]

{% csrf_token %}

- {{ question.get_question_title() }} + {{ question.get_question_title()|escape }}

{{ question.html }} diff --git a/askbot/skins/default/templates/question_widget.html b/askbot/skins/default/templates/question_widget.html index bb883c71..89e56898 100644 --- a/askbot/skins/default/templates/question_widget.html +++ b/askbot/skins/default/templates/question_widget.html @@ -12,7 +12,7 @@
diff --git a/askbot/skins/default/templates/reopen.html b/askbot/skins/default/templates/reopen.html index d68e8bdc..b287da6f 100644 --- a/askbot/skins/default/templates/reopen.html +++ b/askbot/skins/default/templates/reopen.html @@ -5,7 +5,7 @@

{% trans %}Reopen question{% endtrans %}

{% trans %}Title{% endtrans %}: - {{ question.get_question_title() }} + {{ question.get_question_title()|escape }}

{% trans %}This question has been closed by diff --git a/askbot/skins/default/templates/revisions.html b/askbot/skins/default/templates/revisions.html index 7fb985e2..f86a37ff 100644 --- a/askbot/skins/default/templates/revisions.html +++ b/askbot/skins/default/templates/revisions.html @@ -30,7 +30,7 @@ {% if revision.summary %}

- {{ revision.summary }} + {{ revision.summary|escape }}
{% endif %} {% if request.user|can_edit_post(post) %} diff --git a/askbot/skins/default/templates/user_profile/user_recent.html b/askbot/skins/default/templates/user_profile/user_recent.html index cbd59202..502af7b6 100644 --- a/askbot/skins/default/templates/user_profile/user_recent.html +++ b/askbot/skins/default/templates/user_profile/user_recent.html @@ -17,7 +17,7 @@ {% if act.related_object_type == 'question' %}{# question #} {% for question in questions %}{# could also create a new dict #} {% if question.question_id == act.obj %} - ({% trans %}source{% endtrans %}) {% endif %} {% endfor %} diff --git a/askbot/skins/default/templates/user_profile/user_stats.html b/askbot/skins/default/templates/user_profile/user_stats.html index 2551015c..d74ecf77 100644 --- a/askbot/skins/default/templates/user_profile/user_stats.html +++ b/askbot/skins/default/templates/user_profile/user_stats.html @@ -18,7 +18,7 @@
{% for answered_question in answered_questions %}
- @@ -27,7 +27,7 @@
-- cgit v1.2.3-1-g7c22 From abce97feacaff96a6881746f038e82f3f35566a9 Mon Sep 17 00:00:00 2001 From: Evgeny Fadeev Date: Wed, 11 Jan 2012 02:16:48 -0300 Subject: fixed facebook login --- askbot/__init__.py | 2 +- askbot/deps/django_authopenid/util.py | 64 ++++++++++++++++++++++++----------- askbot/doc/source/changelog.rst | 4 +++ 3 files changed, 49 insertions(+), 21 deletions(-) diff --git a/askbot/__init__.py b/askbot/__init__.py index eba7d205..2989d660 100644 --- a/askbot/__init__.py +++ b/askbot/__init__.py @@ -9,7 +9,7 @@ import smtplib import sys import logging -VERSION = (0, 7, 38) +VERSION = (0, 7, 39) #keys are module names used by python imports, #values - the package qualifier to use for pip diff --git a/askbot/deps/django_authopenid/util.py b/askbot/deps/django_authopenid/util.py index 4468a6d2..28f6b2dd 100644 --- a/askbot/deps/django_authopenid/util.py +++ b/askbot/deps/django_authopenid/util.py @@ -29,7 +29,7 @@ try: except: from yadis import xri -import time, base64, hashlib, operator, logging +import time, base64, hmac, hashlib, operator, logging from models import Association, Nonce __all__ = ['OpenID', 'DjangoOpenIDStore', 'from_openid_response', 'clean_next'] 
@@ -787,30 +787,54 @@ class FacebookError(Exception): """ pass -def get_facebook_user_id(request): - try: - key = askbot_settings.FACEBOOK_KEY - secret = askbot_settings.FACEBOOK_SECRET +def urlsafe_b64decode(input): + length = len(input) + return base64.urlsafe_b64decode( + input.ljust(length + length % 4, '=') + ) - fb_cookie = request.COOKIES['fbs_%s' % key] - fb_response = dict(cgi.parse_qsl(fb_cookie)) +def parse_signed_facebook_request(signed_request, secret): + """ + Parse signed_request given by Facebook (usually via POST), + decrypt with app secret. - signature = None - payload = '' - for key in sorted(fb_response.keys()): - if key != 'sig': - payload += '%s=%s' % (key, fb_response[key]) + Arguments: + signed_request -- Facebook's signed request given through POST + secret -- Application's app_secret required to decrpyt signed_request - if 'sig' in fb_response: - if md5(payload + secret).hexdigest() != fb_response['sig']: - raise ValueError('signature does not match') - else: - raise ValueError('no signature in facebook response') + slightly edited copy from https://gist.github.com/1190267 + """ + + if "." 
in signed_request: + esig, payload = signed_request.split(".") + else: + return {} - if 'uid' not in fb_response: - raise ValueError('no user id in facebook response') + sig = urlsafe_b64decode(str(esig)) + data = simplejson.loads(urlsafe_b64decode(str(payload))) - return fb_response['uid'] + if not isinstance(data, dict): + raise ValueError("Pyload is not a json string!") + return {} + + if data["algorithm"].upper() == "HMAC-SHA256": + if hmac.new(str(secret), str(payload), hashlib.sha256).digest() == sig: + return data + else: + raise ValueError("Not HMAC-SHA256 encrypted!") + + return {} + +def get_facebook_user_id(request): + try: + key = askbot_settings.FACEBOOK_KEY + fb_cookie = request.COOKIES['fbsr_%s' % key] + if not fb_cookie: + raise ValueError('cannot access facebook cookie') + + secret = askbot_settings.FACEBOOK_SECRET + response = parse_signed_facebook_request(fb_cookie, secret) + return response['user_id'] except Exception, e: raise FacebookError(e) diff --git a/askbot/doc/source/changelog.rst b/askbot/doc/source/changelog.rst index bd67fd48..7751cba6 100644 --- a/askbot/doc/source/changelog.rst +++ b/askbot/doc/source/changelog.rst @@ -1,6 +1,10 @@ Changes in Askbot ================= +0.7.39 (Jan 11, 2012) +--------------------- +* restored facebook login after FB changed the procedure (Evgeny) + 0.7.38 (Jan 11, 2012) --------------------- * xss vulnerability fix, issue found by Radim Řehůřek (Evgeny) -- cgit v1.2.3-1-g7c22
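Review bot: The padding arithmetic in `urlsafe_b64decode` is wrong: base64 text must be a multiple of 4 characters and the number of missing `=` is `(-length) % 4`, not `length % 4`, so a 43-character segment (the length of an unpadded SHA-256 signature) is padded to 46 characters instead of 44 and decodes only if the decoder happens to tolerate surplus padding. In `parse_signed_facebook_request` the `else` belongs to the inner `if`, so a signature mismatch is reported as `Not HMAC-SHA256 encrypted!` (HMAC is a MAC, not encryption) while an unsupported `algorithm` value falls through to `return {}` and surfaces only as a KeyError on `user_id` in `get_facebook_user_id`; the rewrite below pads correctly, verifies the signature before anything in the payload is parsed or trusted, raises on every failure, and splits on the first `.` only. The comparison `hmac.new(...).digest() == sig` is not constant-time; `hmac.compare_digest` is the drop-in where the interpreter provides it (Python 2.7.7+), which the `except Exception, e:` syntax in this file makes worth checking. The docstring should say the function verifies (not decrypts) the request, fix `decrpyt`, and state that ValueError is raised for a malformed, mis-signed or non-object payload; `simplejson` is not on the import line this commit touches, so confirm it is imported earlier in the file.
```python
def urlsafe_b64decode(input):
    # base64 text must be a multiple of 4 chars; (-len) % 4 is the number of '=' missing
    return base64.urlsafe_b64decode(input + '=' * (-len(input) % 4))

def parse_signed_facebook_request(signed_request, secret):
    # … unchanged: docstring (wording fixes described in the note) …
    if "." not in signed_request:
        return {}
    esig, payload = signed_request.split(".", 1)

    # verify the signature before anything from the payload is trusted
    sig = urlsafe_b64decode(str(esig))
    expected = hmac.new(str(secret), str(payload), hashlib.sha256).digest()
    if expected != sig:  # hmac.compare_digest(expected, sig) where available
        raise ValueError("signed_request signature does not match")

    data = simplejson.loads(urlsafe_b64decode(str(payload)))
    if not isinstance(data, dict):
        raise ValueError("Payload is not a JSON object!")
    if data.get("algorithm", "").upper() != "HMAC-SHA256":
        raise ValueError("Unsupported signed_request algorithm")
    return data

# … unchanged: get_facebook_user_id …
```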