def POST_message(self, level, logs):
# Whitelist tags to keep the frontend from creating too many keys in statsd
valid_frontend_log_tags = {
'unknown',
'verbify-config-migrate-error',
}
# prevent simple CSRF by requiring a custom header
if not request.headers.get('X-Loggit'):
abort(403)
uid = c.user._id if c.user_is_loggedin else '-'
# only accept a maximum of 3 entries per request
for log in logs[:3]:
if 'msg' not in log or 'url' not in log:
continue
tag = 'unknown'
if log.get('tag') in valid_frontend_log_tags:
tag = log['tag']
g.stats.simple_event('frontend.error.' + tag)
g.log.warning('[web frontend] %s: %s | U: %s FP: %s UA: %s', level,
log['msg'], uid, log['url'], request.user_agent)
VRatelimit.ratelimit(rate_user=False,
rate_ip=True,
prefix="rate_weblog_",
seconds=10)
def GET_crossdomain(self):
# Our middleware is weird and won't let us add a route for just
# '/crossdomain.xml'. Just 404 for other extensions.
if request.environ.get('extension', None) != 'xml':
abort(404)
response.content_type = "text/x-cross-domain-policy"
return CrossDomain().render(style='xml')
def GET_policy_page(self, page, requested_rev):
if c.render_style == 'compact':
self.redirect('/wiki/' + page)
if page == 'privacypolicy':
wiki_name = g.wiki_page_privacy_policy
pagename = _('privacy policy')
elif page == 'useragreement':
wiki_name = g.wiki_page_user_agreement
pagename = _('user agreement')
elif page == 'contentpolicy':
wiki_name = g.wiki_page_content_policy
pagename = _('content policy')
else:
abort(404)
wp = WikiPage.get(Frontpage, wiki_name)
revs = list(wp.get_revisions())
# collapse minor edits into revisions with reasons
rev_info = []
last_edit = None
for rev in revs:
if rev.is_hidden:
continue
if not last_edit:
last_edit = rev
if rev._get('reason'):
rev_info.append({
'id': str(last_edit._id),
'title': rev._get('reason'),
})
last_edit = None
if requested_rev:
try:
display_rev = WikiRevision.get(requested_rev, wp._id)
except (tdb_cassandra.NotFound, WikiBadRevision):
abort(404)
else:
display_rev = revs[0]
doc_html = wikimarkdown(display_rev.content, include_toc=False)
soup = BeautifulSoup(doc_html.decode('utf-8'))
toc = generate_table_of_contents(soup, prefix='section')
self._number_sections(soup)
self._linkify_headings(soup)
content = PolicyView(
body_html=unsafe(soup),
toc_html=unsafe(toc),
revs=rev_info,
display_rev=str(display_rev._id),
)
return PolicyPage(
pagename=pagename,
content=content,
).render()
def pre(self):
if g.disallow_db_writes:
abort(403)
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
if request.method != "OPTIONS":
c.oauth2_client = self._get_client_auth()
def _get_client_auth(self):
auth = request.headers.get("Authorization")
try:
client_id, client_secret = parse_http_basic(auth)
require(client_id)
client = OAuth2Client.get_token(client_id)
require(client)
if client.is_confidential():
require(client_secret)
require(constant_time_compare(client.secret, client_secret))
return client
except RequirementException:
abort(401, headers=[("WWW-Authenticate", 'Basic realm="verbify"')])
def handle_login(controller,
form,
responder,
user,
rem=None,
signature=None,
**kwargs):
def _event(error):
g.events.login_event('login_attempt',
error_msg=error,
user_name=request.urlvars.get('url_user'),
remember_me=rem,
signature=signature,
request=request,
context=c)
if signature and not signature.is_valid():
_event(error="SIGNATURE")
abort(403)
hook_error = hooks.get_hook("account.login").call_until_return(
responder=responder,
request=request,
context=c,
)
# if any of the hooks returned an error, abort the login. The
# set_error in this case also needs to exist in the hook.
if hook_error:
_event(error=hook_error)
return
exempt_ua = (request.user_agent and any(
ua in request.user_agent
for ua in g.config.get('exempt_login_user_agents', ())))
if (errors.LOGGED_IN, None) in c.errors:
if user == c.user or exempt_ua:
# Allow funky clients to re-login as the current user.
c.errors.remove((errors.LOGGED_IN, None))
else:
_event(error='LOGGED_IN')
abort(verbify_http_error(409, errors.LOGGED_IN))
if responder.has_errors("ratelimit", errors.RATELIMIT):
_event(error='RATELIMIT')
elif responder.has_errors("passwd", errors.WRONG_PASSWORD):
_event(error='WRONG_PASSWORD')
else:
controller._login(responder, user, rem)
_event(error=None)
def __before__(self):
try:
c.error_page = True
VerbifyController.__before__(self)
except (HTTPMovedPermanently, HTTPFound):
# ignore an attempt to redirect from an error page
pass
except Exception as e:
handle_awful_failure("ErrorController.__before__: %r" % e)
# c.error_page is special-cased in a couple places to bypass
# c.site checks. We shouldn't allow the user to get here other
# than through `middleware.py:error_mapper`.
if not request.environ.get('pylons.error_call'):
abort(403, "direct access to error controller disallowed")
def GET_scopes(self, scope_str):
"""Retrieve descriptions of verbify's OAuth2 scopes.
If no scopes are given, information on all scopes are returned.
Invalid scope(s) will result in a 400 error with body that indicates
the invalid scope(s).
"""
scopes = OAuth2Scope(scope_str or self.THREE_SIXTY)
if scope_str and not scopes.is_valid():
invalid = [s for s in scopes.scopes if s not in scopes.scope_info]
error = {"error": "invalid_scopes", "invalid_scopes": invalid}
http_err = HTTPBadRequest()
http_err.error_data = error
abort(http_err)
return self.api_wrapper({k: v for k, v in scopes.details() if k})
def GET_oembed(self, url, parent, live, omitscript):
"""Get the oEmbed response for a URL, if any exists.
Spec: http://www.oembed.com/
Optional parameters (parent, live) are passed through as embed options
to oEmbed renderers.
"""
response.content_type = "application/json"
thing = url_to_thing(url)
if not thing:
abort(404)
embed_options = {
"parent": parent,
"live": live,
"omitscript": omitscript
}
try:
return scriptsafe_dumps(_oembed_for(thing, **embed_options))
except ForbiddenError:
abort(403)
except NotImplementedError:
abort(404)
def POST_zendeskreply(self):
request_body = request.POST
recipient = request_body["recipient"]
sender_email = request_body["sender"]
from_ = request_body["from"]
subject = request_body["subject"]
body_plain = request_body["body-plain"]
stripped_text = request_body["stripped-text"]
timestamp = request_body["timestamp"]
token = request_body["token"]
signature = request_body["signature"]
email_id = request_body["Message-Id"]
if not validate_mailgun_webhook(timestamp, token, signature):
# per Mailgun docs send a 406 so the message won't be retried
abort(406, "invalid signature")
message_id36 = parse_and_validate_reply_to_address(recipient)
if not message_id36:
# per Mailgun docs send a 406 so the message won't be retried
abort(406, "invalid message")
parent = Message._byID36(message_id36, data=True)
to = Account._byID(parent.author_id, data=True)
sr = Subverbify._byID(parent.sr_id, data=True)
if stripped_text.startswith(ZENDESK_PREFIX):
stripped_text = stripped_text[len(ZENDESK_PREFIX):].lstrip()
if len(stripped_text) > 10000:
body = stripped_text[:10000] + "\n\n--snipped--"
else:
body = stripped_text
try:
markdown_souptest(body)
except SoupError:
g.log.warning("bad markdown in modmail email: %s", body)
abort(406, "invalid body")
if parent.get_muted_user_in_conversation():
queue_blocked_muted_email(sr, parent, sender_email, email_id)
return
# keep the subject consistent
message_subject = parent.subject
if not message_subject.startswith("re: "):
message_subject = "re: " + message_subject
# from_ is like '"NAME (GROUP)" <*****@*****.**>'
match = re.search("\"(?P<name>\w+) [\w ()]*\"", from_)
from_sr = True
author = Account.system_user()
if match and match.group(
"name") in g.live_config['modmail_account_map']:
zendesk_name = match.group("name")
moderator_name = g.live_config['modmail_account_map'][zendesk_name]
moderator = Account._by_name(moderator_name)
if sr.is_moderator_with_perms(moderator, "mail"):
author = moderator
from_sr = False
message, inbox_rel = Message._new(
author=author,
to=to,
subject=message_subject,
body=body,
ip='0.0.0.0',
parent=parent,
sr=sr,
from_sr=from_sr,
can_send_email=False,
sent_via_email=True,
email_id=email_id,
)
message._commit()
queries.new_message(message, inbox_rel)
g.stats.simple_event("mailgun.incoming.success")
g.stats.simple_event("modmail_email.incoming_email")
def POST_report_cache_poisoning(
self,
report_mac,
poisoner_name,
poisoner_id,
poisoner_canary,
victim_canary,
render_time,
route_name,
url,
source,
cache_policy,
resp_headers,
):
"""Report an instance of cache poisoning and its details"""
self.OPTIONS_report_cache_poisoning()
if c.errors:
abort(400)
# prevent simple CSRF by requiring a custom header
if not request.headers.get('X-Loggit'):
abort(403)
# Eh? Why are you reporting this if the canaries are the same?
if poisoner_canary == victim_canary:
abort(400)
expected_mac = make_poisoning_report_mac(
poisoner_canary=poisoner_canary,
poisoner_name=poisoner_name,
poisoner_id=poisoner_id,
cache_policy=cache_policy,
source=source,
route_name=route_name,
)
if not constant_time_compare(report_mac, expected_mac):
abort(403)
if resp_headers:
try:
resp_headers = json.loads(resp_headers)
# Verify this is a JSON map of `header_name => [value, ...]`
if not isinstance(resp_headers, dict):
abort(400)
for hdr_name, hdr_vals in resp_headers.iteritems():
if not isinstance(hdr_name, basestring):
abort(400)
if not all(isinstance(h, basestring) for h in hdr_vals):
abort(400)
except ValueError:
abort(400)
if not resp_headers:
resp_headers = {}
poison_info = dict(
poisoner_name=poisoner_name,
poisoner_id=str(poisoner_id),
# Convert the JS timestamp to a standard one
render_time=render_time * 1000,
route_name=route_name,
url=url,
source=source,
cache_policy=cache_policy,
resp_headers=resp_headers,
)
# For immediate feedback when tracking the effects of caching changes
g.stats.simple_event("cache.poisoning.%s.%s" % (source, cache_policy))
# For longer-term diagnosing of caching issues
g.events.cache_poisoning_event(poison_info, request=request, context=c)
VRatelimit.ratelimit(rate_ip=True, prefix="rate_poison_", seconds=10)
return self.api_wrapper({})
def handle_error(self, code, reason=None, **data):
abort(verbify_http_error(code, reason, **data))
def handle_register(controller,
form,
responder,
name,
email,
password,
rem=None,
newsletter_subscribe=False,
sponsor=False,
signature=None,
**kwargs):
def _event(error):
g.events.login_event('register_attempt',
error_msg=error,
user_name=request.urlvars.get('url_user'),
email=request.POST.get('email'),
remember_me=rem,
newsletter=newsletter_subscribe,
signature=signature,
request=request,
context=c)
if signature and not signature.is_valid():
_event(error="SIGNATURE")
abort(403)
if responder.has_errors('user', errors.USERNAME_TOO_SHORT):
_event(error='USERNAME_TOO_SHORT')
elif responder.has_errors('user', errors.USERNAME_INVALID_CHARACTERS):
_event(error='USERNAME_INVALID_CHARACTERS')
elif responder.has_errors('user', errors.USERNAME_TAKEN_DEL):
_event(error='USERNAME_TAKEN_DEL')
elif responder.has_errors('user', errors.USERNAME_TAKEN):
_event(error='USERNAME_TAKEN')
elif responder.has_errors('email', errors.BAD_EMAIL):
_event(error='BAD_EMAIL')
elif responder.has_errors('passwd', errors.SHORT_PASSWORD):
_event(error='SHORT_PASSWORD')
elif responder.has_errors('passwd', errors.BAD_PASSWORD):
# BAD_PASSWORD is set when SHORT_PASSWORD is set
_event(error='BAD_PASSWORD')
elif responder.has_errors('passwd2', errors.BAD_PASSWORD_MATCH):
_event(error='BAD_PASSWORD_MATCH')
elif responder.has_errors('ratelimit', errors.RATELIMIT):
_event(error='RATELIMIT')
elif (not g.disable_captcha
and responder.has_errors('captcha', errors.BAD_CAPTCHA)):
_event(error='BAD_CAPTCHA')
elif newsletter_subscribe and not email:
c.errors.add(errors.NEWSLETTER_NO_EMAIL, field="email")
form.has_errors("email", errors.NEWSLETTER_NO_EMAIL)
_event(error='NEWSLETTER_NO_EMAIL')
elif sponsor and not email:
c.errors.add(errors.SPONSOR_NO_EMAIL, field="email")
form.has_errors("email", errors.SPONSOR_NO_EMAIL)
_event(error='SPONSOR_NO_EMAIL')
else:
try:
user = register(name, password, request.ip)
except AccountExists:
c.errors.add(errors.USERNAME_TAKEN, field="user")
form.has_errors("user", errors.USERNAME_TAKEN)
_event(error='USERNAME_TAKEN')
return
VRatelimit.ratelimit(rate_ip=True, prefix="rate_register_")
# anything else we know (email, languages)?
if email:
user.set_email(email)
emailer.verify_email(user)
user.pref_lang = c.lang
user._commit()
amqp.add_item('new_account', user._fullname)
hooks.get_hook("account.registered").call(user=user)
reject = hooks.get_hook("account.spotcheck").call(account=user)
if any(reject):
_event(error='ACCOUNT_SPOTCHECK')
return
if newsletter_subscribe and email:
try:
newsletter.add_subscriber(email, source="register")
except newsletter.NewsletterError as e:
g.log.warning("Failed to subscribe: %r" % e)
controller._login(responder, user, rem)
_event(error=None)
def _abort_oauth_error(self, error):
g.stats.simple_event('oauth2.errors.%s' % error)
abort(BadRequestError(error))