commit c6d2a2f9c38a9ae3fe4a55711fc5cd6b2da59902
parent 209e719c8e922f9d333c76fa1e4e5ea84622b7eb
Author: parazyd <parazyd@dyne.org>
Date: Tue, 22 Jan 2019 17:15:48 +0100
Add some wishful security and lint.
Diffstat:
M | diaspora.py | | | 71 | ++++++++++++++++++++++++++++++++++++++--------------------------------- |
M | utils.py | | | 10 | +++++++--- |
2 files changed, 45 insertions(+), 36 deletions(-)
diff --git a/diaspora.py b/diaspora.py
@@ -97,7 +97,7 @@ def login():
User login route.
"""
if request.method == 'POST':
- if request.form['42']:
+ if request.form.get('42'):
return render_template('fail.html', msg='You robot!')
username = request.form['username']
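Review bot: The line right after the new guard, `username = request.form['username']`, keeps the subscript access that this commit replaces everywhere else, so a POST without a username field still ends in Werkzeug's BadRequestKeyError (an HTTP 400) instead of the fail template. `username = request.form.get('username')` followed by an explicit empty check would match the rest of the change. login() continues outside the hunk.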
@@ -126,6 +126,9 @@ def login():
@app.route('/changepass', methods=['GET', 'POST'])
@login_required
def changepass():
+ """
+ Route for changing passwords.
+ """
user = find_user_by_email(current_user.username)
if request.method != 'POST':
@@ -135,11 +138,11 @@ def changepass():
return render_template('fail.html', msg='You robot!')
old_in_db = user['password']
- old_in_pg = request.form['oldpassword']
- new_in_pg = request.form['newpassword']
+ old_in_pg = request.form.get('oldpassword')
+ new_in_pg = request.form.get('newpassword')
if not old_in_pg or not new_in_pg:
return render_template('fail.html',
- 'Please input both old and new passwords!')
+ msg='Please input both old and new passwords!')
old_hashed = hashpw(old_in_pg.encode(), old_in_db)
if old_hashed == old_in_db:
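Review bot: The password check at the end of the hunk, `old_hashed = hashpw(old_in_pg.encode(), old_in_db)` followed by `if old_hashed == old_in_db:`, compares the two hashes with ordinary `==`, which is not a timing-safe comparison; `bcrypt.checkpw(old_in_pg.encode(), old_in_db)` performs the re-hash and a constant-time compare in one call (it would need adding to the bcrypt import, which is outside this hunk). The switch to `.get()` above it is sound, since the `if not old_in_pg or not new_in_pg` guard now handles a missing field instead of a 400. changepass() continues outside the hunk.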
@@ -184,9 +187,9 @@ def sendmsg():
"""
Route for sending a single message.
"""
- send_message(request.form['Id'], request.form['Message'],
- request.form['Us'])
- return redirect('/messages?from=%s' % request.form['Id'])
+ send_message(request.form.get('Id'), request.form.get('Message'),
+ request.form.get('Us'))
+ return redirect('/messages?from=%s' % request.form.get('Id'))
@app.route('/write', methods=['GET', 'POST'])
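Review bot: When the `Id` field is absent, `request.form.get('Id')` is None, so send_message() receives None and the client is then redirected to `/messages?from=None` as if the send had succeeded. A guard before the call, `if not request.form.get('Id'): return render_template('fail.html', msg='Missing message id')`, would surface the problem, and the id should be URL-encoded (`urllib.parse.quote`) rather than interpolated with `%s` into the query string. Whether `quote` is already imported in diaspora.py is not visible here.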
@@ -197,18 +200,18 @@ def write():
if request.method != 'POST':
return render_template('write.html')
- if request.form['42']:
+ if request.form.get('42'):
return render_template('fail.html', msg='Are you a robot?')
delkey = randomstring(32)
storyargs = [
None,
- request.form['Name'],
- request.form['Embark'],
- request.form['Disembark'],
- request.form['Email'],
- request.form['City'],
- request.form['Story'],
+ request.form.get('Name', 'Anonymous writer'),
+ request.form.get('Embark', 'nn'),
+ request.form.get('Disembark', 'nn'),
+ request.form.get('Email'),
+ request.form.get('City'),
+ request.form.get('Story', 'foobar'),
int(time()),
0,
delkey,
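Review bot: The defaults added to the storyargs list (`'Anonymous writer'`, `'nn'`, `'foobar'`) only apply when the field is missing from the form entirely; a field that is present but empty, which is what a browser submits for a blank text input, still yields `''`, so an empty story is still inserted, and when the defaults do fire they store placeholder text rather than rejecting the request. A validation step before building storyargs, e.g. `if not request.form.get('Story'): return render_template('fail.html', msg='Please write a story!')`, would be clearer than placeholder values. write()'s body continues past the hunk.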
@@ -218,10 +221,12 @@ def write():
sql_insert(storyargs)
new_account = False
- if request.form['Email']:
- new_account = make_profile(request.form['Name'], request.form['Email'])
+ if request.form.get('Email'):
+ new_account = make_profile(request.form.get('Name', 'Anonymous user'),
+ request.form.get('Email'))
- return render_template('success_write.html', delkey=delkey, new=new_account)
+ return render_template('success_write.html', delkey=delkey,
+ new=new_account)
@app.route('/edit', methods=['GET', 'POST'])
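Review bot: The fallback name differs between the two hunks of write(): the story row uses `request.form.get('Name', 'Anonymous writer')` in the storyargs list earlier in the function, while the make_profile() call here uses `request.form.get('Name', 'Anonymous user')`, so a submission without a Name field gets a profile under a different name than its story. Reading the field once into a local, `name = request.form.get('Name', 'Anonymous writer')`, and using it in both places would keep them in step. Note also that make_profile() returns None when the email already exists (per the utils.py hunk), which reaches the template as `new=None`; if that is intended, a short comment here would save the next reader a lookup.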
@@ -240,15 +245,16 @@ def edit():
return render_template('fail.html', msg='No story with this story id.')
vals = [
- ('name', request.form['Name']),
- ('embark', request.form['Embark']),
- ('disembark', request.form['Disembark']),
- ('email', request.form['Email']),
- ('city', request.form['City']),
- ('story', request.form['Story']),
- ('abstract', request.form['Abstract']),
+ ('name', request.form.get('Name', 'Anonymous user')),
+ ('embark', request.form.get('Embark', 'nn')),
+ ('disembark', request.form('Disembark', 'nn')),
+ ('email', request.form.get('Email')),
+ ('city', request.form.get('City')),
+ ('story', request.form.get('Story', 'foo')),
+ ('abstract', request.form.get('Abstract', 'foo')),
]
- sql_update_row_where(vals, 'id', request.form['Id'])
+ if request.form.get('Id'):
+ sql_update_row_where(vals, 'id', request.form.get('Id'))
return render_template('success.html', msg='Story redacted!')
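Review bot: The line `('disembark', request.form('Disembark', 'nn')),` calls the form object instead of its `.get()` method, so every POST to /edit will raise a TypeError before the update runs; it should read `('disembark', request.form.get('Disembark', 'nn')),`. The new `if request.form.get('Id'):` guard also falls through to `render_template('success.html', msg='Story redacted!')` when Id is absent, reporting success for an update that never happened; returning the fail template in that case would be more honest. edit() starts outside the hunk, so whether the caller is authorized to edit this story id is not visible here.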
@@ -393,17 +399,16 @@ def users():
if request.method == 'POST':
vals = []
- if request.form['password']:
+ if request.form.get('password'):
vals.append(('password',
- hashpw(request.form['password'].encode(),
+ hashpw(request.form.get('password').encode(),
gensalt())))
- if request.form['cap']:
- vals.append(('cap', request.form['cap']))
-
- if vals:
- sql_update_row_where(vals, 'id', request.form['id'], table='users')
+ if request.form.get('cap'):
+ vals.append(('cap', request.form.get('cap')))
- print(vals)
+ if vals and request.form.get('id'):
+ sql_update_row_where(vals, 'id', request.form.get('id'),
+ table='users')
if request.args.get('delid'):
delete_user(request.args.get('delid'))
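Review bot: The `delid` branch at the end of the hunk, `if request.args.get('delid'): delete_user(request.args.get('delid'))`, deletes a user from a query-string parameter and, as far as the hunk shows, sits outside the `request.method == 'POST'` check, so a plain GET with `?delid=` removes an account; state-changing actions should be taken only from a POST body and, if the app has a CSRF token, under its protection. The new `if vals and request.form.get('id'):` guard is a sensible addition, and dropping the `print(vals)` that logged password hashes is right. users() continues outside the hunk.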
diff --git a/utils.py b/utils.py
@@ -28,8 +28,7 @@ from time import gmtime, strftime, time
from bcrypt import gensalt, hashpw
from flask import Markup
-from db import (sql_select_col_where, sql_insert, sql_delete_row_where,
- sql_select_col)
+from db import (sql_select_col_where, sql_insert, sql_delete_row_where)
COUNTRYMAP = {}
@@ -225,7 +224,7 @@ def make_profile(name, email):
Helper function to generate and insert a profile into the database.
"""
if sql_select_col_where('email', 'email', email, table='users'):
- return
+ return None
plain_pw = randomstring(24)
@@ -316,6 +315,8 @@ def send_message(id_to, msg, id_us):
"""
Function for sending/recieving a message.
"""
+ if not id_to or not msg or not id_us:
+ return
ours = find_user_by_id(id_us)
if not ours:
return
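Review bot: The new guard `if not id_to or not msg or not id_us: return` returns None silently, the same as the existing `if not ours: return` below it, so the only caller visible in this commit, sendmsg(), cannot tell a dropped message from a sent one and redirects as if it succeeded. Returning a bool (`return False` on the guards, `return True` at the end of the function) would let the caller report the failure. send_message() continues outside the hunk.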
@@ -359,6 +360,9 @@ def send_message(id_to, msg, id_us):
def delete_user(user_id):
+ """
+ Deletes a user and their messages directory.
+ """
user = find_user_by_id(user_id)
rmtree(join('messages', user['email']), ignore_errors=True)
sql_delete_row_where('id', user_id, table='users')
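Review bot: `user = find_user_by_id(user_id)` is dereferenced on the next line without a check, and the same helper is already treated as possibly returning a falsy value in send_message() (`if not ours: return`), so delete_user() with an unknown id will raise a TypeError on `user['email']` instead of doing nothing; add `if not user: return` before the rmtree. The directory path `join('messages', user['email'])` is built from a stored email address that originally came from a form field, so it is worth confirming that emails are validated on input and the path cannot leave the messages directory. The new docstring could then state that an unknown id is a no-op. delete_user() may continue past the hunk.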