[Twisted-web] guard peculiarities (with workaround)

Douglas Bagnall twisted-web@twistedmatrix.com
Thu, 18 Dec 2003 02:43:08 +1300


hi,
Using guard in what I believe is a fairly standard way (pilfered from 
some example or another), I have been getting strange results when 
logging in for the first time. Every field in the login form was being 
treated as a doubly nested repr()'d list, e.g. "douglas" would come back 
as ["['douglas']"]. As Moshe said, it looks like a [0] is missing 
somewhere, but AFAICT, my code floats above the level of form data, 
thanks I think to guard.UsernamePasswordWrapper.

Anyway, the problem appears when users/htmlers, wanting to reduce 
clicks, copy the form into unguarded pages.  It appears that guard needs 
an anonymous request before it will properly allow a login.

Here's the log, reformatted and annotated:


## get the unguarded page with the form in it

"GET / HTTP/1.1" 200 13663 "-"

## which submits correctly ('z' has empty password)
"GET /admin/perspective-init?
       username=z
       &password=
       &submit=Login
       HTTP/1.1" 302 528 "http://upstage.org.nz:8083/"

## ... and bounces about
"GET /admin/session-init/perspective-init?
       username=%5B%27z%27%5D
       &password=%5B%27%27%5D
       &submit=%5B%27Login%27%5D
       HTTP/1.1" 302 670 "http://upstage.org.nz:8083/"

## ...collecting square brackets...
"GET /admin/__session_key__9c06c9e61ee806d13c2d43a5088ab6a2/
       perspective-init?
       username=%5B%22%5B%27z%27%5D%22%5D
       &password=%5B%22%5B%27%27%5D%22%5D
       &submit=%5B%22%5B%27Login%27%5D%22%5D
       HTTP/1.1" 302 736 "http://upstage.org.nz:8083/"

##  until arriving at a login error page:
"GET /admin/perspective-init?
       username=%5B%27%5B%22%5B%5C%27z%5C%27%5D%22%5D%27%5D
       &password=%5B%27%5B%22%5B%5C%27%5C%27%5D%22%5D%27%5D
       &__session_just_started__=1
       &submit=%5B%27%5B%22%5B%5C%27Login%5C%27%5D%22%5D%27%5D
       HTTP/1.1" 200 1153 "http://upstage.org.nz:8083/"

## Trying again, another 302 response
"GET /admin/perspective-init?
       username=z
       &password=
       &submit=Login
       HTTP/1.1" 302 266 "http://upstage.org.nz:8083/"

## but the target page isn't logged, only the broken links it causes
"GET /admin/img/spacer.gif HTTP/1.1" 404 165 
"http://upstage.org.nz:8083/admin/"

Which led me to a tacky workaround -- the first request within the 
guarded realm comes from a spurious image link, priming it for form 
submission. Like so:

"GET / HTTP/1.1" 200 13752 "-"
"GET /admin/img/spacer.gif HTTP/1.1" 302 384
"GET /admin/session-init/img/spacer.gif HTTP/1.1" 302
"GET /admin/__session_key__2a0d[ ... ]/img/spacer.gif HTTP/1.1" 302
"GET /admin/img/spacer.gif?__session_just_started__=1 HTTP/1.1" 200 488

However, this seems a little ridiculous. Is there a good reason why 
people shouldn't be able to log in the first time?  On this site, some of the 
pages have to be plain unwoven html, with hard-coded forms and whatnot, 
so the people maintaining those pages can understand it.


cheers,

douglas


Attachment: extract.py

# cut down a bit for clarity

# Twisted imports the extract relies on (Twisted 1.1-era module paths); the
# application's own names (config, AdminLoginPage, ActionDir, SessionID,
# player_dict, dumbRedirect, ...) are not part of this extract.
from twisted.web import static
from twisted.web.resource import IResource
from twisted.web.woven import guard
from twisted.cred.portal import Portal, IRealm
from twisted.cred.checkers import AllowAnonymousAccess
from twisted.cred.checkers import InMemoryUsernamePasswordDatabaseDontUse
from twisted.cred.credentials import IAnonymous


def website():
    """Returns the web tree."""
    docroot = static.File(config.HTDOCS)
    admin = adminWrapper(config.ADMIN)
    docroot.putChild('admin', admin)
    return docroot


class AdminRealm:
    __implements__ = IRealm

    def __init__(self, admin_dir):
        self.anonResource = AdminLoginPage()
        self.admin_dir = admin_dir

    def requestAvatar(self, username, mind, *interfaces):
        if IResource not in interfaces:
            raise NotImplementedError("WTF, tried non-web login")
        if username and player_dict[username].can_admin():
            # admin: the static admin tree plus the action resources
            tree = static.File(self.admin_dir)
            tree.putChild('new', ActionDir(new_thing, username))
            tree.putChild('edit', ActionDir(EditThings, username))
            tree.putChild('manage', ActionDir(ManageThings, username))
            tree.putChild('save_thing', SwfConversionWrapper())
            tree.putChild('save_video', VideoThing())
            tree.putChild('id', SessionID(username))
            tree.putChild('error', AdminError('deliberate error'))
            return (IResource, tree, lambda: None)
        elif username:  # player, but not admin.
            nontree = static.File(self.admin_dir + 'nonadmin/')
            nontree.putChild('id', SessionID(username))
            return (IResource, nontree, lambda: None)
        else:  # anon - the audience.
            self.anonResource.putChild('id', SessionID())
            return IResource, self.anonResource, lambda: None


def adminWrapper(admin_dir):
    p = Portal(AdminRealm(admin_dir))
    p.registerChecker(AllowAnonymousAccess(), IAnonymous)
    p.registerChecker(InMemoryUsernamePasswordDatabaseDontUse(z=''))
    ##p.registerChecker(player_dict)
    upw = guard.UsernamePasswordWrapper(p, callback=dumbRedirect)
    r = guard.SessionWrapper(upw)
    r.sessionLifetime = 6 * 3600
    return r
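The square-bracket chain in the log above, reproduced as an added example (this is not code from the original post and not Twisted's guard code). It assumes, and this is my assumption rather than something read from the guard source, that each redirect hop re-encodes request.args with urllib's urlencode without doseq, so every list value is str()'d into a single field value. That one assumption regenerates the logged query strings byte for byte. The query strings embedded below are copied from the annotated log; the function names (parse_args, redirect_query_naive, redirect_query_fixed, follow_redirects, first_value, unwrap_repr) are mine.

```python
# Added example: a model of the guard redirect hops seen in the log.
# Not the original post's code and not Twisted's own guard implementation.
import ast
from urllib.parse import parse_qs, urlencode

# Query strings copied from the annotated log: hop 0 is the plain form
# submission, hops 1..3 are what the successive 302s carried.
LOGGED_HOPS = [
    "username=z&password=&submit=Login",
    "username=%5B%27z%27%5D&password=%5B%27%27%5D&submit=%5B%27Login%27%5D",
    "username=%5B%22%5B%27z%27%5D%22%5D&password=%5B%22%5B%27%27%5D%22%5D"
    "&submit=%5B%22%5B%27Login%27%5D%22%5D",
    "username=%5B%27%5B%22%5B%5C%27z%5C%27%5D%22%5D%27%5D"
    "&password=%5B%27%5B%22%5B%5C%27%5C%27%5D%22%5D%27%5D"
    "&submit=%5B%27%5B%22%5B%5C%27Login%5C%27%5D%22%5D%27%5D",
]


def parse_args(query):
    """Parse a query string the way a web server exposes request.args:
    every field maps to a *list* of values, even when it occurs once."""
    return parse_qs(query, keep_blank_values=True)


def redirect_query_naive(args):
    """Assumed buggy hop: re-encode request.args without doseq, so each
    list value is str()'d ("['z']") and becomes one field value."""
    return urlencode(args)


def redirect_query_fixed(args):
    """Corrected hop: doseq=True emits one key=value pair per list element,
    so the field values survive any number of redirects unchanged."""
    return urlencode(args, doseq=True)


def follow_redirects(query, hops, encoder):
    """Push a query string through `hops` redirects using `encoder`."""
    for _ in range(hops):
        query = encoder(parse_args(query))
    return query


def first_value(args, key):
    """The missing [0]: a handler must take args[key][0], not args[key]."""
    values = args.get(key, [])
    return values[0] if values else None


def unwrap_repr(value):
    """Diagnostic only: peel repr()'d single-element lists off a value that
    has already been mangled, until a plain string remains."""
    while True:
        try:
            inner = ast.literal_eval(value)
        except (ValueError, SyntaxError):
            return value  # not a Python literal: this is the real value
        if isinstance(inner, list) and len(inner) == 1 and isinstance(inner[0], str):
            value = inner[0]
        else:
            return value


if __name__ == "__main__":
    for n in range(1, 4):
        mangled = follow_redirects(LOGGED_HOPS[0], n, redirect_query_naive)
        print("hop %d naive : %s" % (n, mangled), mangled == LOGGED_HOPS[n])
        print("hop %d doseq : %s" % (n, follow_redirects(LOGGED_HOPS[0], n, redirect_query_fixed)))
    print("recovered username:", unwrap_repr(parse_args(LOGGED_HOPS[3])["username"][0]))
```

Two separate fixes fall out of the model: on the encoding side, doseq=True (or encoding each args[key][0] explicitly) stops the redirect from wrapping values, and on the consuming side a handler that reads args[key][0] is insensitive to how many values arrived. unwrap_repr is only there to decode a log like the one above; it is not a substitute for either fix.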