[Twisted-web] guard peculiarities (with workaround)
Douglas Bagnall
twisted-web@twistedmatrix.com
Thu, 18 Dec 2003 02:43:08 +1300
hi,
Using guard in what I believe is a fairly standard way (pilfered from
some example or another), I have been getting strange results when
logging in for the first time. Every field in the login form was being
treated as a doubly nested repr()'d list, e.g. "douglas" would come back
as ["['douglas']"]. As Moshe said, it looks like a [0] is missing
somewhere, but AFAICT, my code floats above the level of form data,
thanks I think to guard.UsernamePasswordWrapper.
Anyway, the problem appears when users/htmlers, wanting to reduce
clicks, copy the form into unguarded pages. It appears that guard needs
an anonymous request before it will properly allow a login.
Here's the log, reformatted and annotated:
## get the unguarded page with the form in it
"GET / HTTP/1.1" 200 13663 "-"
## which submits correctly ('z' has empty password)
"GET /admin/perspective-init?
username=z
&password=
&submit=Login
HTTP/1.1" 302 528 "http://upstage.org.nz:8083/"
## ... and bounces about
"GET /admin/session-init/perspective-init?
username=%5B%27z%27%5D
&password=%5B%27%27%5D
&submit=%5B%27Login%27%5D
HTTP/1.1" 302 670 "http://upstage.org.nz:8083/"
## ...collecting square brackets...
"GET /admin/__session_key__9c06c9e61ee806d13c2d43a5088ab6a2/
perspective-init?
username=%5B%22%5B%27z%27%5D%22%5D
&password=%5B%22%5B%27%27%5D%22%5D
&submit=%5B%22%5B%27Login%27%5D%22%5D
HTTP/1.1" 302 736 "http://upstage.org.nz:8083/"
## until arriving at a login error page:
"GET /admin/perspective-init?
username=%5B%27%5B%22%5B%5C%27z%5C%27%5D%22%5D%27%5D
&password=%5B%27%5B%22%5B%5C%27%5C%27%5D%22%5D%27%5D
&__session_just_started__=1
&submit=%5B%27%5B%22%5B%5C%27Login%5C%27%5D%22%5D%27%5D
HTTP/1.1" 200 1153 "http://upstage.org.nz:8083/"
## Trying again, another 302 response
"GET /admin/perspective-init?
username=z
&password=
&submit=Login
HTTP/1.1" 302 266 "http://upstage.org.nz:8083/"
## but the target page isn't logged, only the broken links it causes
"GET /admin/img/spacer.gif HTTP/1.1" 404 165
"http://upstage.org.nz:8083/admin/"
Which led me to a tacky workaround -- the first request within the
guarded realm comes from a spurious image link, priming it for form
submission. Like so:
"GET / HTTP/1.1" 200 13752 "-"
"GET /admin/img/spacer.gif HTTP/1.1" 302 384
"GET /admin/session-init/img/spacer.gif HTTP/1.1" 302
"GET /admin/__session_key__2a0d[ ... ]/img/spacer.gif HTTP/1.1" 302
"GET /admin/img/spacer.gif?__session_just_started__=1 HTTP/1.1" 200 488
However, this seems a little ridiculous. Is there a good reason why
people shouldn't be able to log in the first time? On this site, some of the
pages have to be plain unwoven html, with hard-coded forms and whatnot,
so the people maintaining those pages can understand it.
cheers,
douglas
extract.py (the attached file, decoded from base64; imports added, indentation
normalised from mixed tabs and spaces):

# cut down a bit for clarity

# Imports this extract needs (Twisted 1.1-era module paths; the attachment
# as sent omitted them):
from twisted.web import static
from twisted.web.resource import IResource
from twisted.web.woven import guard
from twisted.cred.portal import Portal, IRealm
from twisted.cred.credentials import IAnonymous
from twisted.cred.checkers import AllowAnonymousAccess, \
    InMemoryUsernamePasswordDatabaseDontUse

# config, AdminLoginPage, player_dict, ActionDir, new_thing, EditThings,
# ManageThings, SwfConversionWrapper, VideoThing, SessionID, AdminError and
# dumbRedirect are defined in the parts of the file that were cut.


def website():
    """Returns the web tree."""
    docroot = static.File(config.HTDOCS)
    admin = adminWrapper(config.ADMIN)
    docroot.putChild('admin', admin)
    return docroot


class AdminRealm:
    __implements__ = IRealm

    def __init__(self, admin_dir):
        self.anonResource = AdminLoginPage()
        self.admin_dir = admin_dir

    def requestAvatar(self, username, mind, *interfaces):
        if IResource not in interfaces:
            raise NotImplementedError("WTF, tried non-web login")
        if username and player_dict[username].can_admin():
            # admin: the full action tree under the admin directory
            tree = static.File(self.admin_dir)
            tree.putChild('new', ActionDir(new_thing, username))
            tree.putChild('edit', ActionDir(EditThings, username))
            tree.putChild('manage', ActionDir(ManageThings, username))
            tree.putChild('save_thing', SwfConversionWrapper())
            tree.putChild('save_video', VideoThing())
            tree.putChild('id', SessionID(username))
            tree.putChild('error', AdminError('deliberate error'))
            return (IResource, tree, lambda: None)
        elif username:  # player, but not admin.
            nontree = static.File(self.admin_dir + 'nonadmin/')
            nontree.putChild('id', SessionID(username))
            return (IResource, nontree, lambda: None)
        else:  # anon - the audience.
            self.anonResource.putChild('id', SessionID())
            return IResource, self.anonResource, lambda: None


def adminWrapper(admin_dir):
    p = Portal(AdminRealm(admin_dir))
    p.registerChecker(AllowAnonymousAccess(), IAnonymous)
    # 'z' with an empty password is the test account used in the log above;
    # the real checker (player_dict) is commented out.
    p.registerChecker(InMemoryUsernamePasswordDatabaseDontUse(z=''))
    ##p.registerChecker(player_dict)
    upw = guard.UsernamePasswordWrapper(p, callback=dumbRedirect)
    r = guard.SessionWrapper(upw)
    r.sessionLifetime = 6 * 3600
    return r
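The bracket-collecting seen in the log is exactly what you get when a redirect is rebuilt from request.args (a dict of field name to *list* of values) without taking each value's [0]: urlencode() stringifies the list, the next hop parses that string as the single value, and so on. The following is an added example, not Twisted's guard code and not part of the original post: it simulates the three 302 hops shown in the log (session-init, __session_key__..., then __session_just_started__=1), with a buggy re-encoder that reproduces the logged query strings byte for byte, the one-argument fix (doseq), and the author's workaround, where a request that already carries a session skips the hops entirely. The session key, the hop paths and the assumption that the fault is the missing per-value unpacking are modelled from the log, not from Twisted's source.

```python
"""Simulate guard's session-init redirect chain on a login form submission.

Added example, not Twisted code.  The three hops are modelled on the log in the
post above; SESSION_KEY is a placeholder, not a real guard session key.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SESSION_KEY = "__session_key__0123456789abcdef"   # placeholder (assumption)

# URL from the log above: user 'z' with an empty password submits the form.
LOGIN_URL = ("http://upstage.org.nz:8083/admin/perspective-init"
             "?username=z&password=&submit=Login")


def reencode_buggy(args):
    """Rebuild the query from request.args as-is.

    Each value is a list, so urlencode() emits str(['z']) == "['z']" for it:
    this is the 'missing [0]' the thread talks about."""
    return urlencode(args)


def reencode_fixed(args):
    """Rebuild the query emitting one name=value pair per list element."""
    return urlencode(args, doseq=True)


def redirect_chain(url, has_session, reencode):
    """Return every URL the browser is bounced through, starting with `url`
    and ending with the URL the guarded resource finally sees."""
    scheme, host, path, query, frag = urlsplit(url)
    seen = [url]
    if has_session:
        # A session cookie is already present (e.g. the spacer.gif priming
        # request created it): no session-init dance, args pass through.
        return seen
    assert path.startswith("/admin/")
    rest = path[len("/admin/"):]
    # hop 1: /admin/session-init/<rest>
    # hop 2: /admin/<session key>/<rest>
    # hop 3: back to /admin/<rest>, flagged with __session_just_started__=1
    hops = [
        "/admin/session-init/" + rest,
        "/admin/" + SESSION_KEY + "/" + rest,
        "/admin/" + rest,
    ]
    args = parse_qs(query, keep_blank_values=True)
    for i, hop_path in enumerate(hops):
        query = reencode(args)
        if i == len(hops) - 1:
            query += "&__session_just_started__=1"
        url = urlunsplit((scheme, host, hop_path, query, frag))
        seen.append(url)
        # The next hop parses what the previous one emitted.
        args = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return seen


def final_username(url, has_session, reencode):
    """The 'username' value the login handler ends up with."""
    last = redirect_chain(url, has_session, reencode)[-1]
    return parse_qs(urlsplit(last).query, keep_blank_values=True)["username"][0]


if __name__ == "__main__":
    for hop in redirect_chain(LOGIN_URL, False, reencode_buggy):
        print(hop)
    print("buggy  :", repr(final_username(LOGIN_URL, False, reencode_buggy)))
    print("fixed  :", repr(final_username(LOGIN_URL, False, reencode_fixed)))
    print("primed :", repr(final_username(LOGIN_URL, True, reencode_buggy)))
```

Run as-is it prints the same four URLs as the log (username=z, then %5B%27z%27%5D, then %5B%22%5B%27z%27%5D%22%5D, then the backslash-escaped triple), which is a useful sanity check that the model matches the observed behaviour. Note that the fix and the workaround are not equivalent from a security standpoint: priming with an image request only avoids the hops, so any other code path that re-encodes request.args the same way would still mangle the credentials.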