Fix download forgery
This commit is contained in:
rubenwardy
parent
3f666d2302
commit
ff2a74367f
|
|
@ -25,13 +25,15 @@ from flask_github import GitHub
|
|||
from flask_wtf.csrf import CsrfProtect
|
||||
from flask_flatpages import FlatPages
|
||||
from flask_babel import Babel
|
||||
import os
|
||||
import os, redis
|
||||
|
||||
app = Flask(__name__, static_folder="public/static")
|
||||
app.config["FLATPAGES_ROOT"] = "flatpages"
|
||||
app.config["FLATPAGES_EXTENSION"] = ".md"
|
||||
app.config.from_pyfile(os.environ["FLASK_CONFIG"])
|
||||
|
||||
r = redis.Redis.from_url(app.config["REDIS_URL"])
|
||||
|
||||
menu.Menu(app=app)
|
||||
markdown = Markdown(app, extensions=["fenced_code"], safe_mode=True, output_format="html5")
|
||||
github = GitHub(app)
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ from flask_user import *
|
|||
|
||||
from . import bp
|
||||
|
||||
from app.rediscache import has_key, set_key, make_download_key
|
||||
from app.models import *
|
||||
from app.tasks.importtasks import makeVCSRelease
|
||||
from app.utils import *
|
||||
|
|
@ -123,20 +124,18 @@ def download_release(package, id):
|
|||
if release is None or release.package != package:
|
||||
abort(404)
|
||||
|
||||
if release is None:
|
||||
if "application/zip" in request.accept_mimetypes and \
|
||||
not "text/html" in request.accept_mimetypes:
|
||||
return "", 204
|
||||
else:
|
||||
flash("No download available.", "error")
|
||||
return redirect(package.getDetailsURL())
|
||||
else:
|
||||
PackageRelease.query.filter_by(id=release.id).update({
|
||||
"downloads": PackageRelease.downloads + 1
|
||||
})
|
||||
db.session.commit()
|
||||
ip = request.headers.get("X-Forwarded-For") or request.remote_addr
|
||||
if ip is not None:
|
||||
key = make_download_key(ip, release.package)
|
||||
if not has_key(key):
|
||||
set_key(key, "true")
|
||||
|
||||
return redirect(release.url, code=300)
|
||||
PackageRelease.query.filter_by(id=release.id).update({
|
||||
"downloads": PackageRelease.downloads + 1
|
||||
})
|
||||
db.session.commit()
|
||||
|
||||
return redirect(release.url, code=300)
|
||||
|
||||
@bp.route("/packages/<author>/<name>/releases/<id>/", methods=["GET", "POST"])
|
||||
@login_required
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
from . import r
|
||||
|
||||
# This file acts as a facade between the releases code and redis,
|
||||
# and also means that the releases code avoids knowing about `app`
|
||||
|
||||
def make_download_key(ip, package):
|
||||
return ("{}/{}/{}").format(ip, package.author.username, package.name)
|
||||
|
||||
def set_key(key, v):
|
||||
r.set(key, v)
|
||||
|
||||
def has_key(key):
|
||||
return r.exists(key)
|
||||
|
|
@ -10,8 +10,9 @@ SQLALCHEMY_DATABASE_URI = "sqlite:///../db.sqlite"
|
|||
GITHUB_CLIENT_ID = ""
|
||||
GITHUB_CLIENT_SECRET = ""
|
||||
|
||||
CELERY_BROKER_URL='redis://localhost:6379'
|
||||
CELERY_RESULT_BACKEND='redis://localhost:6379'
|
||||
REDIS_URL='redis://redis:6379'
|
||||
CELERY_BROKER_URL='redis://redis:6379'
|
||||
CELERY_RESULT_BACKEND='redis://redis:6379'
|
||||
|
||||
USER_ENABLE_REGISTER = False
|
||||
USER_ENABLE_CHANGE_USERNAME = False
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ celery==4.1.1
|
|||
kombu==4.2.0
|
||||
GitPython~=2.1
|
||||
lxml~=4.2
|
||||
pillow~=5.3
|
||||
pillow~=6.2
|
||||
pyScss~=1.3
|
||||
redis==2.10.6
|
||||
psycopg2~=2.7
|
||||
|
|
|
|||
Loading…
Reference in New Issue