Posted to commits@allura.apache.org by ke...@apache.org on 2017/08/04 13:52:40 UTC
allura git commit: Update ApacheAccessHandler.py to work with
antispam protection on login form
Repository: allura
Updated Branches:
refs/heads/master 02abc76d2 -> 4dea4d0cd
Update ApacheAccessHandler.py to work with antispam protection on login form
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/4dea4d0c
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/4dea4d0c
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/4dea4d0c
Branch: refs/heads/master
Commit: 4dea4d0cd69bdd3fd79015d86ff67eb7fe44b739
Parents: 02abc76
Author: Dave Brondsema <da...@brondsema.net>
Authored: Fri Jul 28 13:20:30 2017 -0400
Committer: Kenton Taylor <kt...@slashdotmedia.com>
Committed: Fri Aug 4 13:49:35 2017 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 35 +++++++++++++++++++++++++++++++----
1 file changed, 31 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/4dea4d0c/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 3d01f0c..942e5fc 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -54,6 +54,7 @@ this authorization code without Allura set up and configured on the git host.
from mod_python import apache
import os
import json
+import re
requests = None # will be imported on demand, to allow for virtualenv
@@ -124,9 +125,31 @@ def check_authentication(req):
if not username or not password:
return False
auth_url = req.get_options().get('ALLURA_AUTH_URL', 'https://127.0.0.1/auth/do_login')
+
+ # work through our own Antispam protection
+ auth_form_url = auth_url.replace('/do_login', '/')
+ auth_form_page = requests.get(auth_form_url, allow_redirects=False).text
+ auth_inputs = re.findall(r'(<input.*?>)', auth_form_page, re.I)
+ re_name = re.compile(r''' name=["']?(.*?)["' />]''')
+ re_value = re.compile(r''' value=["']?(.*?)["' />]''')
+ for i, input in enumerate(auth_inputs):
+ if 'password' in input:
+ password_field = re_name.search(input).group(1)
+ username_field = re_name.search(auth_inputs[i-1]).group(1)
+ if 'spinner' in input:
+ spinner_value = re_value.search(input).group(1)
+ honey1_field = re_name.search(auth_inputs[i+1]).group(1)
+ honey2_field = re_name.search(auth_inputs[i+2]).group(1)
+ if 'timestamp' in input:
+ timestamp_value = re_value.search(input).group(1)
+
r = requests.post(auth_url, allow_redirects=False, data={
- 'username': username,
- 'password': password,
+ username_field: username,
+ password_field: password,
+ 'timestamp': timestamp_value,
+ 'spinner': spinner_value,
+ honey1_field: '',
+ honey2_field: '',
'return_to': '/login_successful',
'_session_id': 'this-is-our-session',
}, cookies={
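Review bot: `username_field`, `password_field`, `spinner_value`, `timestamp_value`, `honey1_field` and `honey2_field` are bound only inside the `if` branches of the scraping loop, so when the fetched form lacks one of those inputs (an error page, a changed template, or an `ALLURA_AUTH_URL` that does not end in `/do_login`, which makes `auth_form_url` identical to `auth_url`) the `requests.post` below raises `UnboundLocalError` instead of the function returning `False`; the `re_name.search(...).group(1)` calls likewise raise `AttributeError` on a non-matching input, `auth_inputs[i+1]`/`[i+2]` can raise `IndexError`, and `auth_inputs[i-1]` at `i == 0` silently wraps to the last input. Initialise the six names to `None` before the loop, guard each regex match and neighbour index, and return `False` with a `log(req, ...)` line when any is still missing, as sketched below; the second hunk's multifactor post reuses the same unchecked names and is covered by the same fix. The loop variable `input` also shadows the builtin, so `field` reads better. `check_authentication` begins and ends outside this hunk.
```python
    # … unchanged: fetch of auth_form_url, auth_inputs and the two compiled regexes …
    username_field = password_field = None
    spinner_value = timestamp_value = None
    honey1_field = honey2_field = None
    for i, field in enumerate(auth_inputs):
        name_match = re_name.search(field)
        value_match = re_value.search(field)
        if 'password' in field and name_match and i > 0:
            password_field = name_match.group(1)
            prev_name = re_name.search(auth_inputs[i - 1])
            username_field = prev_name.group(1) if prev_name else None
        if 'spinner' in field and value_match and i + 2 < len(auth_inputs):
            spinner_value = value_match.group(1)
            honey_names = [re_name.search(auth_inputs[j]) for j in (i + 1, i + 2)]
            if all(honey_names):
                honey1_field, honey2_field = (m.group(1) for m in honey_names)
        if 'timestamp' in field and value_match:
            timestamp_value = value_match.group(1)
    if None in (username_field, password_field, spinner_value,
                timestamp_value, honey1_field, honey2_field):
        log(req, 'could not locate antispam login fields at %s' % auth_form_url)
        return False
    # … unchanged: requests.post with the discovered field names …
```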
@@ -140,8 +163,12 @@ def check_authentication(req):
log(req, 'trying multifactor for user: %s' % username)
sess = requests.Session()
r = sess.post(auth_url, allow_redirects=False, data={
- 'username': username,
- 'password': password,
+ username_field: username,
+ password_field: password,
+ 'timestamp': timestamp_value,
+ 'spinner': spinner_value,
+ honey1_field: '',
+ honey2_field: '',
'return_to': '/login_successful',
'_session_id': 'this-is-our-session',
}, cookies={
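Review bot: The form payload posted here repeats, key for key, the dict built for the first `requests.post` in the previous hunk, so a future change to the antispam fields has to be made in two places. Assemble it once after the field discovery, e.g. `login_data = {username_field: username, password_field: password, 'timestamp': timestamp_value, 'spinner': spinner_value, honey1_field: '', honey2_field: '', 'return_to': '/login_successful', '_session_id': 'this-is-our-session'}`, and pass `data=login_data` to both posts so the two cannot drift apart. `check_authentication` continues outside this hunk.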