Posted to commits@allura.apache.org by ke...@apache.org on 2017/08/04 13:52:40 UTC

allura git commit: Update ApacheAccessHandler.py to work with antispam protection on login form

Repository: allura
Updated Branches:
  refs/heads/master 02abc76d2 -> 4dea4d0cd


Update ApacheAccessHandler.py to work with antispam protection on login form


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/4dea4d0c
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/4dea4d0c
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/4dea4d0c

Branch: refs/heads/master
Commit: 4dea4d0cd69bdd3fd79015d86ff67eb7fe44b739
Parents: 02abc76
Author: Dave Brondsema <da...@brondsema.net>
Authored: Fri Jul 28 13:20:30 2017 -0400
Committer: Kenton Taylor <kt...@slashdotmedia.com>
Committed: Fri Aug 4 13:49:35 2017 +0000

----------------------------------------------------------------------
 scripts/ApacheAccessHandler.py | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/4dea4d0c/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 3d01f0c..942e5fc 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -54,6 +54,7 @@ this authorization code without Allura set up and configured on the git host.
 from mod_python import apache
 import os
 import json
+import re
 
 
 requests = None  # will be imported on demand, to allow for virtualenv
@@ -124,9 +125,31 @@ def check_authentication(req):
     if not username or not password:
         return False
     auth_url = req.get_options().get('ALLURA_AUTH_URL', 'https://127.0.0.1/auth/do_login')
+
+    # work through our own Antispam protection
+    auth_form_url = auth_url.replace('/do_login', '/')
+    auth_form_page = requests.get(auth_form_url, allow_redirects=False).text
+    auth_inputs = re.findall(r'(<input.*?>)', auth_form_page, re.I)
+    re_name = re.compile(r''' name=["']?(.*?)["' />]''')
+    re_value = re.compile(r''' value=["']?(.*?)["' />]''')
+    for i, input in enumerate(auth_inputs):
+        if 'password' in input:
+            password_field = re_name.search(input).group(1)
+            username_field = re_name.search(auth_inputs[i-1]).group(1)
+        if 'spinner' in input:
+            spinner_value = re_value.search(input).group(1)
+            honey1_field = re_name.search(auth_inputs[i+1]).group(1)
+            honey2_field = re_name.search(auth_inputs[i+2]).group(1)
+        if 'timestamp' in input:
+            timestamp_value = re_value.search(input).group(1)
+
     r = requests.post(auth_url, allow_redirects=False, data={
-        'username': username,
-        'password': password,
+        username_field: username,
+        password_field: password,
+        'timestamp': timestamp_value,
+        'spinner': spinner_value,
+        honey1_field: '',
+        honey2_field: '',
         'return_to': '/login_successful',
         '_session_id': 'this-is-our-session',
     }, cookies={
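Review bot: The six names bound inside the new loop (`username_field`, `password_field`, `spinner_value`, `timestamp_value`, `honey1_field`, `honey2_field`) stay unbound when the fetched form does not contain the expected inputs, so the `requests.post` that follows raises `UnboundLocalError` in the access handler instead of denying access; `re_name.search(...)` can likewise return `None` and raise `AttributeError`, and `auth_inputs[i-1]` silently wraps to the last element when the password input is the first one found. The loop variable `input` also shadows the builtin. Suggest defaulting the field names before the loop, guarding each match, and failing closed with a logged `return False` when any antispam value is missing, as below; whether the spinner and timestamp are bound to the session cookie that the POST sends is not visible here, and if they are, the form GET should carry the same cookies. `check_authentication` starts before this hunk and continues past it.
```python
    # … unchanged: form fetch, auth_inputs findall, re_name / re_value setup …

    def _attr(regex, tag):
        # None instead of AttributeError when the attribute is absent
        m = regex.search(tag)
        return m.group(1) if m else None

    # fall back to the plain field names; antispam values must be found
    username_field, password_field = 'username', 'password'
    spinner_value = timestamp_value = honey1_field = honey2_field = None
    for i, input_tag in enumerate(auth_inputs):
        if 'password' in input_tag and i > 0:
            password_field = _attr(re_name, input_tag)
            username_field = _attr(re_name, auth_inputs[i - 1])
        if 'spinner' in input_tag and i + 2 < len(auth_inputs):
            spinner_value = _attr(re_value, input_tag)
            honey1_field = _attr(re_name, auth_inputs[i + 1])
            honey2_field = _attr(re_name, auth_inputs[i + 2])
        if 'timestamp' in input_tag:
            timestamp_value = _attr(re_value, input_tag)
    if None in (username_field, password_field, spinner_value,
                timestamp_value, honey1_field, honey2_field):
        log(req, 'could not parse antispam fields from login form %s' % auth_form_url)
        return False  # fail closed rather than raise inside the handler

    # … unchanged: requests.post(auth_url, …) …
```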
@@ -140,8 +163,12 @@ def check_authentication(req):
         log(req, 'trying multifactor for user: %s' % username)
         sess = requests.Session()
         r = sess.post(auth_url, allow_redirects=False, data={
-            'username': username,
-            'password': password,
+            username_field: username,
+            password_field: password,
+            'timestamp': timestamp_value,
+            'spinner': spinner_value,
+            honey1_field: '',
+            honey2_field: '',
             'return_to': '/login_successful',
             '_session_id': 'this-is-our-session',
         }, cookies={
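Review bot: The payload at the added lines repeats, field for field, the dict built for the first `requests.post` in the previous hunk of this function, so any future change to the antispam fields has to be made in two places and the two calls can drift apart. Build it once before the first post, e.g. `auth_data = {username_field: username, password_field: password, 'timestamp': timestamp_value, 'spinner': spinner_value, honey1_field: '', honey2_field: '', 'return_to': '/login_successful', '_session_id': 'this-is-our-session'}`, and pass `data=auth_data` to both calls. The multifactor branch and `check_authentication` continue outside this hunk.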