upstream/kallithea Commit - r8082:6c381371

py3: fix non-ASCII URLs - decode unicode correctly before passing them to controllers as unicode strings...

Mads Kiilerich -

r8082:6c381371 default

parent child

kallithea/config/routing.py

0 +21 -1

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             Routes configuration
             The more specific and detailed routes should be defined first so they
             may take precedent over the more generic routes. For more information
             refer to the routes manual at http://routes.groovie.org/docs/
             """
-            from routes import Mapper
+            import routes
             from tg import request
+            from kallithea.lib.utils2 import safe_str
             # prefix for non repository related links needs to be prefixed with `/`
             ADMIN_PREFIX = '/_admin'
+            class Mapper(routes.Mapper):
+                """
+                Subclassed Mapper with routematch patched to decode "unicode" str url to
+                *real* unicode str before applying matches and invoking controller methods.
+                """
+                def routematch(self, url=None, environ=None):
+                    """
+                    routematch that also decode url from "fake bytes" to real unicode
+                    string before matching and invoking controllers.
+                    """
+                    # Process url like get_path_info does ... but PATH_INFO has already
+                    # been retrieved from environ and is passed, so - let's just use that
+                    # instead.
+                    url = safe_str(url.encode('latin1'))
+                    return super().routematch(url=url, environ=environ)
             def make_map(config):
                 """Create, configure and return the routes Mapper"""
                 rmap = Mapper(directory=config['paths']['controllers'],
                               always_scan=config['debug'])
                 rmap.minimization = False
                 rmap.explicit = False
                 from kallithea.lib.utils import is_valid_repo, is_valid_repo_group
                 def check_repo(environ, match_dict):
                     """
                     Check for valid repository for proper 404 handling.
                     Also, a bit of side effect modifying match_dict ...
                     """
                     if match_dict.get('f_path'):
                         # fix for multiple initial slashes that causes errors
                         match_dict['f_path'] = match_dict['f_path'].lstrip('/')
                     return is_valid_repo(match_dict['repo_name'], config['base_path'])
                 def check_group(environ, match_dict):
                     """
                     check for valid repository group for proper 404 handling
                     :param environ:
                     :param match_dict:
                     """
                     repo_group_name = match_dict.get('group_name')
                     return is_valid_repo_group(repo_group_name, config['base_path'])
                 def check_group_skip_path(environ, match_dict):
                     """
                     check for valid repository group for proper 404 handling, but skips
                     verification of existing path
                     :param environ:
                     :param match_dict:
                     """
                     repo_group_name = match_dict.get('group_name')
                     return is_valid_repo_group(repo_group_name, config['base_path'],
                                                skip_path_check=True)
                 def check_user_group(environ, match_dict):
                     """
                     check for valid user group for proper 404 handling
                     :param environ:
                     :param match_dict:
                     """
                     return True
                 def check_int(environ, match_dict):
                     return match_dict.get('id').isdigit()
                 #==========================================================================
                 # CUSTOM ROUTES HERE
                 #==========================================================================
                 # MAIN PAGE
                 rmap.connect('home', '/', controller='home')
                 rmap.connect('about', '/about', controller='home', action='about')
                 rmap.redirect('/favicon.ico', '/images/favicon.ico')
                 rmap.connect('repo_switcher_data', '/_repos', controller='home',
                              action='repo_switcher_data')
                 rmap.connect('users_and_groups_data', '/_users_and_groups', controller='home',
                              action='users_and_groups_data')
                 rmap.connect('rst_help',
                              "http://docutils.sourceforge.net/docs/user/rst/quickref.html",
                              _static=True)
                 rmap.connect('kallithea_project_url', "https://kallithea-scm.org/", _static=True)
                 rmap.connect('issues_url', 'https://bitbucket.org/conservancy/kallithea/issues', _static=True)
                 # ADMIN REPOSITORY ROUTES
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/repos') as m:
                     m.connect("repos", "/repos",
                               action="create", conditions=dict(method=["POST"]))
                     m.connect("repos", "/repos",
                               conditions=dict(method=["GET"]))
                     m.connect("new_repo", "/create_repository",
                               action="create_repository", conditions=dict(method=["GET"]))
                     m.connect("update_repo", "/repos/{repo_name:.*?}",
                               action="update", conditions=dict(method=["POST"],
                               function=check_repo))
                     m.connect("delete_repo", "/repos/{repo_name:.*?}/delete",
                               action="delete", conditions=dict(method=["POST"]))
                 # ADMIN REPOSITORY GROUPS ROUTES
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/repo_groups') as m:
                     m.connect("repos_groups", "/repo_groups",
                               action="create", conditions=dict(method=["POST"]))
                     m.connect("repos_groups", "/repo_groups",
                               conditions=dict(method=["GET"]))
                     m.connect("new_repos_group", "/repo_groups/new",
                               action="new", conditions=dict(method=["GET"]))
                     m.connect("update_repos_group", "/repo_groups/{group_name:.*?}",
                               action="update", conditions=dict(method=["POST"],
                                                                function=check_group))
                     m.connect("repos_group", "/repo_groups/{group_name:.*?}",
                               action="show", conditions=dict(method=["GET"],
                                                              function=check_group))
                     # EXTRAS REPO GROUP ROUTES
                     m.connect("edit_repo_group", "/repo_groups/{group_name:.*?}/edit",
                               action="edit",
                               conditions=dict(method=["GET"], function=check_group))
                     m.connect("edit_repo_group_advanced", "/repo_groups/{group_name:.*?}/edit/advanced",
                               action="edit_repo_group_advanced",
                               conditions=dict(method=["GET"], function=check_group))
                     m.connect("edit_repo_group_perms", "/repo_groups/{group_name:.*?}/edit/permissions",
                               action="edit_repo_group_perms",
                               conditions=dict(method=["GET"], function=check_group))
                     m.connect("edit_repo_group_perms_update", "/repo_groups/{group_name:.*?}/edit/permissions",
                               action="update_perms",
                               conditions=dict(method=["POST"], function=check_group))
                     m.connect("edit_repo_group_perms_delete", "/repo_groups/{group_name:.*?}/edit/permissions/delete",
                               action="delete_perms",
                               conditions=dict(method=["POST"], function=check_group))
                     m.connect("delete_repo_group", "/repo_groups/{group_name:.*?}/delete",
                               action="delete", conditions=dict(method=["POST"],
                                                                function=check_group_skip_path))
                 # ADMIN USER ROUTES
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/users') as m:
                     m.connect("new_user", "/users/new",
                               action="create", conditions=dict(method=["POST"]))
                     m.connect("users", "/users",
                               conditions=dict(method=["GET"]))
                     m.connect("formatted_users", "/users.{format}",
                               conditions=dict(method=["GET"]))
                     m.connect("new_user", "/users/new",
                               action="new", conditions=dict(method=["GET"]))
                     m.connect("update_user", "/users/{id}",
                               action="update", conditions=dict(method=["POST"]))
                     m.connect("delete_user", "/users/{id}/delete",
                               action="delete", conditions=dict(method=["POST"]))
                     m.connect("edit_user", "/users/{id}/edit",
                               action="edit", conditions=dict(method=["GET"]))
                     # EXTRAS USER ROUTES
                     m.connect("edit_user_advanced", "/users/{id}/edit/advanced",
                               action="edit_advanced", conditions=dict(method=["GET"]))
                     m.connect("edit_user_api_keys", "/users/{id}/edit/api_keys",
                               action="edit_api_keys", conditions=dict(method=["GET"]))
                     m.connect("edit_user_api_keys_update", "/users/{id}/edit/api_keys",
                               action="add_api_key", conditions=dict(method=["POST"]))
                     m.connect("edit_user_api_keys_delete", "/users/{id}/edit/api_keys/delete",
                               action="delete_api_key", conditions=dict(method=["POST"]))
                     m.connect("edit_user_ssh_keys", "/users/{id}/edit/ssh_keys",
                               action="edit_ssh_keys", conditions=dict(method=["GET"]))
                     m.connect("edit_user_ssh_keys", "/users/{id}/edit/ssh_keys",
                               action="ssh_keys_add", conditions=dict(method=["POST"]))
                     m.connect("edit_user_ssh_keys_delete", "/users/{id}/edit/ssh_keys/delete",
                               action="ssh_keys_delete", conditions=dict(method=["POST"]))
                     m.connect("edit_user_perms", "/users/{id}/edit/permissions",
                               action="edit_perms", conditions=dict(method=["GET"]))
                     m.connect("edit_user_perms_update", "/users/{id}/edit/permissions",
                               action="update_perms", conditions=dict(method=["POST"]))
                     m.connect("edit_user_emails", "/users/{id}/edit/emails",
                               action="edit_emails", conditions=dict(method=["GET"]))
                     m.connect("edit_user_emails_update", "/users/{id}/edit/emails",
                               action="add_email", conditions=dict(method=["POST"]))
                     m.connect("edit_user_emails_delete", "/users/{id}/edit/emails/delete",
                               action="delete_email", conditions=dict(method=["POST"]))
                     m.connect("edit_user_ips", "/users/{id}/edit/ips",
                               action="edit_ips", conditions=dict(method=["GET"]))
                     m.connect("edit_user_ips_update", "/users/{id}/edit/ips",
                               action="add_ip", conditions=dict(method=["POST"]))
                     m.connect("edit_user_ips_delete", "/users/{id}/edit/ips/delete",
                               action="delete_ip", conditions=dict(method=["POST"]))
                 # ADMIN USER GROUPS REST ROUTES
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/user_groups') as m:
                     m.connect("users_groups", "/user_groups",
                               action="create", conditions=dict(method=["POST"]))
                     m.connect("users_groups", "/user_groups",
                               conditions=dict(method=["GET"]))
                     m.connect("new_users_group", "/user_groups/new",
                               action="new", conditions=dict(method=["GET"]))
                     m.connect("update_users_group", "/user_groups/{id}",
                               action="update", conditions=dict(method=["POST"]))
                     m.connect("delete_users_group", "/user_groups/{id}/delete",
                               action="delete", conditions=dict(method=["POST"]))
                     m.connect("edit_users_group", "/user_groups/{id}/edit",
                               action="edit", conditions=dict(method=["GET"]),
                               function=check_user_group)
                     # EXTRAS USER GROUP ROUTES
                     m.connect("edit_user_group_default_perms", "/user_groups/{id}/edit/default_perms",
                               action="edit_default_perms", conditions=dict(method=["GET"]))
                     m.connect("edit_user_group_default_perms_update", "/user_groups/{id}/edit/default_perms",
                               action="update_default_perms", conditions=dict(method=["POST"]))
                     m.connect("edit_user_group_perms", "/user_groups/{id}/edit/perms",
                               action="edit_perms", conditions=dict(method=["GET"]))
                     m.connect("edit_user_group_perms_update", "/user_groups/{id}/edit/perms",
                               action="update_perms", conditions=dict(method=["POST"]))
                     m.connect("edit_user_group_perms_delete", "/user_groups/{id}/edit/perms/delete",
                               action="delete_perms", conditions=dict(method=["POST"]))
                     m.connect("edit_user_group_advanced", "/user_groups/{id}/edit/advanced",
                               action="edit_advanced", conditions=dict(method=["GET"]))
                     m.connect("edit_user_group_members", "/user_groups/{id}/edit/members",
                               action="edit_members", conditions=dict(method=["GET"]))
                 # ADMIN PERMISSIONS ROUTES
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/permissions') as m:
                     m.connect("admin_permissions", "/permissions",
                               action="permission_globals", conditions=dict(method=["POST"]))
                     m.connect("admin_permissions", "/permissions",
                               action="permission_globals", conditions=dict(method=["GET"]))
                     m.connect("admin_permissions_ips", "/permissions/ips",
                               action="permission_ips", conditions=dict(method=["GET"]))
                     m.connect("admin_permissions_perms", "/permissions/perms",
                               action="permission_perms", conditions=dict(method=["GET"]))
                 # ADMIN DEFAULTS ROUTES
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/defaults') as m:
                     m.connect('defaults', '/defaults')
                     m.connect('defaults_update', 'defaults/{id}/update',
                               action="update", conditions=dict(method=["POST"]))
                 # ADMIN AUTH SETTINGS
                 rmap.connect('auth_settings', '%s/auth' % ADMIN_PREFIX,
                              controller='admin/auth_settings', action='auth_settings',
                              conditions=dict(method=["POST"]))
                 rmap.connect('auth_home', '%s/auth' % ADMIN_PREFIX,
                              controller='admin/auth_settings')
                 # ADMIN SETTINGS ROUTES
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/settings') as m:
                     m.connect("admin_settings", "/settings",
                               action="settings_vcs", conditions=dict(method=["POST"]))
                     m.connect("admin_settings", "/settings",
                               action="settings_vcs", conditions=dict(method=["GET"]))
                     m.connect("admin_settings_mapping", "/settings/mapping",
                               action="settings_mapping", conditions=dict(method=["POST"]))
                     m.connect("admin_settings_mapping", "/settings/mapping",
                               action="settings_mapping", conditions=dict(method=["GET"]))
                     m.connect("admin_settings_global", "/settings/global",
                               action="settings_global", conditions=dict(method=["POST"]))
                     m.connect("admin_settings_global", "/settings/global",
                               action="settings_global", conditions=dict(method=["GET"]))
                     m.connect("admin_settings_visual", "/settings/visual",
                               action="settings_visual", conditions=dict(method=["POST"]))
                     m.connect("admin_settings_visual", "/settings/visual",
                               action="settings_visual", conditions=dict(method=["GET"]))
                     m.connect("admin_settings_email", "/settings/email",
                               action="settings_email", conditions=dict(method=["POST"]))
                     m.connect("admin_settings_email", "/settings/email",
                               action="settings_email", conditions=dict(method=["GET"]))
                     m.connect("admin_settings_hooks", "/settings/hooks",
                               action="settings_hooks", conditions=dict(method=["POST"]))
                     m.connect("admin_settings_hooks_delete", "/settings/hooks/delete",
                               action="settings_hooks", conditions=dict(method=["POST"]))
                     m.connect("admin_settings_hooks", "/settings/hooks",
                               action="settings_hooks", conditions=dict(method=["GET"]))
                     m.connect("admin_settings_search", "/settings/search",
                               action="settings_search", conditions=dict(method=["POST"]))
                     m.connect("admin_settings_search", "/settings/search",
                               action="settings_search", conditions=dict(method=["GET"]))
                     m.connect("admin_settings_system", "/settings/system",
                               action="settings_system", conditions=dict(method=["POST"]))
                     m.connect("admin_settings_system", "/settings/system",
                               action="settings_system", conditions=dict(method=["GET"]))
                 # ADMIN MY ACCOUNT
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/my_account') as m:
                     m.connect("my_account", "/my_account",
                               action="my_account", conditions=dict(method=["GET"]))
                     m.connect("my_account", "/my_account",
                               action="my_account", conditions=dict(method=["POST"]))
                     m.connect("my_account_password", "/my_account/password",
                               action="my_account_password", conditions=dict(method=["GET"]))
                     m.connect("my_account_password", "/my_account/password",
                               action="my_account_password", conditions=dict(method=["POST"]))
                     m.connect("my_account_repos", "/my_account/repos",
                               action="my_account_repos", conditions=dict(method=["GET"]))
                     m.connect("my_account_watched", "/my_account/watched",
                               action="my_account_watched", conditions=dict(method=["GET"]))
                     m.connect("my_account_perms", "/my_account/perms",
                               action="my_account_perms", conditions=dict(method=["GET"]))
                     m.connect("my_account_emails", "/my_account/emails",
                               action="my_account_emails", conditions=dict(method=["GET"]))
                     m.connect("my_account_emails", "/my_account/emails",
                               action="my_account_emails_add", conditions=dict(method=["POST"]))
                     m.connect("my_account_emails_delete", "/my_account/emails/delete",
                               action="my_account_emails_delete", conditions=dict(method=["POST"]))
                     m.connect("my_account_api_keys", "/my_account/api_keys",
                               action="my_account_api_keys", conditions=dict(method=["GET"]))
                     m.connect("my_account_api_keys", "/my_account/api_keys",
                               action="my_account_api_keys_add", conditions=dict(method=["POST"]))
                     m.connect("my_account_api_keys_delete", "/my_account/api_keys/delete",
                               action="my_account_api_keys_delete", conditions=dict(method=["POST"]))
                     m.connect("my_account_ssh_keys", "/my_account/ssh_keys",
                               action="my_account_ssh_keys", conditions=dict(method=["GET"]))
                     m.connect("my_account_ssh_keys", "/my_account/ssh_keys",
                               action="my_account_ssh_keys_add", conditions=dict(method=["POST"]))
                     m.connect("my_account_ssh_keys_delete", "/my_account/ssh_keys/delete",
                               action="my_account_ssh_keys_delete", conditions=dict(method=["POST"]))
                 # ADMIN GIST
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/gists') as m:
                     m.connect("gists", "/gists",
                               action="create", conditions=dict(method=["POST"]))
                     m.connect("gists", "/gists",
                               conditions=dict(method=["GET"]))
                     m.connect("new_gist", "/gists/new",
                               action="new", conditions=dict(method=["GET"]))
                     m.connect("gist_delete", "/gists/{gist_id}/delete",
                               action="delete", conditions=dict(method=["POST"]))
                     m.connect("edit_gist", "/gists/{gist_id}/edit",
                               action="edit", conditions=dict(method=["GET", "POST"]))
                     m.connect("edit_gist_check_revision", "/gists/{gist_id}/edit/check_revision",
                               action="check_revision", conditions=dict(method=["POST"]))
                     m.connect("gist", "/gists/{gist_id}",
                               action="show", conditions=dict(method=["GET"]))
                     m.connect("gist_rev", "/gists/{gist_id}/{revision}",
                               revision="tip",
                               action="show", conditions=dict(method=["GET"]))
                     m.connect("formatted_gist", "/gists/{gist_id}/{revision}/{format}",
                               revision="tip",
                               action="show", conditions=dict(method=["GET"]))
                     m.connect("formatted_gist_file", "/gists/{gist_id}/{revision}/{format}/{f_path:.*}",
                               revision='tip',
                               action="show", conditions=dict(method=["GET"]))
                 # ADMIN MAIN PAGES
                 with rmap.submapper(path_prefix=ADMIN_PREFIX,
                                     controller='admin/admin') as m:
                     m.connect('admin_home', '')
                     m.connect('admin_add_repo', '/add_repo/{new_repo:[a-z0-9. _-]*}',
                               action='add_repo')
                 #==========================================================================
                 # API V2
                 #==========================================================================
                 with rmap.submapper(path_prefix=ADMIN_PREFIX, controller='api/api',
                                     action='_dispatch') as m:
                     m.connect('api', '/api')
                 # USER JOURNAL
                 rmap.connect('journal', '%s/journal' % ADMIN_PREFIX,
                              controller='journal')
                 rmap.connect('journal_rss', '%s/journal/rss' % ADMIN_PREFIX,
                              controller='journal', action='journal_rss')
                 rmap.connect('journal_atom', '%s/journal/atom' % ADMIN_PREFIX,
                              controller='journal', action='journal_atom')
                 rmap.connect('public_journal', '%s/public_journal' % ADMIN_PREFIX,
                              controller='journal', action="public_journal")
                 rmap.connect('public_journal_rss', '%s/public_journal/rss' % ADMIN_PREFIX,
                              controller='journal', action="public_journal_rss")
                 rmap.connect('public_journal_rss_old', '%s/public_journal_rss' % ADMIN_PREFIX,
                              controller='journal', action="public_journal_rss")
                 rmap.connect('public_journal_atom',
                              '%s/public_journal/atom' % ADMIN_PREFIX, controller='journal',
                              action="public_journal_atom")
                 rmap.connect('public_journal_atom_old',
                              '%s/public_journal_atom' % ADMIN_PREFIX, controller='journal',
                              action="public_journal_atom")
                 rmap.connect('toggle_following', '%s/toggle_following' % ADMIN_PREFIX,
                              controller='journal', action='toggle_following',
                              conditions=dict(method=["POST"]))
                 # SEARCH
                 rmap.connect('search', '%s/search' % ADMIN_PREFIX, controller='search',)
                 rmap.connect('search_repo_admin', '%s/search/{repo_name:.*}' % ADMIN_PREFIX,
                              controller='search',
                              conditions=dict(function=check_repo))
                 rmap.connect('search_repo', '/{repo_name:.*?}/search',
                              controller='search',
                              conditions=dict(function=check_repo),
                              )
                 # LOGIN/LOGOUT/REGISTER/SIGN IN
                 rmap.connect('session_csrf_secret_token', '%s/session_csrf_secret_token' % ADMIN_PREFIX, controller='login', action='session_csrf_secret_token')
                 rmap.connect('login_home', '%s/login' % ADMIN_PREFIX, controller='login')
                 rmap.connect('logout_home', '%s/logout' % ADMIN_PREFIX, controller='login',
                              action='logout')
                 rmap.connect('register', '%s/register' % ADMIN_PREFIX, controller='login',
                              action='register')
                 rmap.connect('reset_password', '%s/password_reset' % ADMIN_PREFIX,
                              controller='login', action='password_reset')
                 rmap.connect('reset_password_confirmation',
                              '%s/password_reset_confirmation' % ADMIN_PREFIX,
                              controller='login', action='password_reset_confirmation')
                 # FEEDS
                 rmap.connect('rss_feed_home', '/{repo_name:.*?}/feed/rss',
                             controller='feed', action='rss',
                             conditions=dict(function=check_repo))
                 rmap.connect('atom_feed_home', '/{repo_name:.*?}/feed/atom',
                             controller='feed', action='atom',
                             conditions=dict(function=check_repo))
                 #==========================================================================
                 # REPOSITORY ROUTES
                 #==========================================================================
                 rmap.connect('repo_creating_home', '/{repo_name:.*?}/repo_creating',
                             controller='admin/repos', action='repo_creating')
                 rmap.connect('repo_check_home', '/{repo_name:.*?}/repo_check_creating',
                             controller='admin/repos', action='repo_check')
                 rmap.connect('summary_home', '/{repo_name:.*?}',
                             controller='summary',
                             conditions=dict(function=check_repo))
                 # must be here for proper group/repo catching
                 rmap.connect('repos_group_home', '/{group_name:.*}',
                             controller='admin/repo_groups', action="show_by_name",
                             conditions=dict(function=check_group))
                 rmap.connect('repo_stats_home', '/{repo_name:.*?}/statistics',
                             controller='summary', action='statistics',
                             conditions=dict(function=check_repo))
                 rmap.connect('repo_size', '/{repo_name:.*?}/repo_size',
                             controller='summary', action='repo_size',
                             conditions=dict(function=check_repo))
                 rmap.connect('repo_refs_data', '/{repo_name:.*?}/refs-data',
                              controller='home', action='repo_refs_data')
                 rmap.connect('changeset_home', '/{repo_name:.*?}/changeset/{revision:.*}',
                             controller='changeset', revision='tip',
                             conditions=dict(function=check_repo))
                 rmap.connect('changeset_children', '/{repo_name:.*?}/changeset_children/{revision}',
                             controller='changeset', revision='tip', action="changeset_children",
                             conditions=dict(function=check_repo))
                 rmap.connect('changeset_parents', '/{repo_name:.*?}/changeset_parents/{revision}',
                             controller='changeset', revision='tip', action="changeset_parents",
                             conditions=dict(function=check_repo))
                 # repo edit options
                 rmap.connect("edit_repo", "/{repo_name:.*?}/settings",
                              controller='admin/repos', action="edit",
                              conditions=dict(method=["GET"], function=check_repo))
                 rmap.connect("edit_repo_perms", "/{repo_name:.*?}/settings/permissions",
                              controller='admin/repos', action="edit_permissions",
                              conditions=dict(method=["GET"], function=check_repo))
                 rmap.connect("edit_repo_perms_update", "/{repo_name:.*?}/settings/permissions",
                              controller='admin/repos', action="edit_permissions_update",
                              conditions=dict(method=["POST"], function=check_repo))
                 rmap.connect("edit_repo_perms_revoke", "/{repo_name:.*?}/settings/permissions/delete",
                              controller='admin/repos', action="edit_permissions_revoke",
                              conditions=dict(method=["POST"], function=check_repo))
                 rmap.connect("edit_repo_fields", "/{repo_name:.*?}/settings/fields",
                              controller='admin/repos', action="edit_fields",
                              conditions=dict(method=["GET"], function=check_repo))
                 rmap.connect('create_repo_fields', "/{repo_name:.*?}/settings/fields/new",
                              controller='admin/repos', action="create_repo_field",
                              conditions=dict(method=["POST"], function=check_repo))
                 rmap.connect('delete_repo_fields', "/{repo_name:.*?}/settings/fields/{field_id}/delete",
                              controller='admin/repos', action="delete_repo_field",
                              conditions=dict(method=["POST"], function=check_repo))
                 rmap.connect("edit_repo_advanced", "/{repo_name:.*?}/settings/advanced",
                              controller='admin/repos', action="edit_advanced",
                              conditions=dict(method=["GET"], function=check_repo))
                 rmap.connect("edit_repo_advanced_journal", "/{repo_name:.*?}/settings/advanced/journal",
                              controller='admin/repos', action="edit_advanced_journal",
                              conditions=dict(method=["POST"], function=check_repo))
                 rmap.connect("edit_repo_advanced_fork", "/{repo_name:.*?}/settings/advanced/fork",
                              controller='admin/repos', action="edit_advanced_fork",
                              conditions=dict(method=["POST"], function=check_repo))
                 rmap.connect("edit_repo_caches", "/{repo_name:.*?}/settings/caches",
                              controller='admin/repos', action="edit_caches",
                              conditions=dict(method=["GET"], function=check_repo))
                 rmap.connect("update_repo_caches", "/{repo_name:.*?}/settings/caches",
                              controller='admin/repos', action="edit_caches",
                              conditions=dict(method=["POST"], function=check_repo))
                 rmap.connect("edit_repo_remote", "/{repo_name:.*?}/settings/remote",
                              controller='admin/repos', action="edit_remote",
                              conditions=dict(method=["GET"], function=check_repo))
                 rmap.connect("edit_repo_remote_update", "/{repo_name:.*?}/settings/remote",
                              controller='admin/repos', action="edit_remote",
                              conditions=dict(method=["POST"], function=check_repo))
                 rmap.connect("edit_repo_statistics", "/{repo_name:.*?}/settings/statistics",
                              controller='admin/repos', action="edit_statistics",
                              conditions=dict(method=["GET"], function=check_repo))
                 rmap.connect("edit_repo_statistics_update", "/{repo_name:.*?}/settings/statistics",
                              controller='admin/repos', action="edit_statistics",
                              conditions=dict(method=["POST"], function=check_repo))
                 # still working url for backward compat.
                 rmap.connect('raw_changeset_home_depraced',
                              '/{repo_name:.*?}/raw-changeset/{revision}',
                              controller='changeset', action='changeset_raw',
                              revision='tip', conditions=dict(function=check_repo))
                 ## new URLs
                 rmap.connect('changeset_raw_home',
                              '/{repo_name:.*?}/changeset-diff/{revision}',
                              controller='changeset', action='changeset_raw',
                              revision='tip', conditions=dict(function=check_repo))
                 rmap.connect('changeset_patch_home',
                              '/{repo_name:.*?}/changeset-patch/{revision}',
                              controller='changeset', action='changeset_patch',
                              revision='tip', conditions=dict(function=check_repo))
                 rmap.connect('changeset_download_home',
                              '/{repo_name:.*?}/changeset-download/{revision}',
                              controller='changeset', action='changeset_download',
                              revision='tip', conditions=dict(function=check_repo))
                 rmap.connect('changeset_comment',
                              '/{repo_name:.*?}/changeset-comment/{revision}',
                             controller='changeset', revision='tip', action='comment',
                             conditions=dict(function=check_repo))
                 rmap.connect('changeset_comment_delete',
                              '/{repo_name:.*?}/changeset-comment/{comment_id}/delete',
                             controller='changeset', action='delete_comment',
                             conditions=dict(function=check_repo, method=["POST"]))
                 rmap.connect('changeset_info', '/changeset_info/{repo_name:.*?}/{revision}',
                              controller='changeset', action='changeset_info')
                 rmap.connect('compare_home',
                              '/{repo_name:.*?}/compare',
                              controller='compare',
                              conditions=dict(function=check_repo))
                 rmap.connect('compare_url',
                              '/{repo_name:.*?}/compare/{org_ref_type}@{org_ref_name:.*?}...{other_ref_type}@{other_ref_name:.*?}',
                              controller='compare', action='compare',
                              conditions=dict(function=check_repo),
                              requirements=dict(
                                         org_ref_type='(branch|book|tag|rev|__other_ref_type__)',
                                         other_ref_type='(branch|book|tag|rev|__org_ref_type__)')
                              )
                 rmap.connect('pullrequest_home',
                              '/{repo_name:.*?}/pull-request/new', controller='pullrequests',
                              conditions=dict(function=check_repo,
                                                              method=["GET"]))
                 rmap.connect('pullrequest_repo_info',
                              '/{repo_name:.*?}/pull-request-repo-info',
                              controller='pullrequests', action='repo_info',
                              conditions=dict(function=check_repo, method=["GET"]))
                 rmap.connect('pullrequest',
                              '/{repo_name:.*?}/pull-request/new', controller='pullrequests',
                              action='create', conditions=dict(function=check_repo,
                                                               method=["POST"]))
                 rmap.connect('pullrequest_show',
                              '/{repo_name:.*?}/pull-request/{pull_request_id:\\d+}{extra:(/.*)?}', extra='',
                              controller='pullrequests',
                              action='show', conditions=dict(function=check_repo,
                                                             method=["GET"]))
                 rmap.connect('pullrequest_post',
                              '/{repo_name:.*?}/pull-request/{pull_request_id}',
                              controller='pullrequests',
                              action='post', conditions=dict(function=check_repo,
                                                             method=["POST"]))
                 rmap.connect('pullrequest_delete',
                              '/{repo_name:.*?}/pull-request/{pull_request_id}/delete',
                              controller='pullrequests',
                              action='delete', conditions=dict(function=check_repo,
                                                               method=["POST"]))
                 rmap.connect('pullrequest_show_all',
                              '/{repo_name:.*?}/pull-request',
                              controller='pullrequests',
                              action='show_all', conditions=dict(function=check_repo,
                                                             method=["GET"]))
                 rmap.connect('my_pullrequests',
                              '/my_pullrequests',
                              controller='pullrequests',
                              action='show_my', conditions=dict(method=["GET"]))
                 rmap.connect('pullrequest_comment',
                              '/{repo_name:.*?}/pull-request-comment/{pull_request_id}',
                              controller='pullrequests',
                              action='comment', conditions=dict(function=check_repo,
                                                             method=["POST"]))
                 rmap.connect('pullrequest_comment_delete',
                              '/{repo_name:.*?}/pull-request-comment/{comment_id}/delete',
                             controller='pullrequests', action='delete_comment',
                             conditions=dict(function=check_repo, method=["POST"]))
                 rmap.connect('summary_home_summary', '/{repo_name:.*?}/summary',
                             controller='summary', conditions=dict(function=check_repo))
                 rmap.connect('changelog_home', '/{repo_name:.*?}/changelog',
                             controller='changelog', conditions=dict(function=check_repo))
                 rmap.connect('changelog_file_home', '/{repo_name:.*?}/changelog/{revision}/{f_path:.*}',
                             controller='changelog',
                             conditions=dict(function=check_repo))
                 rmap.connect('changelog_details', '/{repo_name:.*?}/changelog_details/{cs}',
                             controller='changelog', action='changelog_details',
                             conditions=dict(function=check_repo))
                 rmap.connect('files_home', '/{repo_name:.*?}/files/{revision}/{f_path:.*}',
                             controller='files', revision='tip', f_path='',
                             conditions=dict(function=check_repo))
                 rmap.connect('files_home_nopath', '/{repo_name:.*?}/files/{revision}',
                             controller='files', revision='tip', f_path='',
                             conditions=dict(function=check_repo))
                 rmap.connect('files_history_home',
                              '/{repo_name:.*?}/history/{revision}/{f_path:.*}',
                              controller='files', action='history', revision='tip', f_path='',
                              conditions=dict(function=check_repo))
                 rmap.connect('files_authors_home',
                              '/{repo_name:.*?}/authors/{revision}/{f_path:.*}',
                              controller='files', action='authors', revision='tip', f_path='',
                              conditions=dict(function=check_repo))
                 rmap.connect('files_diff_home', '/{repo_name:.*?}/diff/{f_path:.*}',
                             controller='files', action='diff', revision='tip', f_path='',
                             conditions=dict(function=check_repo))
                 rmap.connect('files_diff_2way_home', '/{repo_name:.*?}/diff-2way/{f_path:.+}',
                             controller='files', action='diff_2way', revision='tip', f_path='',
                             conditions=dict(function=check_repo))
                 rmap.connect('files_rawfile_home',
                              '/{repo_name:.*?}/rawfile/{revision}/{f_path:.*}',
                              controller='files', action='rawfile', revision='tip',
                              f_path='', conditions=dict(function=check_repo))
                 rmap.connect('files_raw_home',
                              '/{repo_name:.*?}/raw/{revision}/{f_path:.*}',
                              controller='files', action='raw', revision='tip', f_path='',
                              conditions=dict(function=check_repo))
                 rmap.connect('files_annotate_home',
                              '/{repo_name:.*?}/annotate/{revision}/{f_path:.*}',
                              controller='files', revision='tip',
                              f_path='', annotate='1', conditions=dict(function=check_repo))
                 rmap.connect('files_edit_home',
                              '/{repo_name:.*?}/edit/{revision}/{f_path:.*}',
                              controller='files', action='edit', revision='tip',
                              f_path='', conditions=dict(function=check_repo))
                 rmap.connect('files_add_home',
                              '/{repo_name:.*?}/add/{revision}/{f_path:.*}',
                              controller='files', action='add', revision='tip',
                              f_path='', conditions=dict(function=check_repo))
                 rmap.connect('files_delete_home',
                              '/{repo_name:.*?}/delete/{revision}/{f_path:.*}',
                              controller='files', action='delete', revision='tip',
                              f_path='', conditions=dict(function=check_repo))
                 rmap.connect('files_archive_home', '/{repo_name:.*?}/archive/{fname}',
                             controller='files', action='archivefile',
                             conditions=dict(function=check_repo))
                 rmap.connect('files_nodelist_home',
                              '/{repo_name:.*?}/nodelist/{revision}/{f_path:.*}',
                             controller='files', action='nodelist',
                             conditions=dict(function=check_repo))
                 rmap.connect('repo_fork_create_home', '/{repo_name:.*?}/fork',
                             controller='forks', action='fork_create',
                             conditions=dict(function=check_repo, method=["POST"]))
                 rmap.connect('repo_fork_home', '/{repo_name:.*?}/fork',
                             controller='forks', action='fork',
                             conditions=dict(function=check_repo))
                 rmap.connect('repo_forks_home', '/{repo_name:.*?}/forks',
                              controller='forks', action='forks',
                              conditions=dict(function=check_repo))
                 rmap.connect('repo_followers_home', '/{repo_name:.*?}/followers',
                              controller='followers', action='followers',
                              conditions=dict(function=check_repo))
                 return rmap
             class UrlGenerator(object):
                 """Emulate pylons.url in providing a wrapper around routes.url
                 This code was added during migration from Pylons to Turbogears2. Pylons
                 already provided a wrapper like this, but Turbogears2 does not.
                 When the routing of Kallithea is changed to use less Routes and more
                 Turbogears2-style routing, this class may disappear or change.
                 url() (the __call__ method) returns the URL based on a route name and
                 arguments.
                 url.current() returns the URL of the current page with arguments applied.
                 Refer to documentation of Routes for details:
                 https://routes.readthedocs.io/en/latest/generating.html#generation
                 """
                 def __call__(self, *args, **kwargs):
                     return request.environ['routes.url'](*args, **kwargs)
                 def current(self, *args, **kwargs):
                     return request.environ['routes.url'].current(*args, **kwargs)
             url = UrlGenerator()

kallithea/lib/base.py

0 +7 -2

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.lib.base
             ~~~~~~~~~~~~~~~~~~
             The base Controller API
             Provides the BaseController class for subclassing. And usage in different
             controllers
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: Oct 06, 2010
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             import base64
             import datetime
             import logging
             import traceback
             import warnings
             import decorator
             import paste.auth.basic
             import paste.httpexceptions
             import paste.httpheaders
             import webob.exc
             from tg import TGController, config, render_template, request, response, session
             from tg import tmpl_context as c
             from tg.i18n import ugettext as _
             from kallithea import BACKENDS, __version__
             from kallithea.config.routing import url
             from kallithea.lib import auth_modules, ext_json
             from kallithea.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from kallithea.lib.exceptions import UserCreationError
             from kallithea.lib.utils import get_repo_slug, is_valid_repo
             from kallithea.lib.utils2 import AttributeDict, ascii_bytes, safe_int, safe_str, set_hook_environment, str2bool
             from kallithea.lib.vcs.exceptions import ChangesetDoesNotExistError, EmptyRepositoryError, RepositoryError
             from kallithea.model import meta
             from kallithea.model.db import PullRequest, Repository, Setting, User
             from kallithea.model.scm import ScmModel
             log = logging.getLogger(__name__)
             def render(template_path):
                 return render_template({'url': url}, 'mako', template_path)
             def _filter_proxy(ip):
                 """
                 HEADERS can have multiple ips inside the left-most being the original
                 client, and each successive proxy that passed the request adding the IP
                 address where it received the request from.
                 :param ip:
                 """
                 if ',' in ip:
                     _ips = ip.split(',')
                     _first_ip = _ips[0].strip()
                     log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
                     return _first_ip
                 return ip
             def _get_ip_addr(environ):
                 proxy_key = 'HTTP_X_REAL_IP'
                 proxy_key2 = 'HTTP_X_FORWARDED_FOR'
                 def_key = 'REMOTE_ADDR'
                 ip = environ.get(proxy_key)
                 if ip:
                     return _filter_proxy(ip)
                 ip = environ.get(proxy_key2)
                 if ip:
                     return _filter_proxy(ip)
                 ip = environ.get(def_key, '0.0.0.0')
                 return _filter_proxy(ip)
             def get_path_info(environ):
-                """Return unicode PATH_INFO from environ ... using tg.original_request if available.
+                """Return PATH_INFO from environ ... using tg.original_request if available.
+                In Python 3 WSGI, PATH_INFO is a unicode str, but kind of contains encoded
+                bytes. The code points are guaranteed to only use the lower 8 bit bits, and
+                encoding the string with the 1:1 encoding latin1 will give the
+                corresponding byte string ... which then can be decoded to proper unicode.
                 """
                 org_req = environ.get('tg.original_request')
                 if org_req is not None:
                     environ = org_req.environ
-                return safe_str(environ['PATH_INFO'])
+                return safe_str(environ['PATH_INFO'].encode('latin1'))
             def log_in_user(user, remember, is_external_auth, ip_addr):
                 """
                 Log a `User` in and update session and cookies. If `remember` is True,
                 the session cookie is set to expire in a year; otherwise, it expires at
                 the end of the browser session.
                 Returns populated `AuthUser` object.
                 """
                 # It should not be possible to explicitly log in as the default user.
                 assert not user.is_default_user, user
                 auth_user = AuthUser.make(dbuser=user, is_external_auth=is_external_auth, ip_addr=ip_addr)
                 if auth_user is None:
                     return None
                 user.update_lastlogin()
                 meta.Session().commit()
                 # Start new session to prevent session fixation attacks.
                 session.invalidate()
                 session['authuser'] = cookie = auth_user.to_cookie()
                 # If they want to be remembered, update the cookie.
                 # NOTE: Assumes that beaker defaults to browser session cookie.
                 if remember:
                     t = datetime.datetime.now() + datetime.timedelta(days=365)
                     session._set_cookie_expires(t)
                 session.save()
                 log.info('user %s is now authenticated and stored in '
                          'session, session attrs %s', user.username, cookie)
                 # dumps session attrs back to cookie
                 session._update_cookie_out()
                 return auth_user
             class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):
                 def __init__(self, realm, authfunc, auth_http_code=None):
                     self.realm = realm
                     self.authfunc = authfunc
                     self._rc_auth_http_code = auth_http_code
                 def build_authentication(self, environ):
                     head = paste.httpheaders.WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
                     # Consume the whole body before sending a response
                     try:
                         request_body_size = int(environ.get('CONTENT_LENGTH', 0))
                     except (ValueError):
                         request_body_size = 0
                     environ['wsgi.input'].read(request_body_size)
                     if self._rc_auth_http_code and self._rc_auth_http_code == '403':
                         # return 403 if alternative http return code is specified in
                         # Kallithea config
                         return paste.httpexceptions.HTTPForbidden(headers=head)
                     return paste.httpexceptions.HTTPUnauthorized(headers=head)
                 def authenticate(self, environ):
                     authorization = paste.httpheaders.AUTHORIZATION(environ)
                     if not authorization:
                         return self.build_authentication(environ)
                     (authmeth, auth) = authorization.split(' ', 1)
                     if 'basic' != authmeth.lower():
                         return self.build_authentication(environ)
                     auth = safe_str(base64.b64decode(auth.strip()))
                     _parts = auth.split(':', 1)
                     if len(_parts) == 2:
                         username, password = _parts
                         if self.authfunc(username, password, environ) is not None:
                             return username
                     return self.build_authentication(environ)
                 __call__ = authenticate
             class BaseVCSController(object):
                 """Base controller for handling Mercurial/Git protocol requests
                 (coming from a VCS client, and not a browser).
                 """
                 scm_alias = None # 'hg' / 'git'
                 def __init__(self, application, config):
                     self.application = application
                     self.config = config
                     # base path of repo locations
                     self.basepath = self.config['base_path']
                     # authenticate this VCS request using the authentication modules
                     self.authenticate = BasicAuth('', auth_modules.authenticate,
                                                   config.get('auth_ret_code'))
                 @classmethod
                 def parse_request(cls, environ):
                     """If request is parsed as a request for this VCS, return a namespace with the parsed request.
                     If the request is unknown, return None.
                     """
                     raise NotImplementedError()
                 def _authorize(self, environ, action, repo_name, ip_addr):
                     """Authenticate and authorize user.
                     Since we're dealing with a VCS client and not a browser, we only
                     support HTTP basic authentication, either directly via raw header
                     inspection, or by using container authentication to delegate the
                     authentication to the web server.
                     Returns (user, None) on successful authentication and authorization.
                     Returns (None, wsgi_app) to send the wsgi_app response to the client.
                     """
                     # Use anonymous access if allowed for action on repo.
                     default_user = User.get_default_user(cache=True)
                     default_authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
                     if default_authuser is None:
                         log.debug('No anonymous access at all') # move on to proper user auth
                     else:
                         if self._check_permission(action, default_authuser, repo_name):
                             return default_authuser, None
                         log.debug('Not authorized to access this repository as anonymous user')
                     username = None
                     #==============================================================
                     # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                     # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                     #==============================================================
                     # try to auth based on environ, container auth methods
                     log.debug('Running PRE-AUTH for container based authentication')
                     pre_auth = auth_modules.authenticate('', '', environ)
                     if pre_auth is not None and pre_auth.get('username'):
                         username = pre_auth['username']
                     log.debug('PRE-AUTH got %s as username', username)
                     # If not authenticated by the container, running basic auth
                     if not username:
                         self.authenticate.realm = self.config['realm']
                         result = self.authenticate(environ)
                         if isinstance(result, str):
                             paste.httpheaders.AUTH_TYPE.update(environ, 'basic')
                             paste.httpheaders.REMOTE_USER.update(environ, result)
                             username = result
                         else:
                             return None, result.wsgi_application
                     #==============================================================
                     # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                     #==============================================================
                     try:
                         user = User.get_by_username_or_email(username)
                     except Exception:
                         log.error(traceback.format_exc())
                         return None, webob.exc.HTTPInternalServerError()
                     authuser = AuthUser.make(dbuser=user, ip_addr=ip_addr)
                     if authuser is None:
                         return None, webob.exc.HTTPForbidden()
                     if not self._check_permission(action, authuser, repo_name):
                         return None, webob.exc.HTTPForbidden()
                     return user, None
                 def _handle_request(self, environ, start_response):
                     raise NotImplementedError()
                 def _check_permission(self, action, authuser, repo_name):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name
                     :param action: 'push' or 'pull' action
                     :param user: `User` instance
                     :param repo_name: repository name
                     """
                     if action == 'push':
                         if not HasPermissionAnyMiddleware('repository.write',
                                                           'repository.admin')(authuser,
                                                                               repo_name):
                             return False
                     else:
                         #any other action need at least read permission
                         if not HasPermissionAnyMiddleware('repository.read',
                                                           'repository.write',
                                                           'repository.admin')(authuser,
                                                                               repo_name):
                             return False
                     return True
                 def _get_ip_addr(self, environ):
                     return _get_ip_addr(environ)
                 def __call__(self, environ, start_response):
                     try:
                         # try parsing a request for this VCS - if it fails, call the wrapped app
                         parsed_request = self.parse_request(environ)
                         if parsed_request is None:
                             return self.application(environ, start_response)
                         # skip passing error to error controller
                         environ['pylons.status_code_redirect'] = True
                         # quick check if repo exists...
                         if not is_valid_repo(parsed_request.repo_name, self.basepath, self.scm_alias):
                             raise webob.exc.HTTPNotFound()
                         if parsed_request.action is None:
                             # Note: the client doesn't get the helpful error message
                             raise webob.exc.HTTPBadRequest('Unable to detect pull/push action for %r! Are you using a nonstandard command or client?' % parsed_request.repo_name)
                         #======================================================================
                         # CHECK PERMISSIONS
                         #======================================================================
                         ip_addr = self._get_ip_addr(environ)
                         user, response_app = self._authorize(environ, parsed_request.action, parsed_request.repo_name, ip_addr)
                         if response_app is not None:
                             return response_app(environ, start_response)
                         #======================================================================
                         # REQUEST HANDLING
                         #======================================================================
                         set_hook_environment(user.username, ip_addr,
                             parsed_request.repo_name, self.scm_alias, parsed_request.action)
                         try:
                             log.info('%s action on %s repo "%s" by "%s" from %s',
                                      parsed_request.action, self.scm_alias, parsed_request.repo_name, user.username, ip_addr)
                             app = self._make_app(parsed_request)
                             return app(environ, start_response)
                         except Exception:
                             log.error(traceback.format_exc())
                             raise webob.exc.HTTPInternalServerError()
                     except webob.exc.HTTPException as e:
                         return e(environ, start_response)
             class BaseController(TGController):
                 def _before(self, *args, **kwargs):
                     """
                     _before is called before controller methods and after __call__
                     """
                     if request.needs_csrf_check:
                         # CSRF protection: Whenever a request has ambient authority (whether
                         # through a session cookie or its origin IP address), it must include
                         # the correct token, unless the HTTP method is GET or HEAD (and thus
                         # guaranteed to be side effect free. In practice, the only situation
                         # where we allow side effects without ambient authority is when the
                         # authority comes from an API key; and that is handled above.
                         from kallithea.lib import helpers as h
                         token = request.POST.get(h.session_csrf_secret_name)
                         if not token or token != h.session_csrf_secret_token():
                             log.error('CSRF check failed')
                             raise webob.exc.HTTPForbidden()
                     c.kallithea_version = __version__
                     rc_config = Setting.get_app_settings()
                     # Visual options
                     c.visual = AttributeDict({})
                     ## DB stored
                     c.visual.show_public_icon = str2bool(rc_config.get('show_public_icon'))
                     c.visual.show_private_icon = str2bool(rc_config.get('show_private_icon'))
                     c.visual.stylify_metalabels = str2bool(rc_config.get('stylify_metalabels'))
                     c.visual.page_size = safe_int(rc_config.get('dashboard_items', 100))
                     c.visual.admin_grid_items = safe_int(rc_config.get('admin_grid_items', 100))
                     c.visual.repository_fields = str2bool(rc_config.get('repository_fields'))
                     c.visual.show_version = str2bool(rc_config.get('show_version'))
                     c.visual.use_gravatar = str2bool(rc_config.get('use_gravatar'))
                     c.visual.gravatar_url = rc_config.get('gravatar_url')
                     c.ga_code = rc_config.get('ga_code')
                     # TODO: replace undocumented backwards compatibility hack with db upgrade and rename ga_code
                     if c.ga_code and '<' not in c.ga_code:
                         c.ga_code = '''<script type="text/javascript">
                             var _gaq = _gaq || [];
                             _gaq.push(['_setAccount', '%s']);
                             _gaq.push(['_trackPageview']);
                             (function() {
                                 var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
                                 ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
                                 var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
                                 })();
                         </script>''' % c.ga_code
                     c.site_name = rc_config.get('title')
                     c.clone_uri_tmpl = rc_config.get('clone_uri_tmpl') or Repository.DEFAULT_CLONE_URI
                     c.clone_ssh_tmpl = rc_config.get('clone_ssh_tmpl') or Repository.DEFAULT_CLONE_SSH
                     ## INI stored
                     c.visual.allow_repo_location_change = str2bool(config.get('allow_repo_location_change', True))
                     c.visual.allow_custom_hooks_settings = str2bool(config.get('allow_custom_hooks_settings', True))
                     c.ssh_enabled = str2bool(config.get('ssh_enabled', False))
                     c.instance_id = config.get('instance_id')
                     c.issues_url = config.get('bugtracker', url('issues_url'))
                     # END CONFIG VARS
                     c.repo_name = get_repo_slug(request)  # can be empty
                     c.backends = list(BACKENDS)
                     self.cut_off_limit = safe_int(config.get('cut_off_limit'))
                     c.my_pr_count = PullRequest.query(reviewer_id=request.authuser.user_id, include_closed=False).count()
                     self.scm_model = ScmModel()
                 @staticmethod
                 def _determine_auth_user(session_authuser, ip_addr):
                     """
                     Create an `AuthUser` object given the API key/bearer token
                     (if any) and the value of the authuser session cookie.
                     Returns None if no valid user is found (like not active or no access for IP).
                     """
                     # Authenticate by session cookie
                     # In ancient login sessions, 'authuser' may not be a dict.
                     # In that case, the user will have to log in again.
                     # v0.3 and earlier included an 'is_authenticated' key; if present,
                     # this must be True.
                     if isinstance(session_authuser, dict) and session_authuser.get('is_authenticated', True):
                         return AuthUser.from_cookie(session_authuser, ip_addr=ip_addr)
                     # Authenticate by auth_container plugin (if enabled)
                     if any(
                         plugin.is_container_auth
                         for plugin in auth_modules.get_auth_plugins()
                     ):
                         try:
                             user_info = auth_modules.authenticate('', '', request.environ)
                         except UserCreationError as e:
                             from kallithea.lib import helpers as h
                             h.flash(e, 'error', logf=log.error)
                         else:
                             if user_info is not None:
                                 username = user_info['username']
                                 user = User.get_by_username(username, case_insensitive=True)
                                 return log_in_user(user, remember=False, is_external_auth=True, ip_addr=ip_addr)
                     # User is default user (if active) or anonymous
                     default_user = User.get_default_user(cache=True)
                     authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
                     if authuser is None: # fall back to anonymous
                         authuser = AuthUser(dbuser=default_user) # TODO: somehow use .make?
                     return authuser
                 @staticmethod
                 def _basic_security_checks():
                     """Perform basic security/sanity checks before processing the request."""
                     # Only allow the following HTTP request methods.
                     if request.method not in ['GET', 'HEAD', 'POST']:
                         raise webob.exc.HTTPMethodNotAllowed()
                     # Also verify the _method override - no longer allowed.
                     if request.params.get('_method') is None:
                         pass # no override, no problem
                     else:
                         raise webob.exc.HTTPMethodNotAllowed()
                     # Make sure CSRF token never appears in the URL. If so, invalidate it.
                     from kallithea.lib import helpers as h
                     if h.session_csrf_secret_name in request.GET:
                         log.error('CSRF key leak detected')
                         session.pop(h.session_csrf_secret_name, None)
                         session.save()
                         h.flash(_('CSRF token leak has been detected - all form tokens have been expired'),
                                 category='error')
                     # WebOb already ignores request payload parameters for anything other
                     # than POST/PUT, but double-check since other Kallithea code relies on
                     # this assumption.
                     if request.method not in ['POST', 'PUT'] and request.POST:
                         log.error('%r request with payload parameters; WebOb should have stopped this', request.method)
                         raise webob.exc.HTTPBadRequest()
                 def __call__(self, environ, context):
                     try:
                         ip_addr = _get_ip_addr(environ)
                         self._basic_security_checks()
                         api_key = request.GET.get('api_key')
                         try:
                             # Request.authorization may raise ValueError on invalid input
                             type, params = request.authorization
                         except (ValueError, TypeError):
                             pass
                         else:
                             if type.lower() == 'bearer':
                                 api_key = params # bearer token is an api key too
                         if api_key is None:
                             authuser = self._determine_auth_user(
                                 session.get('authuser'),
                                 ip_addr=ip_addr,
                             )
                             needs_csrf_check = request.method not in ['GET', 'HEAD']
                         else:
                             dbuser = User.get_by_api_key(api_key)
                             if dbuser is None:
                                 log.info('No db user found for authentication with API key ****%s from %s',
                                          api_key[-4:], ip_addr)
                             authuser = AuthUser.make(dbuser=dbuser, is_external_auth=True, ip_addr=ip_addr)
                             needs_csrf_check = False # API key provides CSRF protection
                         if authuser is None:
                             log.info('No valid user found')
                             raise webob.exc.HTTPForbidden()
                         # set globals for auth user
                         request.authuser = authuser
                         request.ip_addr = ip_addr
                         request.needs_csrf_check = needs_csrf_check
                         log.info('IP: %s User: %s accessed %s',
                             request.ip_addr, request.authuser,
                             get_path_info(environ),
                         )
                         return super(BaseController, self).__call__(environ, context)
                     except webob.exc.HTTPException as e:
                         return e
             class BaseRepoController(BaseController):
                 """
                 Base class for controllers responsible for loading all needed data for
                 repository loaded items are
                 c.db_repo_scm_instance: instance of scm repository
                 c.db_repo: instance of db
                 c.repository_followers: number of followers
                 c.repository_forks: number of forks
                 c.repository_following: weather the current user is following the current repo
                 """
                 def _before(self, *args, **kwargs):
                     super(BaseRepoController, self)._before(*args, **kwargs)
                     if c.repo_name:  # extracted from routes
                         _dbr = Repository.get_by_repo_name(c.repo_name)
                         if not _dbr:
                             return
                         log.debug('Found repository in database %s with state `%s`',
                                   _dbr, _dbr.repo_state)
                         route = getattr(request.environ.get('routes.route'), 'name', '')
                         # allow to delete repos that are somehow damages in filesystem
                         if route in ['delete_repo']:
                             return
                         if _dbr.repo_state in [Repository.STATE_PENDING]:
                             if route in ['repo_creating_home']:
                                 return
                             check_url = url('repo_creating_home', repo_name=c.repo_name)
                             raise webob.exc.HTTPFound(location=check_url)
                         dbr = c.db_repo = _dbr
                         c.db_repo_scm_instance = c.db_repo.scm_instance
                         if c.db_repo_scm_instance is None:
                             log.error('%s this repository is present in database but it '
                                       'cannot be created as an scm instance', c.repo_name)
                             from kallithea.lib import helpers as h
                             h.flash(_('Repository not found in the filesystem'),
                                     category='error')
                             raise webob.exc.HTTPNotFound()
                         # some globals counter for menu
                         c.repository_followers = self.scm_model.get_followers(dbr)
                         c.repository_forks = self.scm_model.get_forks(dbr)
                         c.repository_pull_requests = self.scm_model.get_pull_requests(dbr)
                         c.repository_following = self.scm_model.is_following_repo(
                                                 c.repo_name, request.authuser.user_id)
                 @staticmethod
                 def _get_ref_rev(repo, ref_type, ref_name, returnempty=False):
                     """
                     Safe way to get changeset. If error occurs show error.
                     """
                     from kallithea.lib import helpers as h
                     try:
                         return repo.scm_instance.get_ref_revision(ref_type, ref_name)
                     except EmptyRepositoryError as e:
                         if returnempty:
                             return repo.scm_instance.EMPTY_CHANGESET
                         h.flash(_('There are no changesets yet'), category='error')
                         raise webob.exc.HTTPNotFound()
                     except ChangesetDoesNotExistError as e:
                         h.flash(_('Changeset for %s %s not found in %s') %
                                           (ref_type, ref_name, repo.repo_name),
                                 category='error')
                         raise webob.exc.HTTPNotFound()
                     except RepositoryError as e:
                         log.error(traceback.format_exc())
                         h.flash(e, category='error')
                         raise webob.exc.HTTPBadRequest()
             @decorator.decorator
             def jsonify(func, *args, **kwargs):
                 """Action decorator that formats output for JSON
                 Given a function that will return content, this decorator will turn
                 the result into JSON, with a content-type of 'application/json' and
                 output it.
                 """
                 response.headers['Content-Type'] = 'application/json; charset=utf-8'
                 data = func(*args, **kwargs)
                 if isinstance(data, (list, tuple)):
                     # A JSON list response is syntactically valid JavaScript and can be
                     # loaded and executed as JavaScript by a malicious third-party site
                     # using <script>, which can lead to cross-site data leaks.
                     # JSON responses should therefore be scalars or objects (i.e. Python
                     # dicts), because a JSON object is a syntax error if intepreted as JS.
                     msg = "JSON responses with Array envelopes are susceptible to " \
                           "cross-site data leak attacks, see " \
                           "https://web.archive.org/web/20120519231904/http://wiki.pylonshq.com/display/pylonsfaq/Warnings"
                     warnings.warn(msg, Warning, 2)
                     log.warning(msg)
                 log.debug("Returning JSON wrapped action output")
                 return ascii_bytes(ext_json.dumps(data))
             @decorator.decorator
             def IfSshEnabled(func, *args, **kwargs):
                 """Decorator for functions that can only be called if SSH access is enabled.
                 If SSH access is disabled in the configuration file, HTTPNotFound is raised.
                 """
                 if not c.ssh_enabled:
                     from kallithea.lib import helpers as h
                     h.flash(_("SSH access is disabled."), category='warning')
                     raise webob.exc.HTTPNotFound()
                 return func(*args, **kwargs)

kallithea/lib/middleware/permanent_repo_url.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.lib.middleware.permanent_repo_url
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             middleware to handle permanent repo URLs, replacing PATH_INFO '/_123/yada' with
             '/name/of/repo/yada' after looking 123 up in the database.
             """
             from kallithea.lib.utils import fix_repo_id_name
             from kallithea.lib.utils2 import safe_bytes, safe_str
             class PermanentRepoUrl(object):
                 def __init__(self, app, config):
                     self.application = app
                     self.config = config
                 def __call__(self, environ, start_response):
                     # Extract path_info as get_path_info does, but do it explicitly because
                     # we also have to do the reverse operation when patching it back in
-                    path_info = safe_str(environ['PATH_INFO'])
+                    path_info = safe_str(environ['PATH_INFO'].encode('latin1'))
                     if path_info.startswith('/'): # it must
                         path_info = '/' + fix_repo_id_name(path_info[1:])
-                        environ['PATH_INFO'] = safe_bytes(path_info)
+                        environ['PATH_INFO'] = safe_bytes(path_info).decode('latin1')
                     return self.application(environ, start_response)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages