Merge lp:~gmb/maas/login-form-auto-complete-bug-1298781 into lp:~maas-committers/maas/trunk

Proposed by Graham Binns
Status: Merged
Approved by: Graham Binns
Approved revision: no longer in the source branch.
Merged at revision: 2233
Proposed branch: lp:~gmb/maas/login-form-auto-complete-bug-1298781
Merge into: lp:~maas-committers/maas/trunk
Diff against target: 99 lines (+31/-9)
5 files modified
docs/conf.py (+2/-0)
src/maasserver/context_processors.py (+2/-1)
src/maasserver/templates/registration/login.html (+6/-1)
src/maasserver/views/tests/test_account.py (+19/-1)
src/provisioningserver/custom_hardware/seamicro.py (+2/-6)
To merge this branch: bzr merge lp:~gmb/maas/login-form-auto-complete-bug-1298781
Reviewer Review Type Date Requested Status
Jeroen T. Vermeulen (community) Approve
Review via email: mp+213598@code.launchpad.net

Commit message

Turn autocomplete off for the login form when not running in debug mode. Previously autocomplete was always on, which Netcraft has warned against.

Revision history for this message
Jeroen T. Vermeulen (jtv) wrote :

It'd be nice to have the reason for this tweak embedded in the code somewhere, so that future readers won't think it frivolous.

review: Approve

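--- a/docs/conf.py
+++ b/docs/conf.py
@@ -13,6 +13,8 @@
 
 # Import maas' settings.
 from os import environ
+
+
 environ.setdefault("DJANGO_SETTINGS_MODULE", "maas.settings")
 
 # If extensions (or modules to document with autodoc) are in another directory,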
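--- a/src/maasserver/context_processors.py
+++ b/src/maasserver/context_processors.py
@@ -80,5 +80,6 @@
 ],
 'global_options': {
 'site_name': Config.objects.get_config('maas_name'),
-}
+},
+'debug': settings.DEBUG,
 }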
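Review bot: The new `'debug'` key uses the same variable name that Django's own `django.core.context_processors.debug` processor injects into templates, so if MAAS enables both, whichever processor runs last wins and the login template could see a value that depends on INTERNAL_IPS rather than on `settings.DEBUG` (which processors are enabled is not visible in this diff, so this is a risk to confirm). A more specific key such as `'debug_mode'` would remove the ambiguity; at minimum a comment should record why the setting is exposed, e.g. `# Exposed so templates can disable login-form autocomplete whenever DEBUG is off.` The enclosing function starts before this hunk.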
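--- a/src/maasserver/templates/registration/login.html
+++ b/src/maasserver/templates/registration/login.html
@@ -33,7 +33,12 @@
 <p class="form-errors">Your username and password didn't match. Please try again.</p>
 {% endif %}
 
-<form method="post" action="{% url 'login' %}">{% csrf_token %}
+{% comment %}
+We turn off autocompletion of the login form in production
+environments. Autocompletion, in combination with cross-site scripting
+attacks, can potentially allow remote attackers to steal credentials.
+{% endcomment %}
+<form method="post" {% if not debug %}autocomplete="off"{% endif %} action="{% url 'login' %}">{% csrf_token %}
 <input type="hidden" name="next" value="{{ next }}" />
 <ul>
 {% for field in form %}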
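Review bot: The new template comment overstates what the attribute achieves: browser password managers may ignore `autocomplete="off"` on login fields, so this is defence in depth against autofill at best, and the actual control against credential theft through cross-site scripting remains output escaping and a restrictive Content-Security-Policy. The comment also says "production environments" while the condition on the form tag is `{% if not debug %}`, i.e. any deployment with DEBUG off, which is a different thing. Suggested wording: `Unless settings.DEBUG is on, ask the browser not to autofill the login form. This is defence in depth only: browsers may ignore autocomplete="off" for password fields, and it does not replace XSS prevention.`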
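--- a/src/maasserver/views/tests/test_account.py
+++ b/src/maasserver/views/tests/test_account.py
@@ -17,7 +17,10 @@
 from django.conf import settings
 from django.contrib.auth import SESSION_KEY
 from django.core.urlresolvers import reverse
-from lxml.html import fromstring
+from lxml.html import (
+ fromstring,
+ tostring,
+ )
 from maasserver.testing import (
 extract_redirect,
 get_content_links,
@@ -50,6 +53,21 @@
 response = self.client.get('/accounts/login/')
 self.assertEqual('/', extract_redirect(response))
 
+ def test_login_sets_autocomplete_off_in_production(self):
+ self.patch(settings, 'DEBUG', False)
+ factory.make_user()
+ response = self.client.get('/accounts/login/')
+ doc = fromstring(response.content)
+ form = doc.cssselect("form")[0]
+ self.assertIn('autocomplete="off"', tostring(form))
+
+ def test_login_sets_autocomplete_on_in_debug_mode(self):
+ self.patch(settings, 'DEBUG', True)
+ factory.make_user()
+ response = self.client.get('/accounts/login/')
+ doc = fromstring(response.content)
+ form = doc.cssselect("form")[0]
+ self.assertNotIn('autocomplete="off"', tostring(form))
 
 class TestLogout(MAASServerTestCase):
 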
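Review bot: Both new tests check the attribute by substring-matching `tostring(form)`, which is brittle: it depends on lxml's attribute quoting, and because `tostring` serialises the whole subtree it would also be satisfied by an `autocomplete="off"` on any input inside the form rather than on the form element itself. The parsed element already exposes the attribute, so `self.assertEqual('off', form.get('autocomplete'))` and `self.assertIsNone(form.get('autocomplete'))` state the intent directly and make the new `tostring` import unnecessary. The two tests also repeat their setup; a small helper that patches `DEBUG` and returns the parsed form would leave each test with a single assertion.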
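--- a/src/provisioningserver/custom_hardware/seamicro.py
+++ b/src/provisioningserver/custom_hardware/seamicro.py
@@ -24,12 +24,8 @@
 import urlparse
 
 import provisioningserver.custom_hardware.utils as utils
-from seamicroclient.v2 import (
- client as seamicro_client,
- )
-from seamicroclient import (
- exceptions as seamicro_exceptions,
- )
+from seamicroclient import exceptions as seamicro_exceptions
+from seamicroclient.v2 import client as seamicro_client
 
 
 logger = logging.getLogger(__name__)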