Merge lp:~leonardr/launchpadlib/529348-fix into lp:launchpadlib

Proposed by Leonard Richardson
Status: Merged
Approved by: Gary Poster
Approved revision: 86
Merged at revision: not available
Proposed branch: lp:~leonardr/launchpadlib/529348-fix
Merge into: lp:launchpadlib
Diff against target: 71 lines (+15/-5)
3 files modified
src/launchpadlib/NEWS.txt (+7/-0)
src/launchpadlib/__init__.py (+1/-1)
src/launchpadlib/credentials.py (+7/-4)
To merge this branch: bzr merge lp:~leonardr/launchpadlib/529348-fix
Reviewer: Gary Poster, Status: Approve
Review via email: mp+21494@code.launchpad.net

Description of the change

This branch ensures that when launchpadlib communicates with the Launchpad website (as opposed to the web service), it always sets the Referer header. In a very long time (once the versions of Ubuntu containing earlier versions of launchpadlib are at end-of-life) this will let us get rid of special hacks allowing clients to POST to certain URLs without specifying the Referer header.
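The description refers to Referer-based cross-site request forgery countermeasures on the Launchpad website. The following is an added example, not launchpadlib's or Launchpad's own code: a client-side helper that builds the headers the way the branch does (Referer set to the web root, optionally merged with other headers), next to the kind of server-side check such a countermeasure performs, comparing the Referer's scheme and host to the site's own. The web root value and the request names are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed placeholder for a site root; not a real Launchpad URL.
WEB_ROOT = "https://launchpad.example/"


def referer_headers(web_root, extra=None):
    """Build request headers for a website request, as the branch does:
    the Referer is always the web root; other headers are merged in."""
    headers = {"Referer": web_root}
    if extra:
        headers.update(extra)
    return headers


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def referer_allowed(headers, web_root):
    """Server-side CSRF check in the spirit of the countermeasure described:
    a state-changing request is accepted only if it carries a Referer whose
    scheme and host match the site's own web root. A missing Referer is
    rejected, as is one pointing at another origin or a different scheme."""
    referer = _header(headers, "Referer")
    if not referer:
        return False
    expected = urlparse(web_root)
    got = urlparse(referer)
    return (got.scheme.lower() == expected.scheme.lower()
            and got.netloc.lower() == expected.netloc.lower())


if __name__ == "__main__":
    # Constructed requests: one built like the branch, one without Referer,
    # and one with a Referer from another origin.
    good = referer_headers(WEB_ROOT, {"Accept": "application/json"})
    print("branch-style request accepted:", referer_allowed(good, WEB_ROOT))
    print("no Referer accepted:", referer_allowed({}, WEB_ROOT))
    print("foreign Referer accepted:",
          referer_allowed({"Referer": "https://other.example/"}, WEB_ROOT))
```

Note that the check compares only scheme and host, so a Referer naming any page under the web root (such as a login page) passes, which is what a client sending `web_root` itself relies on; a client or proxy that strips Referer entirely is rejected, which is exactly the situation the branch avoids by always setting it.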

Gary Poster (gary) :
review: Approve
Gary Poster (gary) wrote :

gary_poster: leonardr: do I understand correctly that this will change nothing about the change needed now for 529348 in launchpad, because of legacy?
leonardr: gary: yes, this is 1) to get the tests passing, and 2) to simplify the 529348 fix a little bit many years from now
gary_poster: leonardr: right. Getting the test to pass this way is expedient. We actually have an explicit test to show the hack needed in launchpad. Understood. Approving branch.

Preview Diff

1=== modified file 'src/launchpadlib/NEWS.txt'
2--- src/launchpadlib/NEWS.txt 2010-03-04 19:28:37 +0000
3+++ src/launchpadlib/NEWS.txt 2010-03-16 21:22:17 +0000
4@@ -2,6 +2,13 @@
5 NEWS for launchpadlib
6 =====================
7
8+1.5.7 (2010-03-16)
9+==================
10+
11+- Send a Referer header whenever making requests to the Launchpad
12+ website (as opposed to the web service) to avoid falling afoul of
13+ new cross-site-request-forgery countermeasures.
14+
15 1.5.6 (2010-03-04)
16 ==================
17
18
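Review bot: The entry says why the Referer is sent but not what value it carries; stating that it is set to the configured web root (`web_root`, as the credentials.py changes do) would help users whose proxies or privacy settings strip Referer, since those clients will still be rejected by the countermeasures. Minor wording: "cross-site-request-forgery" is conventionally written "cross-site request forgery" (CSRF).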
19=== modified file 'src/launchpadlib/__init__.py'
20--- src/launchpadlib/__init__.py 2010-03-03 18:38:17 +0000
21+++ src/launchpadlib/__init__.py 2010-03-16 21:22:17 +0000
22@@ -14,4 +14,4 @@
23 # You should have received a copy of the GNU Lesser General Public License
24 # along with launchpadlib. If not, see <http://www.gnu.org/licenses/>.
25
26-__version__ = '1.5.6'
27+__version__ = '1.5.7'
28
29=== modified file 'src/launchpadlib/credentials.py'
30--- src/launchpadlib/credentials.py 2009-12-17 16:52:54 +0000
31+++ src/launchpadlib/credentials.py 2010-03-16 21:22:17 +0000
32@@ -92,7 +92,7 @@
33 oauth_signature_method='PLAINTEXT',
34 oauth_signature='&')
35 url = web_root + request_token_page
36- headers = {}
37+ headers = {'Referer' : web_root}
38 if token_format == self.DICT_TOKEN_FORMAT:
39 headers['Accept'] = 'application/json'
40 response, content = httplib2.Http().request(
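Review bot: Style point on the new `headers = {'Referer' : web_root}` line: PEP 8 puts no space before the colon (`{'Referer': web_root}`), and the same literal is now repeated at four request sites in this file. A small helper returning the base headers for website requests (for example a hypothetical `_website_headers()` that callers extend with Accept or Content-type) would keep the sites consistent and make it harder to forget the Referer when another website endpoint is added.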
41@@ -135,8 +135,9 @@
42 oauth_token=self._request_token.key,
43 oauth_signature='&%s' % self._request_token.secret)
44 url = web_root + access_token_page
45+ headers = {'Referer' : web_root}
46 response, content = httplib2.Http().request(
47- url, method='POST', body=urlencode(params))
48+ url, method='POST', headers=headers, body=urlencode(params))
49 if response.status != 200:
50 raise HTTPError(response, content)
51 self.access_token = AccessToken.from_string(content)
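Review bot: The request call now passes `headers=headers`, but nothing in this diff asserts that the Referer is actually sent. The description says the branch gets the tests passing and the review discussion places the explicit test in Launchpad itself, so a launchpadlib-side test that captures the headers handed to `httplib2.Http().request` would keep these four sites from regressing independently of Launchpad's tree.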
52@@ -215,7 +216,8 @@
53 # We can't use httplib2's add_credentials, because Launchpad
54 # doesn't respond to credential-less access with a 401
55 # response code.
56- headers = {'Accept' : 'application/json'}
57+ headers = {'Accept' : 'application/json',
58+ 'Referer' : self.web_root}
59 headers['Authorization'] = self._auth_header(username, password)
60 response, content = self.http.request(url, headers=headers)
61 # Detect common error conditions and set the response code
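Review bot: Minor: Referer has been folded into the dict literal, but Authorization is still added by mutation on the following line (`headers['Authorization'] = ...`); building the whole dict in one place would read more uniformly, and the same PEP 8 spacing point (`'Referer': self.web_root`) applies to the continuation line.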
62@@ -232,7 +234,8 @@
63 def grant_access(self, username, password, request_token, access_level,
64 context=None):
65 """Grant a level of access to an application on behalf of a user."""
66- headers = {'Content-type' : 'application/x-www-form-urlencoded'}
67+ headers = {'Content-type' : 'application/x-www-form-urlencoded',
68+ 'Referer' : self.web_root}
69 headers['Authorization'] = self._auth_header(username, password)
70 body = "oauth_token=%s&field.actions.%s=True" % (
71 quote(request_token), quote(access_level))
