Merge lp:~leonardr/launchpadlib/529348-fix into lp:launchpadlib

Proposed by Leonard Richardson
Status: Merged
Approved by: Gary Poster
Approved revision: 86
Merged at revision: not available
Proposed branch: lp:~leonardr/launchpadlib/529348-fix
Merge into: lp:launchpadlib
Diff against target: 71 lines (+15/-5)
3 files modified
src/launchpadlib/NEWS.txt (+7/-0)
src/launchpadlib/__init__.py (+1/-1)
src/launchpadlib/credentials.py (+7/-4)
To merge this branch: bzr merge lp:~leonardr/launchpadlib/529348-fix
Reviewer: Gary Poster
Review status: Approve
Review via email: mp+21494@code.launchpad.net

Description of the change

This branch ensures that when launchpadlib communicates with the Launchpad website (as opposed to the web service), it always sets the Referer header. In a very long time (once the versions of Ubuntu containing earlier versions of launchpadlib are at end-of-life) this will let us get rid of special hacks allowing clients to POST to certain URLs without specifying the Referer header.

Gary Poster (gary) :
review: Approve
Gary Poster (gary) wrote :

gary_poster: leonardr: do I understand correctly that this will change nothing about the change needed now for 529348 in launchpad, because of legacy?
leonardr: gary: yes, this is 1) to get the tests passing, and 2) to simplify the 529348 fix a little bit many years from now
gary_poster: leonardr: right. Getting the test to pass this way is expedient. We actually have an explicit test to show the hack needed in launchpad. Understood. Approving branch.

Preview Diff

=== modified file 'src/launchpadlib/NEWS.txt'
--- src/launchpadlib/NEWS.txt 2010-03-04 19:28:37 +0000
+++ src/launchpadlib/NEWS.txt 2010-03-16 21:22:17 +0000
@@ -2,6 +2,13 @@
2NEWS for launchpadlib2NEWS for launchpadlib
3=====================3=====================
44
51.5.7 (2010-03-16)
6==================
7
8- Send a Referer header whenever making requests to the Launchpad
9 website (as opposed to the web service) to avoid falling afoul of
10 new cross-site-request-forgery countermeasures.
11
51.5.6 (2010-03-04)121.5.6 (2010-03-04)
6==================13==================
714
815
=== modified file 'src/launchpadlib/__init__.py'
--- src/launchpadlib/__init__.py 2010-03-03 18:38:17 +0000
+++ src/launchpadlib/__init__.py 2010-03-16 21:22:17 +0000
@@ -14,4 +14,4 @@
14# You should have received a copy of the GNU Lesser General Public License14# You should have received a copy of the GNU Lesser General Public License
15# along with launchpadlib. If not, see <http://www.gnu.org/licenses/>.15# along with launchpadlib. If not, see <http://www.gnu.org/licenses/>.
1616
17__version__ = '1.5.6'17__version__ = '1.5.7'
1818
=== modified file 'src/launchpadlib/credentials.py'
--- src/launchpadlib/credentials.py 2009-12-17 16:52:54 +0000
+++ src/launchpadlib/credentials.py 2010-03-16 21:22:17 +0000
@@ -92,7 +92,7 @@
92 oauth_signature_method='PLAINTEXT',92 oauth_signature_method='PLAINTEXT',
93 oauth_signature='&')93 oauth_signature='&')
94 url = web_root + request_token_page94 url = web_root + request_token_page
95 headers = {}95 headers = {'Referer' : web_root}
96 if token_format == self.DICT_TOKEN_FORMAT:96 if token_format == self.DICT_TOKEN_FORMAT:
97 headers['Accept'] = 'application/json'97 headers['Accept'] = 'application/json'
98 response, content = httplib2.Http().request(98 response, content = httplib2.Http().request(
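Review bot: the new `headers = {'Referer' : web_root}` at line 95 has no accompanying test in this diff (the three modified files are NEWS.txt, __init__.py and credentials.py), so a later edit that drops the header from the request-token request would only surface against a Launchpad instance that enforces the cross-site-request-forgery check. Suggest a unit test that replaces httplib2.Http().request with a stub and asserts that the Referer it receives equals web_root.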
@@ -135,8 +135,9 @@
135 oauth_token=self._request_token.key,135 oauth_token=self._request_token.key,
136 oauth_signature='&%s' % self._request_token.secret)136 oauth_signature='&%s' % self._request_token.secret)
137 url = web_root + access_token_page137 url = web_root + access_token_page
138 headers = {'Referer' : web_root}
138 response, content = httplib2.Http().request(139 response, content = httplib2.Http().request(
139 url, method='POST', body=urlencode(params))140 url, method='POST', headers=headers, body=urlencode(params))
140 if response.status != 200:141 if response.status != 200:
141 raise HTTPError(response, content)142 raise HTTPError(response, content)
142 self.access_token = AccessToken.from_string(content)143 self.access_token = AccessToken.from_string(content)
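Review bot: the access-token POST at lines 138-140 now passes a headers dict, but that dict holds only Referer while the body is `urlencode(params)`; grant_access further down sets `'Content-type' : 'application/x-www-form-urlencoded'` explicitly for its form body. If the website relies on that header to parse the form, add it here as well so both POSTs describe their body the same way.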
@@ -215,7 +216,8 @@
215 # We can't use httplib2's add_credentials, because Launchpad216 # We can't use httplib2's add_credentials, because Launchpad
216 # doesn't respond to credential-less access with a 401217 # doesn't respond to credential-less access with a 401
217 # response code.218 # response code.
218 headers = {'Accept' : 'application/json'}219 headers = {'Accept' : 'application/json',
220 'Referer' : self.web_root}
219 headers['Authorization'] = self._auth_header(username, password)221 headers['Authorization'] = self._auth_header(username, password)
220 response, content = self.http.request(url, headers=headers)222 response, content = self.http.request(url, headers=headers)
221 # Detect common error conditions and set the response code223 # Detect common error conditions and set the response code
@@ -232,7 +234,8 @@
232 def grant_access(self, username, password, request_token, access_level,234 def grant_access(self, username, password, request_token, access_level,
233 context=None):235 context=None):
234 """Grant a level of access to an application on behalf of a user."""236 """Grant a level of access to an application on behalf of a user."""
235 headers = {'Content-type' : 'application/x-www-form-urlencoded'}237 headers = {'Content-type' : 'application/x-www-form-urlencoded',
238 'Referer' : self.web_root}
236 headers['Authorization'] = self._auth_header(username, password)239 headers['Authorization'] = self._auth_header(username, password)
237 body = "oauth_token=%s&field.actions.%s=True" % (240 body = "oauth_token=%s&field.actions.%s=True" % (
238 quote(request_token), quote(access_level))241 quote(request_token), quote(access_level))
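Review bot: `'Referer' : self.web_root` in grant_access is the fourth hand-written copy of this header in credentials.py, after the request-token request, the access-token POST and the hunk at line 219, so the next website-facing request added to this module can omit it and fail the cross-site-request-forgery check described in NEWS.txt. Suggest building the base headers in one helper or constant and having each call site extend it.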
