Hi,
I've been working on CSRF protection for zope.formlib.
I have a "csrfprotection" branch in my zope.formlib fork on github. The
changes against the current zope.formlib mainline can be found here:
https://github.com/janwijbrand/zope.formlib/compare/csrfprotection
When creating form components based on zope.formlib.form.FormBase, one
can enable this protection just by setting the attribute ``protected``
to True on the component.
This implementation is based on the following assumptions:
* We do not want to keep server-side state(!)
* An "attacker" that attempts CSRF cannot get to information stored in
cookies that are meant for the domain of the (forged) request.
* The token stored in the cookie is sufficiently random and long, to be
practically "unguessable" by the attacker.
* The form submit is deemed valid as long as the token in the cookie is
identical to a hidden input value that is part of the form submit.
My questions:
* Do you find this feature useful enough to be, in principle, included
in zope.formlib?
* I'd like to kindly request someone to review my branch and provide
feedback.
The included test cases describe a few more questions and concerns about
this implementation.
Thank you in advance!
kind regards, jw
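The stateless double-submit check jw describes, as an added example in plain Python 3 written for this page; it is not code from the csrfprotection branch or from zope.formlib. The cookie and field names, the server secret and the plain dictionaries standing in for request and response objects are assumptions. The second group of functions goes beyond the branch's description: it binds the cookie token to a server-side secret with an HMAC, which is the hardening a practitioner would add if an attacker could set (without reading) cookies for the form's domain, for example from a sibling subdomain; the check itself stays stateless.

```python
import hashlib
import hmac
import secrets

# Names below are assumptions for this example, not zope.formlib's.
COOKIE_NAME = "__csrftoken"
FIELD_NAME = "form.csrftoken"
# Hypothetical server secret for the signed variant; a real deployment
# loads it from configuration, never from source.
SERVER_SECRET = b"example-only-secret-replace-me"


def new_token() -> str:
    """32 random bytes, URL-safe base64: long enough to be unguessable."""
    return secrets.token_urlsafe(32)


# --- Plain double-submit cookie (the scheme described in the post) ---

def issue_token(response_cookies: dict) -> str:
    """Set the token as a cookie and return it for the hidden input.

    Nothing is stored server-side; the cookie is the only copy."""
    token = new_token()
    response_cookies[COOKIE_NAME] = token
    return token


def hidden_input(token: str) -> str:
    """Hidden field to render inside the protected form."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}" />'


def verify_double_submit(request_cookies: dict, form: dict) -> bool:
    """Accept the submit only if cookie and hidden field carry the same token.

    A cross-site form post carries the victim's cookie (the browser attaches
    it) but the attacker cannot read it, so they cannot fill in the field."""
    cookie_token = request_cookies.get(COOKIE_NAME)
    field_token = form.get(FIELD_NAME)
    if not cookie_token or not field_token:
        return False
    # Constant-time comparison on bytes: no timing leak, and no TypeError
    # if the submitted field contains non-ASCII characters.
    return hmac.compare_digest(cookie_token.encode("utf-8"),
                               field_token.encode("utf-8"))


# --- Signed variant: cookie = token.HMAC(secret, token) ---
# Added hardening beyond the post: an attacker who can *set* a cookie for
# the domain (but does not know SERVER_SECRET) cannot plant a matching pair.

def _mac(token: str) -> str:
    return hmac.new(SERVER_SECRET, token.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_signed_token(response_cookies: dict) -> str:
    token = new_token()
    response_cookies[COOKIE_NAME] = token + "." + _mac(token)
    return token


def verify_signed(request_cookies: dict, form: dict) -> bool:
    cookie_value = request_cookies.get(COOKIE_NAME, "")
    field_token = form.get(FIELD_NAME)
    token, sep, mac = cookie_value.partition(".")
    if not sep or not token or not field_token:
        return False
    # Check the MAC first (rejects attacker-planted cookies), then equality.
    mac_ok = hmac.compare_digest(mac.encode("utf-8"), _mac(token).encode("utf-8"))
    same = hmac.compare_digest(token.encode("utf-8"), field_token.encode("utf-8"))
    return mac_ok and same


if __name__ == "__main__":
    # Constructed round trip: server renders the form, then the browser posts it.
    cookies = {}
    token = issue_token(cookies)
    print(hidden_input(token))
    print("legitimate submit:", verify_double_submit(cookies, {FIELD_NAME: token}))
    print("forged submit:", verify_double_submit(cookies, {FIELD_NAME: new_token()}))
```

In a real response the cookie should also be set with the Secure flag so the token is never sent in clear, and the comparison must happen before any of the form's actions run.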
This is the summary for test reports received on the
zope-tests list between 2013-10-29 00:00:00 UTC and 2013-10-30 00:00:00 UTC:
See the footnotes for test reports of unsuccessful builds.
An up-to-date view of the builders is also available in our
buildbot documentation:
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds
Reports received
----------------
Successful - zopetoolkit_trunk - Build # 443
winbot / ZODB_dev py_265_win32
winbot / ZODB_dev py_265_win64
winbot / ZODB_dev py_270_win32
winbot / ZODB_dev py_270_win64
winbot / ztk_10 py_254_win32
winbot / ztk_10 py_265_win32
winbot / ztk_10 py_265_win64
winbot / ztk_11 py_254_win32
winbot / ztk_11 py_265_win32
winbot / ztk_11 py_265_win64
winbot / ztk_11 py_270_win32
winbot / ztk_11 py_270_win64
Non-OK results
--------------
This is the summary for test reports received on the
zope-tests list between 2013-10-28 00:00:00 UTC and 2013-10-29 00:00:00 UTC:
See the footnotes for test reports of unsuccessful builds.
An up-to-date view of the builders is also available in our
buildbot documentation:
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds
Reports received
----------------
Successful - zopetoolkit_trunk - Build # 442
winbot / ZODB_dev py_265_win32
winbot / ZODB_dev py_265_win64
winbot / ZODB_dev py_270_win32
winbot / ZODB_dev py_270_win64
winbot / ztk_10 py_254_win32
winbot / ztk_10 py_265_win32
winbot / ztk_10 py_265_win64
winbot / ztk_11 py_254_win32
winbot / ztk_11 py_265_win32
winbot / ztk_11 py_265_win64
winbot / ztk_11 py_270_win32
winbot / ztk_11 py_270_win64
Non-OK results
--------------
Hello list.
I'm having an issue with ZTUtils.Zope.make_query when providing Unicode
values.
Specifically, we're building search results pagination using
CMFPlone.PloneBatch.
Here's the scenario:
The search form is provided a Unicode string. The query is properly
written as "?search_text:utf8:ustring=value"
The search will return many results.
Our searchResults browser view will provide a PloneBatch object, making
it very easy to display only, for example, 30 results, then provide page
links at the bottom of the page for the next 30 results, or whatever.
These links will contain the original query string, but when they are
built using make_query(), the result is "?search_text=value"
- What follows is Unicode decode errors when the 'next' link is
followed - the search_text is marshaled as a 'str', not as a 'unicode'
The bottom line is that make_query (actually, complex_marshal &
simple_marshal) doesn't seem to apply the ':ustring' type prefix when
creating query strings.
Kind of important to us at Radio Free Asia, considering we host
Cantonese and Korean languages, for example.
This was fixed by using sys.setdefaultencoding('utf-8'), but that seems
like quite a sledgehammer fix.
----------
I have a proposed fix, branched from the master branch on Github.
Diff here: https://github.com/zopefoundation/Zope/pull/4/files
Questions:
1. Is "Master" the correct place to fork from?
2. Is it safe - at least to start - to assume utf8 encoding when
constructing query strings?
3. Dangerous idea: If simpleMarshal is passed a unicode object that
can be represented as ASCII, should we "magically" turn it into a
string? I don't like magic, but I also know it's common (and good)
practice to use unicode in ASCII-based languages, making this exercise
an overkill for those languages.
Any comments or criticisms (not too hard please!) would be appreciated!
-Flip
--
Mike McFadden
Radio Free Asia
Technical Operations Division
2025 M Street NW
Washington DC 20036 USA
This e-mail message is intended only for the use of the addressee and may contain information that is privileged and confidential. Any unauthorized dissemination, distribution or copying is strictly prohibited. If you receive this transmission in error, please contact network(a)rfa.org.
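To make the marshalling problem concrete, here is a stand-alone emulation in Python 3 of the converter convention Mike's fix relies on (`name:utf8:ustring=...`), written for this page. It is not the code of ZTUtils.make_query, complex_marshal or ZPublisher, and the converter handling is a deliberate simplification: an untagged value stays bytes, `:ustring` alone decodes with ASCII to mimic Python 2's default encoding (the thing sys.setdefaultencoding changes), and `:utf8:ustring` decodes as UTF-8. The Cantonese search term and batch offset are constructed sample input.

```python
from urllib.parse import quote, unquote_to_bytes

# Simplified emulation of ZPublisher-style ":converter" suffixes on field
# names. Example code for this page, not ZTUtils or ZPublisher itself.


def make_query(**fields) -> str:
    """Build a query string that tags text values with ':utf8:ustring'.

    Text (str) is UTF-8 encoded and its key gets the ':utf8:ustring'
    converter so the receiving side knows to decode it back to text;
    bytes pass through untagged; ints get ':int'.
    """
    parts = []
    for name, value in sorted(fields.items()):
        if isinstance(value, bool):
            raise TypeError(f"bool is not a query value: {name!r}")
        if isinstance(value, str):
            key, raw = name + ":utf8:ustring", value.encode("utf-8")
        elif isinstance(value, bytes):
            key, raw = name, value
        elif isinstance(value, int):
            key, raw = name + ":int", str(value).encode("ascii")
        else:
            raise TypeError(f"unsupported value for {name!r}: {type(value).__name__}")
        parts.append(quote(key, safe=":") + "=" + quote(raw))
    return "&".join(parts)


def unmarshal(query: str) -> dict:
    """Parse a query string, applying the converters found in each key.

    Reproduces the failure mode from the report: without a converter the
    value stays bytes; ':ustring' alone decodes with the ASCII default;
    ':utf8:ustring' decodes as UTF-8 and yields text.
    """
    result = {}
    for pair in query.lstrip("?").split("&"):
        if not pair:
            continue
        raw_key, _, raw_value = pair.partition("=")
        key = unquote_to_bytes(raw_key).decode("ascii")
        value = unquote_to_bytes(raw_value)
        name, *converters = key.split(":")
        encoding = None
        for conv in converters:
            if conv == "utf8":
                encoding = "utf-8"          # applies to the next ustring
            elif conv == "ustring":
                value = value.decode(encoding or "ascii")
            elif conv == "int":
                value = int(value)
            else:
                raise ValueError(f"unsupported converter {conv!r} on {name!r}")
        result[name] = value
    return result


def decodes_cleanly(query: str) -> bool:
    """True if unmarshal() succeeds, False if it hits a UnicodeDecodeError."""
    try:
        unmarshal(query)
    except UnicodeDecodeError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a Cantonese search term plus a batch offset.
    next_link = "?" + make_query(search_text="廣東話", b_start=30)
    print(next_link)
    print(unmarshal(next_link))
    # The untagged form the report describes: the value comes back as bytes.
    print(unmarshal("?search_text=%E5%BB%A3%E6%9D%B1%E8%A9%B1"))
    # ':ustring' without the encoding prefix fails on non-ASCII input.
    print(decodes_cleanly("search_text:ustring=%E5%BB%A3%E6%9D%B1%E8%A9%B1"))
```

Tagging every text value (rather than only those that fail ASCII, as in question 3) keeps the receiving type predictable: the same form field always arrives as text, whatever language the visitor typed.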
This is the summary for test reports received on the
zope-tests list between 2013-10-27 00:00:00 UTC and 2013-10-28 00:00:00 UTC:
See the footnotes for test reports of unsuccessful builds.
An up-to-date view of the builders is also available in our
buildbot documentation:
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds
Reports received
----------------
Successful - zopetoolkit_trunk - Build # 441
winbot / ZODB_dev py_265_win32
winbot / ZODB_dev py_265_win64
winbot / ZODB_dev py_270_win32
winbot / ZODB_dev py_270_win64
winbot / ztk_10 py_254_win32
winbot / ztk_10 py_265_win32
winbot / ztk_10 py_265_win64
winbot / ztk_11 py_254_win32
winbot / ztk_11 py_265_win32
winbot / ztk_11 py_265_win64
winbot / ztk_11 py_270_win32
winbot / ztk_11 py_270_win64
Non-OK results
--------------
This is the summary for test reports received on the
zope-tests list between 2013-10-26 00:00:00 UTC and 2013-10-27 00:00:00 UTC:
See the footnotes for test reports of unsuccessful builds.
An up-to-date view of the builders is also available in our
buildbot documentation:
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds
Reports received
----------------
Successful - zopetoolkit_trunk - Build # 440
winbot / ZODB_dev py_265_win32
winbot / ZODB_dev py_265_win64
winbot / ZODB_dev py_270_win32
winbot / ZODB_dev py_270_win64
winbot / ztk_10 py_254_win32
winbot / ztk_10 py_265_win32
winbot / ztk_10 py_265_win64
winbot / ztk_11 py_254_win32
winbot / ztk_11 py_265_win32
winbot / ztk_11 py_265_win64
winbot / ztk_11 py_270_win32
winbot / ztk_11 py_270_win64
Non-OK results
--------------
This is the summary for test reports received on the
zope-tests list between 2013-10-25 00:00:00 UTC and 2013-10-26 00:00:00 UTC:
See the footnotes for test reports of unsuccessful builds.
An up-to-date view of the builders is also available in our
buildbot documentation:
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds
Reports received
----------------
Successful - zopetoolkit_trunk - Build # 439
winbot / ztk_10 py_254_win32
winbot / ztk_10 py_265_win32
winbot / ztk_10 py_265_win64
winbot / ztk_11 py_254_win32
winbot / ztk_11 py_265_win32
winbot / ztk_11 py_265_win64
winbot / ztk_11 py_270_win32
winbot / ztk_11 py_270_win64
Non-OK results
--------------
This is the summary for test reports received on the
zope-tests list between 2013-10-24 00:00:00 UTC and 2013-10-25 00:00:00 UTC:
See the footnotes for test reports of unsuccessful builds.
An up-to-date view of the builders is also available in our
buildbot documentation:
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds
Reports received
----------------
Successful - zopetoolkit_trunk - Build # 438
winbot / ztk_10 py_254_win32
winbot / ztk_10 py_265_win32
winbot / ztk_10 py_265_win64
winbot / ztk_11 py_254_win32
winbot / ztk_11 py_265_win32
winbot / ztk_11 py_265_win64
winbot / ztk_11 py_270_win32
winbot / ztk_11 py_270_win64
Non-OK results
--------------