From ec7170ea423896e60c8d6b77da40f7d118add12e Mon Sep 17 00:00:00 2001
From: s3lph
Date: Mon, 3 Feb 2020 23:58:25 +0100
Subject: [PATCH 1/7] CI Hotfix
---
 .gitlab-ci.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 933cf08..c67adf4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -46,7 +46,7 @@ build_docker:
 build_wheel:
 stage: build
 script:
- - python3.6 setup.py egg_info bdist_wheel
+ - python3.7 setup.py egg_info bdist_wheel
 - cd dist
 - sha256sum *.whl > SHA256SUMS
 artifacts:
@@ -71,16 +71,16 @@ build_debian:
 - gzip -9n package/debian/matemat/usr/share/doc/matemat/changelog
 - cp -r static/ package/debian/matemat/usr/lib/matemat/static/
 - cp -r templates/ package/debian/matemat/usr/lib/matemat/templates/
- - python3.6 setup.py egg_info install --root=package/debian/matemat/ --prefix=/usr --optimize=1
+ - python3.7 setup.py egg_info install --root=package/debian/matemat/ --prefix=/usr --optimize=1
 - cd package/debian
 - mkdir -p matemat/usr/lib/python3/dist-packages/
- - rsync -a matemat/usr/lib/python3.6/site-packages/ matemat/usr/lib/python3/dist-packages/
- - rm -rf matemat/usr/lib/python3.6/
+ - rsync -a matemat/usr/lib/python3.7/site-packages/ matemat/usr/lib/python3/dist-packages/
+ - rm -rf matemat/usr/lib/python3.7/
 - find matemat/usr/lib/python3/dist-packages -name __pycache__ -exec rm -r {} \; 2>/dev/null || true
 - find matemat/usr/lib/python3/dist-packages -name '*.pyc' -exec rm {} \;
 - mv matemat/usr/bin/matemat matemat/usr/lib/matemat/matemat
 - rm -rf matemat/usr/bin
- - sed -re 's$#!/usr/local/bin/python3.6$#!/usr/bin/python3$' -i matemat/usr/lib/matemat/matemat
+ - sed -re 's$#!/usr/local/bin/python3.7$#!/usr/bin/python3$' -i matemat/usr/lib/matemat/matemat
 - find matemat -type f -exec chmod 0644 {} \;
 - find matemat -type d -exec chmod 755 {} \;
 - chmod +x matemat/usr/lib/matemat/matemat matemat/DEBIAN/postinst matemat/DEBIAN/prerm matemat/DEBIAN/postrm
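Review bot: The `sed` shebang rewrite in build_debian (second hunk of .gitlab-ci.yml, PATCH 1/7) changes nothing and still exits 0 when the installed script's first line is not exactly `#!/usr/local/bin/python3.7`, so an interpreter mismatch like the one this hotfix corrects would ship a package with the wrong shebang without failing the job. A check right after the `sed` line would catch it, for example `- head -n1 matemat/usr/lib/matemat/matemat | grep -qx '#!/usr/bin/python3'`. The interpreter version is also repeated in five commands across both hunks; a job variable would make the next bump a single edit.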
From 50815a2c747899727c2d3dfb1b1d4cec4db68d3f Mon Sep 17 00:00:00 2001
From: s3lph
Date: Tue, 4 Feb 2020 00:07:10 +0100
Subject: [PATCH 2/7] Hotfix: Typo in Arch Linux dependency
---
 package/archlinux/PKGBUILD | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/archlinux/PKGBUILD b/package/archlinux/PKGBUILD
index 644b974..134227e 100644
--- a/package/archlinux/PKGBUILD
+++ b/package/archlinux/PKGBUILD
@@ -12,7 +12,7 @@ licence=('MIT')
 depends=(
 'python'
- 'ptyhon-bottle'
+ 'python-bottle'
 'python-jinja'
 'python-pillow'
 'python-magic'
From 6cf47d62f10d58a7e15fc088015c5df88cea1aa3 Mon Sep 17 00:00:00 2001
From: s3lph
Date: Tue, 4 Feb 2020 00:17:07 +0100
Subject: [PATCH 3/7] Some more hotfixes
---
 .gitlab-ci.yml | 2 +-
 package/archlinux/PKGBUILD | 2 +-
 package/debian/matemat/DEBIAN/control | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c67adf4..06a3c1c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -99,7 +99,7 @@ build_archlinux:
 stage: build
 image: archlinux/base:latest # Use an archlinux image instead of the customized debian image.
 script:
- - pacman -Sy --noconfirm python python-setuptools python-pip python-wheel python-jinja python-pillow python-magic base-devel
+ - pacman -Sy --noconfirm python python-setuptools python-pip python-wheel python-bottle python-jinja python-pillow python-magic base-devel
 - export MATEMAT_VERSION=$(python -c 'import matemat; print(matemat.__version__)')
 - cp -r static/ package/archlinux/matemat/usr/lib/matemat/static/
 - cp -r templates/ package/archlinux/matemat/usr/lib/matemat/templates/
diff --git a/package/archlinux/PKGBUILD b/package/archlinux/PKGBUILD
index 134227e..fc7af45 100644
--- a/package/archlinux/PKGBUILD
+++ b/package/archlinux/PKGBUILD
@@ -2,7 +2,7 @@
 # Maintainer: s3lph
 pkgname=matemat
-pkgver=0.1
+pkgver=0.2
 pkgrel=1
 arch=('any')
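Review bot: The changed `pacman` line in build_archlinux (.gitlab-ci.yml, PATCH 3/7) still installs with `-Sy`, which refreshes the package databases without upgrading what the image already contains; on Arch that is a partial upgrade, and newly installed packages such as `python-bottle` may expect newer libraries than the image carries. Because the job also pulls `archlinux/base:latest`, the outcome depends on how old the image is on the day of the build. Using `pacman -Syu --noconfirm …` with the same package list avoids that. The job's script continues past the end of the hunk.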
diff --git a/package/debian/matemat/DEBIAN/control b/package/debian/matemat/DEBIAN/control
index ae7a111..0b99949 100644
--- a/package/debian/matemat/DEBIAN/control
+++ b/package/debian/matemat/DEBIAN/control
@@ -1,5 +1,5 @@
 Package: matemat
-Version: 0.1
+Version: 0.2
 Maintainer: s3lph
 Section: web
 Priority: optional
From 9d959eecc39990a2774f18dac97e3e50093ecbd8 Mon Sep 17 00:00:00 2001
From: s3lph
Date: Tue, 4 Feb 2020 18:03:20 +0100
Subject: [PATCH 4/7] Hotfix: Properly parse config files
---
 matemat/__main__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/matemat/__main__.py b/matemat/__main__.py
index 5da5ea8..22043dd 100644
--- a/matemat/__main__.py
+++ b/matemat/__main__.py
@@ -7,7 +7,7 @@ import bottle
 from matemat.db import MatematDatabase
 from matemat.webserver import cron
 from matemat.webserver.logger import Logger
-from matemat.webserver.config import get_config, parse_config_file
+from matemat.webserver.config import get_config, get_app_config, parse_config_file
 from matemat.webserver.template import init as template_init
 # Those imports are actually needed, as they implicitly register pagelets.
@@ -75,7 +75,7 @@ def main():
 config = get_config()
- _init(config)
+ _init(get_app_config())
 host: str = config['listen']
 port: int = int(str(config['port']))
From 357afcd21b4ec7877fc96202026cf953caa09208 Mon Sep 17 00:00:00 2001
From: s3lph
Date: Tue, 4 Feb 2020 18:19:57 +0100
Subject: [PATCH 5/7] Fix: Properly load config
---
 CHANGELOG.md | 13 ++++++++++
 matemat/__init__.py | 2 +-
 matemat/__main__.py | 36 +++++++++++++--------------
 package/archlinux/PKGBUILD | 2 +-
 package/debian/matemat/DEBIAN/control | 2 +-
 5 files changed, 34 insertions(+), 21 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9a2aed..20873ea 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Matemat Changelog
+
+## Version 0.2.1
+
+Hotfix release
+
+### Changes
+
+
+- Fix: Properly load config
+
+
+
+
 ## Version 0.2
diff --git a/matemat/__init__.py b/matemat/__init__.py
index c1ae7f9..34395d3 100644
--- a/matemat/__init__.py
+++ b/matemat/__init__.py
@@ -1,2 +1,2 @@
-__version__ = '0.2'
+__version__ = '0.2.1'
diff --git a/matemat/__main__.py b/matemat/__main__.py
index 22043dd..a5cbe0b 100644
--- a/matemat/__main__.py
+++ b/matemat/__main__.py
@@ -18,41 +18,41 @@ from matemat.webserver.pagelets import *
 def _init(config: Dict[str, Any]):
 logger = Logger.instance()
 # Set default values for missing config items
- if 'InstanceName' not in config:
- config['InstanceName'] = 'Matemat'
+ if 'InstanceName' not in config['pagelet_variables']:
+ config['pagelet_variables']['InstanceName'] = 'Matemat'
 logger.warning('Property \'InstanceName\' not set, using \'Matemat\'')
- if 'UploadDir' not in config:
- config['UploadDir'] = './static/upload/'
+ if 'UploadDir' not in config['pagelet_variables']:
+ config['pagelet_variables']['UploadDir'] = './static/upload/'
 logger.warning('Property \'UploadDir\' not set, using \'./static/upload/\'')
- if 'DatabaseFile' not in config:
- config['DatabaseFile'] = './matemat.db'
+ if 'DatabaseFile' not in config['pagelet_variables']:
+ config['pagelet_variables']['DatabaseFile'] = './matemat.db'
 logger.warning('Property \'DatabaseFile\' not set, using \'./matemat.db\'')
- if 'SmtpSendReceipts' not in config:
- config['SmtpSendReceipts'] = '0'
+ if 'SmtpSendReceipts' not in config['pagelet_variables']:
+ config['pagelet_variables']['SmtpSendReceipts'] = '0'
 logger.warning('Property \'SmtpSendReceipts\' not set, using \'0\'')
- if config['SmtpSendReceipts'] == '1':
- if 'SmtpFrom' not in config:
+ if config['pagelet_variables']['SmtpSendReceipts'] == '1':
+ if 'SmtpFrom' not in config['pagelet_variables']:
 logger.fatal('\'SmtpSendReceipts\' set to \'1\', but \'SmtpFrom\' missing.')
 raise KeyError()
- if 'SmtpSubj' not in config:
+ if 'SmtpSubj' not in config['pagelet_variables']:
 logger.fatal('\'SmtpSendReceipts\' set to \'1\', but \'SmtpSubj\' missing.')
 raise KeyError()
- if 'SmtpHost' not in config:
+ if 'SmtpHost' not in config['pagelet_variables']:
 logger.fatal('\'SmtpSendReceipts\' set to \'1\', but \'SmtpHost\' missing.')
 raise KeyError()
- if 'SmtpPort' not in config:
+ if 'SmtpPort' not in config['pagelet_variables']:
 logger.fatal('\'SmtpSendReceipts\' set to \'1\', but \'SmtpPort\' missing.')
 raise KeyError()
- if 'SmtpUser' not in config:
+ if 'SmtpUser' not in config['pagelet_variables']:
 logger.fatal('\'SmtpSendReceipts\' set to \'1\', but \'SmtpUser\' missing.')
 raise KeyError()
- if 'SmtpPass' not in config:
+ if 'SmtpPass' not in config['pagelet_variables']:
 logger.fatal('\'SmtpSendReceipts\' set to \'1\', but \'SmtpPass\' missing.')
 raise KeyError()
- if 'SmtpEnforceTLS' not in config:
+ if 'SmtpEnforceTLS' not in config['pagelet_variables']:
 config['SmtpEnforceTLS'] = '1'
 logger.warning('Property \'SmtpEnforceTLS\' not set, using \'1\'')
- with MatematDatabase(config['DatabaseFile']):
+ with MatematDatabase(config['pagelet_variables']['DatabaseFile']):
 # Connect to the database to create it and perform any schema migrations
 pass
 # Initialize Jinaj2 template system
@@ -75,7 +75,7 @@ def main():
 config = get_config()
- _init(get_app_config())
+ _init(config)
 host: str = config['listen']
 port: int = int(str(config['port']))
diff --git a/package/archlinux/PKGBUILD b/package/archlinux/PKGBUILD
index fc7af45..72723b0 100644
--- a/package/archlinux/PKGBUILD
+++ b/package/archlinux/PKGBUILD
@@ -2,7 +2,7 @@
 # Maintainer: s3lph
 pkgname=matemat
-pkgver=0.2
+pkgver=0.2.1
 pkgrel=1
 arch=('any')
diff --git a/package/debian/matemat/DEBIAN/control b/package/debian/matemat/DEBIAN/control
index 0b99949..da86517 100644
--- a/package/debian/matemat/DEBIAN/control
+++ b/package/debian/matemat/DEBIAN/control
@@ -1,5 +1,5 @@
 Package: matemat
-Version: 0.2
+Version: 0.2.1
 Maintainer: s3lph
 Section: web
 Priority: optional
From 5cee6e1d22d3e91c9c531ef1705bb4674a6ca28f Mon Sep 17 00:00:00 2001
From: s3lph
Date: Tue, 4 Feb 2020 18:39:28 +0100
Subject: [PATCH 6/7] Fix: Sessions were shared between clients
---
 CHANGELOG.md | 13 +++++++++++++
 matemat/__init__.py | 2 +-
 matemat/webserver/session/sessions.py | 4 +++-
 package/archlinux/PKGBUILD | 2 +-
 package/debian/matemat/DEBIAN/control | 2 +-
 5 files changed, 19 insertions(+), 4 deletions(-)
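Review bot: In `_init` (first hunk of matemat/__main__.py, PATCH 5/7) the `SmtpEnforceTLS` default is still written to the top level of the dict: the test was changed to `config['pagelet_variables']`, but the unchanged line after it remains `config['SmtpEnforceTLS'] = '1'`. When the option is absent the log reports that '1' is being used while `pagelet_variables` never receives the key, so code that reads it from there (presumably the receipt mailer, which is not shown) will not see TLS enforcement switched on by this default. The assignment should match the other defaults: `config['pagelet_variables']['SmtpEnforceTLS'] = '1'`. Separately, `config['pagelet_variables']` is indexed without a guard, so unless `get_config()` always creates that section a configuration lacking it fails with a bare KeyError before any of the messages are logged.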
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20873ea..53a9c59 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Matemat Changelog
+
+## Version 0.2.1
+
+Security fix release
+
+### Changes
+
+
+- Fix: Sessions were shared between clients
+
+
+
+
 ## Version 0.2.1
diff --git a/matemat/__init__.py b/matemat/__init__.py
index 34395d3..954cb1c 100644
--- a/matemat/__init__.py
+++ b/matemat/__init__.py
@@ -1,2 +1,2 @@
-__version__ = '0.2.1'
+__version__ = '0.2.2'
diff --git a/matemat/webserver/session/sessions.py b/matemat/webserver/session/sessions.py
index 55f0549..6b5aad3 100644
--- a/matemat/webserver/session/sessions.py
+++ b/matemat/webserver/session/sessions.py
@@ -23,10 +23,12 @@ def start() -> str:
 # Reference date for session timeout
 now = datetime.utcnow()
 # Read the client's session ID, if any
- session_id = str(request.get_cookie(_COOKIE_NAME, secret=__key))
+ session_id = request.get_cookie(_COOKIE_NAME, secret=__key)
 # If there is no active session, create a new session ID
 if session_id is None:
 session_id = str(uuid4())
+ else:
+ session_id = str(session_id)
 # Check for session timeout
 if session_id in __session_vars and __session_vars[session_id][0] < now:
diff --git a/package/archlinux/PKGBUILD b/package/archlinux/PKGBUILD
index 72723b0..18e7dc5 100644
--- a/package/archlinux/PKGBUILD
+++ b/package/archlinux/PKGBUILD
@@ -2,7 +2,7 @@
 # Maintainer: s3lph
 pkgname=matemat
-pkgver=0.2.1
+pkgver=0.2.2
 pkgrel=1
 arch=('any')
diff --git a/package/debian/matemat/DEBIAN/control b/package/debian/matemat/DEBIAN/control
index da86517..eb52b4c 100644
--- a/package/debian/matemat/DEBIAN/control
+++ b/package/debian/matemat/DEBIAN/control
@@ -1,5 +1,5 @@
 Package: matemat
-Version: 0.2.1
+Version: 0.2.2
 Maintainer: s3lph
 Section: web
 Priority: optional
From 6026f21a60f1b2563bef2df817efed5abe6b7992 Mon Sep 17 00:00:00 2001
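Review bot: Nothing in `start()` (matemat/webserver/session/sessions.py, PATCH 6/7) records why the `None` test has to come before the `str()` call, which makes the shared-session bug easy to reintroduce during a later cleanup. A comment above the cookie read would do, e.g. `# Do not wrap in str(): str(None) is 'None', a valid key that every cookie-less client would share`, together with a test that two requests without a cookie receive different IDs. The signed cookie is the only thing authenticating the ID, so it is worth confirming that `__key`, which is defined outside the hunk, is random per installation and not a constant. `start()` begins and ends outside the hunk.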
From: s3lph
Date: Wed, 5 Feb 2020 00:34:22 +0100
Subject: [PATCH 7/7] Fix: Session timeout lead to 500 error
---
 CHANGELOG.md | 15 ++++++++++++++-
 matemat/__init__.py | 2 +-
 matemat/webserver/session/sessions.py | 3 ++-
 package/archlinux/PKGBUILD | 2 +-
 package/debian/matemat/DEBIAN/control | 2 +-
 5 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 53a9c59..3569157 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,20 @@
 # Matemat Changelog
+
+## Version 0.2.3
+
+Bugfix fix release
+
+### Changes
+
+
+- Fix: Session timeout lead to 500 error
+
+
+
+
-## Version 0.2.1
+## Version 0.2.2
 Security fix release
diff --git a/matemat/__init__.py b/matemat/__init__.py
index 954cb1c..12dad7e 100644
--- a/matemat/__init__.py
+++ b/matemat/__init__.py
@@ -1,2 +1,2 @@
-__version__ = '0.2.2'
+__version__ = '0.2.3'
diff --git a/matemat/webserver/session/sessions.py b/matemat/webserver/session/sessions.py
index 6b5aad3..a3d3672 100644
--- a/matemat/webserver/session/sessions.py
+++ b/matemat/webserver/session/sessions.py
@@ -33,7 +33,8 @@ def start() -> str:
 # Check for session timeout
 if session_id in __session_vars and __session_vars[session_id][0] < now:
 end(session_id)
- raise TimeoutError('Session timed out.')
+ # Create new session ID after terminating the previous session
+ session_id = str(uuid4())
 # Update or initialize the session timeout
 if session_id not in __session_vars:
 __session_vars[session_id] = (now + timedelta(seconds=_SESSION_TIMEOUT)), dict()
diff --git a/package/archlinux/PKGBUILD b/package/archlinux/PKGBUILD
index 18e7dc5..68994c7 100644
--- a/package/archlinux/PKGBUILD
+++ b/package/archlinux/PKGBUILD
@@ -2,7 +2,7 @@
 # Maintainer: s3lph
 pkgname=matemat
-pkgver=0.2.2
+pkgver=0.2.3
 pkgrel=1
 arch=('any')
diff --git a/package/debian/matemat/DEBIAN/control b/package/debian/matemat/DEBIAN/control
index eb52b4c..ad4b86d 100644
--- a/package/debian/matemat/DEBIAN/control
+++ b/package/debian/matemat/DEBIAN/control
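Review bot: Only the timeout branch of `start()` (matemat/webserver/session/sessions.py, PATCH 7/7) issues a fresh ID; a cookie that verifies but names an ID the server no longer holds still reaches `if session_id not in __session_vars:` and is adopted as the key of the new session. That can happen if `end()` removes the entry or, if `__session_vars` is an in-process dict as it appears, after a restart, so a client can keep or be handed an ID the server did not generate for this session. Adding `session_id = str(uuid4())` as the first statement of that branch means unknown IDs are never reused, and it also covers the timeout case. Whether the ID is rotated at login is not visible here and is worth checking as the main defence against session fixation. `start()` continues past the end of the hunk.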
@@ -1,5 +1,5 @@
 Package: matemat
-Version: 0.2.2
+Version: 0.2.3
 Maintainer: s3lph
 Section: web
 Priority: optional