3 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/3e87c1b1c380/ Changeset: 3e87c1b1c380 Branch: stable User: dan Date: 2014-04-21 18:11:49 Summary: Prevent redirect misuse on user log in. Affected #: 2 files
diff -r e6876f6918548a0805fa0cc5306ba1ced6fb184a -r 3e87c1b1c3801aac29bb9bd7709ead6f996d7dc3 lib/galaxy/util/__init__.py
--- a/lib/galaxy/util/__init__.py
+++ b/lib/galaxy/util/__init__.py
@@ -29,6 +29,8 @@
 from hashlib import md5
 from itertools import izip
+from urlparse import urlparse
+
 from galaxy import eggs
 eggs.require( 'docutils' )
@@ -691,6 +693,17 @@
 def string_to_object( s ):
 return pickle.loads( binascii.unhexlify( s ) )
+def compare_urls( url1, url2, compare_scheme=True, compare_hostname=True, compare_path=True ):
+ url1 = urlparse( url1 )
+ url2 = urlparse( url2 )
+ if compare_scheme and url1.scheme and url2.scheme and url1.scheme != url2.scheme:
+ return False
+ if compare_hostname and url1.hostname and url2.hostname and url1.hostname != url2.hostname:
+ return False
+ if compare_path and url1.path and url2.path and url1.path != url2.path:
+ return False
+ return True
+
 def get_ucsc_by_build(build):
 sites = []
 for site in ucsc_build_sites:
diff -r e6876f6918548a0805fa0cc5306ba1ced6fb184a -r 3e87c1b1c3801aac29bb9bd7709ead6f996d7dc3 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
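Review bot: compare_urls silently treats a missing component as a wildcard — each check on the `if compare_hostname and url1.hostname and url2.hostname and ...` lines only fires when BOTH sides have that component — so any string urlparse cannot split into a host (a bare path, but also, I believe, backslash forms such as `\\host` that Python 2's urlparse keeps entirely in `path`) compares equal to the Galaxy root when called with `compare_path=False`. That semantics is what lets relative redirects through, but nothing in the function says so, and a caller reading the name will assume a host mismatch is always detected. Please add a docstring on the new function, e.g. `"""Return False only when a compared component is present in BOTH urls and differs; a missing scheme, host or path on either side matches anything, so a relative url compares equal to any absolute one."""`, and say in it that callers who need a real host check must resolve the value to an absolute URL first. The `import` hunk above it is fine as is.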
@@ -445,26 +445,35 @@
 return self.user_openid_grid( trans, **kwd )
 @web.expose
- def login( self, trans, redirect_url='', refresh_frames=[], **kwd ):
+ def login( self, trans, refresh_frames=[], **kwd ):
 '''Handle Galaxy Log in'''
 redirect = kwd.get( 'redirect', trans.request.referer ).strip()
+ root_url = url_for( '/', qualified=True )
+ redirect_url = '' #always start with redirect_url being empty
+ # compare urls, to prevent a redirect from pointing (directly) outside of galaxy
+ # or to enter a logout/login loop
+ if not util.compare_urls( root_url, redirect, compare_path=False ) or util.compare_urls( url_for( controller='user', action='logout', qualified=True ), redirect ):
+ redirect = root_url
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
 message = kwd.get( 'message', '' )
 status = kwd.get( 'status', 'done' )
 header = ''
- user = None
+ user = trans.user
 email = kwd.get( 'email', '' )
- if kwd.get( 'login_button', False ):
+ if user:
+ #already logged in
+ redirect_url = redirect
+ message = 'You are already logged in.'
+ status = 'info'
+ elif kwd.get( 'login_button', False ):
 if trans.webapp.name == 'galaxy' and not refresh_frames:
 if trans.app.config.require_login:
 refresh_frames = [ 'masthead', 'history', 'tools' ]
 else:
 refresh_frames = [ 'masthead', 'history' ]
 message, status, user, success = self.__validate_login( trans, **kwd )
- if success and redirect and not redirect.startswith( trans.request.base + url_for( controller='user', action='logout' ) ):
+ if success:
 redirect_url = redirect
- elif success:
- redirect_url = url_for( '/' )
 if not user and trans.app.config.require_login:
 if trans.app.config.allow_user_creation:
 create_account_str = " If you don't already have an account, <a href='%s'>you may create one</a>." % \
https://bitbucket.org/galaxy/galaxy-central/commits/6e91e5fcd113/ Changeset: 6e91e5fcd113 Branch: stable User: dan Date: 2014-04-21 18:12:03 Summary: Fix for masthead link for biostar mainpage. 
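Review bot: The new guard on the `if not util.compare_urls( root_url, redirect, compare_path=False )` line still admits any value for which urlparse yields no hostname, because compare_urls skips the host comparison when either side lacks one — that is what makes relative paths work, but it also passes network-path-looking strings such as `\\evil.example` or `/\evil.example`, which, as far as I recall, Python 2's urlparse keeps entirely in `path` while browsers normalise the backslash and follow them to the other host. Resolving the value against the app root before the check closes that gap: `redirect = urljoin( root_url, redirect )` (urljoin lives in the same `urlparse` module the commit already imports in util, so it could be re-exported or imported here), after which `//evil.example` becomes `http://evil.example` and fails the hostname check, a bare path becomes `http://<galaxy-host>/path`, and the backslash forms stay under the Galaxy host. With every compared URL then absolute, the logout-loop check on the same line also stops depending on the wildcard behaviour. login continues past the end of the hunk.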
Affected #: 3 files
diff -r 3e87c1b1c3801aac29bb9bd7709ead6f996d7dc3 -r 6e91e5fcd11351ea04789403e44002f9ccb70060 static/scripts/galaxy.menu.js
--- a/static/scripts/galaxy.menu.js
+++ b/static/scripts/galaxy.menu.js
@@ -196,7 +196,7 @@
 {
 tab_help.add({
 title : "Galaxy Q&A Site",
- content : this.options.biostar_url,
+ content : this.options.biostar_url_redirect,
 target : "_blank"
 });
 tab_help.add({
diff -r 3e87c1b1c3801aac29bb9bd7709ead6f996d7dc3 -r 6e91e5fcd11351ea04789403e44002f9ccb70060 static/scripts/packed/galaxy.menu.js
--- a/static/scripts/packed/galaxy.menu.js
+++ b/static/scripts/packed/galaxy.menu.js
@@ -1,1 +1,1 @@ -define(["galaxy.masthead"],function(b){var a=Backbone.Model.extend({options:null,masthead:null,initialize:function(c){this.options=c.config;this.masthead=c.masthead;this.create()},create:function(){var e=new b.GalaxyMastheadTab({id:"analysis",title:"Analyze Data",content:"root/index",title_attribute:"Analysis home view"});this.masthead.append(e);var g={id:"workflow",title:"Workflow",content:"workflow",title_attribute:"Chain tools into workflows"};if(!this.options.user.valid){g.disabled=true}var d=new b.GalaxyMastheadTab(g);this.masthead.append(d);var i=new b.GalaxyMastheadTab({id:"shared",title:"Shared Data",content:"library/index",title_attribute:"Access published resources"});i.add({title:"Data Libraries",content:"library/index"});i.add({title:"Data Libraries Beta",content:"library/list",divider:true});i.add({title:"Published Histories",content:"history/list_published"});i.add({title:"Published Workflows",content:"workflow/list_published"});i.add({title:"Published Visualizations",content:"visualization/list_published"});i.add({title:"Published Pages",content:"page/list_published"});this.masthead.append(i);if(this.options.user.requests){var j=new b.GalaxyMastheadTab({id:"lab",title:"Lab"});j.add({title:"Sequencing Requests",content:"requests/index"});j.add({title:"Find Samples",content:"requests/find_samples_index"});j.add({title:"Help",content:this.options.lims_doc_url});this.masthead.append(j)}var c={id:"visualization",title:"Visualization",content:"visualization/list",title_attribute:"Visualize datasets"};if(!this.options.user.valid){c.disabled=true}var m=new b.GalaxyMastheadTab(c);if(this.options.user.valid){m.add({title:"New Track Browser",content:"visualization/trackster",target:"_frame"});m.add({title:"Saved Visualizations",content:"visualization/list",target:"_frame"})}this.masthead.append(m);if(this.options.enable_cloud_launch){var f=new b.GalaxyMastheadTab({id:"cloud",title:"Cloud",content:"cloudlaunch/index"});f.add({title:"New Cloud 
Cluster",content:"cloudlaunch/index"});this.masthead.append(f)}if(this.options.is_admin_user){var h=new b.GalaxyMastheadTab({id:"admin",title:"Admin",content:"admin/index",extra_class:"admin-only",title_attribute:"Administer this Galaxy"});this.masthead.append(h)}var l=new b.GalaxyMastheadTab({id:"help",title:"Help",title_attribute:"Support, contact, and community hubs"});if(this.options.biostar_url){l.add({title:"Galaxy Q&A Site",content:this.options.biostar_url,target:"_blank"});l.add({title:"Ask a question",content:"biostar/biostar_question_redirect",target:"_blank"})}l.add({title:"Support",content:this.options.support_url,target:"_blank"});l.add({title:"Search",content:this.options.search_url,target:"_blank"});l.add({title:"Mailing Lists",content:this.options.mailing_lists,target:"_blank"});l.add({title:"Videos",content:this.options.screencasts_url,target:"_blank"});l.add({title:"Wiki",content:this.options.wiki_url,target:"_blank"});l.add({title:"How to Cite Galaxy",content:this.options.citation_url,target:"_blank"});if(this.options.terms_url){l.add({title:"Terms and Conditions",content:this.options.terms_url,target:"_blank"})}this.masthead.append(l);if(!this.options.user.valid){var k=new b.GalaxyMastheadTab({id:"user",title:"User",extra_class:"loggedout-only",title_attribute:"Account registration or login"});k.add({title:"Login",content:"user/login",target:"galaxy_main"});if(this.options.allow_user_creation){k.add({title:"Register",content:"user/create",target:"galaxy_main"})}this.masthead.append(k)}else{var k=new b.GalaxyMastheadTab({id:"user",title:"User",extra_class:"loggedin-only",title_attribute:"Account preferences and saved data"});k.add({title:"Logged in as "+this.options.user.email});if(this.options.use_remote_user&&this.options.remote_user_logout_href){k.add({title:"Logout",content:this.options.remote_user_logout_href,target:"_top"})}else{k.add({title:"Preferences",content:"user?cntrller=user",target:"galaxy_main"});k.add({title:"Custom 
Builds",content:"user/dbkeys",target:"galaxy_main"});k.add({title:"Logout",content:"user/logout",target:"_top",divider:true})}k.add({title:"Saved Histories",content:"history/list",target:"galaxy_main"});k.add({title:"Saved Datasets",content:"dataset/list",target:"galaxy_main"});k.add({title:"Saved Pages",content:"page/list",target:"_top"});k.add({title:"API Keys",content:"user/api_keys?cntrller=user",target:"galaxy_main"});if(this.options.use_remote_user){k.add({title:"Public Name",content:"user/edit_username?cntrller=user",target:"galaxy_main"})}this.masthead.append(k)}if(this.options.active_view){this.masthead.highlight(this.options.active_view)}}});return{GalaxyMenu:a}}); \ No newline at end of file +define(["galaxy.masthead"],function(b){var a=Backbone.Model.extend({options:null,masthead:null,initialize:function(c){this.options=c.config;this.masthead=c.masthead;this.create()},create:function(){var e=new b.GalaxyMastheadTab({id:"analysis",title:"Analyze Data",content:"root/index",title_attribute:"Analysis home view"});this.masthead.append(e);var g={id:"workflow",title:"Workflow",content:"workflow",title_attribute:"Chain tools into workflows"};if(!this.options.user.valid){g.disabled=true}var d=new b.GalaxyMastheadTab(g);this.masthead.append(d);var i=new b.GalaxyMastheadTab({id:"shared",title:"Shared Data",content:"library/index",title_attribute:"Access published resources"});i.add({title:"Data Libraries",content:"library/index"});i.add({title:"Data Libraries Beta",content:"library/list",divider:true});i.add({title:"Published Histories",content:"history/list_published"});i.add({title:"Published Workflows",content:"workflow/list_published"});i.add({title:"Published Visualizations",content:"visualization/list_published"});i.add({title:"Published Pages",content:"page/list_published"});this.masthead.append(i);if(this.options.user.requests){var j=new b.GalaxyMastheadTab({id:"lab",title:"Lab"});j.add({title:"Sequencing 
Requests",content:"requests/index"});j.add({title:"Find Samples",content:"requests/find_samples_index"});j.add({title:"Help",content:this.options.lims_doc_url});this.masthead.append(j)}var c={id:"visualization",title:"Visualization",content:"visualization/list",title_attribute:"Visualize datasets"};if(!this.options.user.valid){c.disabled=true}var m=new b.GalaxyMastheadTab(c);if(this.options.user.valid){m.add({title:"New Track Browser",content:"visualization/trackster",target:"_frame"});m.add({title:"Saved Visualizations",content:"visualization/list",target:"_frame"})}this.masthead.append(m);if(this.options.enable_cloud_launch){var f=new b.GalaxyMastheadTab({id:"cloud",title:"Cloud",content:"cloudlaunch/index"});f.add({title:"New Cloud Cluster",content:"cloudlaunch/index"});this.masthead.append(f)}if(this.options.is_admin_user){var h=new b.GalaxyMastheadTab({id:"admin",title:"Admin",content:"admin/index",extra_class:"admin-only",title_attribute:"Administer this Galaxy"});this.masthead.append(h)}var l=new b.GalaxyMastheadTab({id:"help",title:"Help",title_attribute:"Support, contact, and community hubs"});if(this.options.biostar_url){l.add({title:"Galaxy Q&A Site",content:this.options.biostar_url_redirect,target:"_blank"});l.add({title:"Ask a question",content:"biostar/biostar_question_redirect",target:"_blank"})}l.add({title:"Support",content:this.options.support_url,target:"_blank"});l.add({title:"Search",content:this.options.search_url,target:"_blank"});l.add({title:"Mailing Lists",content:this.options.mailing_lists,target:"_blank"});l.add({title:"Videos",content:this.options.screencasts_url,target:"_blank"});l.add({title:"Wiki",content:this.options.wiki_url,target:"_blank"});l.add({title:"How to Cite Galaxy",content:this.options.citation_url,target:"_blank"});if(this.options.terms_url){l.add({title:"Terms and Conditions",content:this.options.terms_url,target:"_blank"})}this.masthead.append(l);if(!this.options.user.valid){var k=new 
b.GalaxyMastheadTab({id:"user",title:"User",extra_class:"loggedout-only",title_attribute:"Account registration or login"});k.add({title:"Login",content:"user/login",target:"galaxy_main"});if(this.options.allow_user_creation){k.add({title:"Register",content:"user/create",target:"galaxy_main"})}this.masthead.append(k)}else{var k=new b.GalaxyMastheadTab({id:"user",title:"User",extra_class:"loggedin-only",title_attribute:"Account preferences and saved data"});k.add({title:"Logged in as "+this.options.user.email});if(this.options.use_remote_user&&this.options.remote_user_logout_href){k.add({title:"Logout",content:this.options.remote_user_logout_href,target:"_top"})}else{k.add({title:"Preferences",content:"user?cntrller=user",target:"galaxy_main"});k.add({title:"Custom Builds",content:"user/dbkeys",target:"galaxy_main"});k.add({title:"Logout",content:"user/logout",target:"_top",divider:true})}k.add({title:"Saved Histories",content:"history/list",target:"galaxy_main"});k.add({title:"Saved Datasets",content:"dataset/list",target:"galaxy_main"});k.add({title:"Saved Pages",content:"page/list",target:"_top"});k.add({title:"API Keys",content:"user/api_keys?cntrller=user",target:"galaxy_main"});if(this.options.use_remote_user){k.add({title:"Public Name",content:"user/edit_username?cntrller=user",target:"galaxy_main"})}this.masthead.append(k)}if(this.options.active_view){this.masthead.highlight(this.options.active_view)}}});return{GalaxyMenu:a}}); \ No newline at end of file diff -r 3e87c1b1c3801aac29bb9bd7709ead6f996d7dc3 -r 6e91e5fcd11351ea04789403e44002f9ccb70060 templates/webapps/galaxy/galaxy.masthead.mako --- a/templates/webapps/galaxy/galaxy.masthead.mako +++ b/templates/webapps/galaxy/galaxy.masthead.mako 
@@ -41,6 +41,7 @@
 'enable_cloud_launch' : app.config.get_bool('enable_cloud_launch', False),
 'lims_doc_url' : app.config.get("lims_doc_url", "http://main.g2.bx.psu.edu/u/rkchak/p/sts"),
 'biostar_url' : app.config.biostar_url,
+ 'biostar_url_redirect' : h.url_for( controller='biostar', action='biostar_redirect', qualified=True ),
 'support_url' : app.config.get("support_url", "http://wiki.galaxyproject.org/Support"),
 'search_url' : app.config.get("search_url", "http://galaxyproject.org/search/usegalaxy/"),
 'mailing_lists' : app.config.get("mailing_lists", "http://wiki.galaxyproject.org/MailingLists"),
https://bitbucket.org/galaxy/galaxy-central/commits/1d06e19aa3aa/ Changeset: 1d06e19aa3aa Branch: stable User: dannon Date: 2014-04-22 16:01:58 Summary: Merged in dan/galaxy-central-stable-prs/stable (pull request #374) Prevent redirect misuse on user log in. Affected #: 2 files
diff -r 7fe7330660189bb382191a18ee145a7698ddbb74 -r 1d06e19aa3aac0c87b21f8482b8fc73c89e277ad lib/galaxy/util/__init__.py
--- a/lib/galaxy/util/__init__.py
+++ b/lib/galaxy/util/__init__.py
@@ -29,6 +29,8 @@
 from hashlib import md5
 from itertools import izip
+from urlparse import urlparse
+
 from galaxy import eggs
 eggs.require( 'docutils' )
@@ -691,6 +693,17 @@
 def string_to_object( s ):
 return pickle.loads( binascii.unhexlify( s ) )
+def compare_urls( url1, url2, compare_scheme=True, compare_hostname=True, compare_path=True ):
+ url1 = urlparse( url1 )
+ url2 = urlparse( url2 )
+ if compare_scheme and url1.scheme and url2.scheme and url1.scheme != url2.scheme:
+ return False
+ if compare_hostname and url1.hostname and url2.hostname and url1.hostname != url2.hostname:
+ return False
+ if compare_path and url1.path and url2.path and url1.path != url2.path:
+ return False
+ return True
+
 def get_ucsc_by_build(build):
 sites = []
 for site in ucsc_build_sites:
diff -r 7fe7330660189bb382191a18ee145a7698ddbb74 -r 1d06e19aa3aac0c87b21f8482b8fc73c89e277ad lib/galaxy/webapps/galaxy/controllers/user.py
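Review bot: The path test on the `if compare_path and url1.path and url2.path and url1.path != url2.path:` line is a raw string comparison — urlparse does not percent-decode, collapse `//`, or strip a trailing slash — so when the login controller uses this function to detect its logout URL, `/user/logout/` or `/user/%6cogout` compare unequal to `url_for( controller='user', action='logout' )` even though the server will presumably route them to the same action (worth confirming against the router's decoding). Normalising both sides before the comparison, e.g. `from urllib import unquote` at the top of the module and `if compare_path and url1.path and url2.path and unquote( url1.path ).rstrip( '/' ) != unquote( url2.path ).rstrip( '/' ):`, makes the check match what the server sees. The new function also has no docstring; one sentence stating that a component missing on either side counts as a match would save the next reader from assuming a host mismatch is always caught.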
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -445,26 +445,35 @@
 return self.user_openid_grid( trans, **kwd )
 @web.expose
- def login( self, trans, redirect_url='', refresh_frames=[], **kwd ):
+ def login( self, trans, refresh_frames=[], **kwd ):
 '''Handle Galaxy Log in'''
 redirect = kwd.get( 'redirect', trans.request.referer ).strip()
+ root_url = url_for( '/', qualified=True )
+ redirect_url = '' #always start with redirect_url being empty
+ # compare urls, to prevent a redirect from pointing (directly) outside of galaxy
+ # or to enter a logout/login loop
+ if not util.compare_urls( root_url, redirect, compare_path=False ) or util.compare_urls( url_for( controller='user', action='logout', qualified=True ), redirect ):
+ redirect = root_url
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
 message = kwd.get( 'message', '' )
 status = kwd.get( 'status', 'done' )
 header = ''
- user = None
+ user = trans.user
 email = kwd.get( 'email', '' )
- if kwd.get( 'login_button', False ):
+ if user:
+ #already logged in
+ redirect_url = redirect
+ message = 'You are already logged in.'
+ status = 'info'
+ elif kwd.get( 'login_button', False ):
 if trans.webapp.name == 'galaxy' and not refresh_frames:
 if trans.app.config.require_login:
 refresh_frames = [ 'masthead', 'history', 'tools' ]
 else:
 refresh_frames = [ 'masthead', 'history' ]
 message, status, user, success = self.__validate_login( trans, **kwd )
- if success and redirect and not redirect.startswith( trans.request.base + url_for( controller='user', action='logout' ) ):
+ if success:
 redirect_url = redirect
- elif success:
- redirect_url = url_for( '/' )
 if not user and trans.app.config.require_login:
 if trans.app.config.allow_user_creation:
 create_account_str = " If you don't already have an account, <a href='%s'>you may create one</a>." % \
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. 
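Review bot: The unchanged line `redirect = kwd.get( 'redirect', trans.request.referer ).strip()` feeds the new guard, and it raises AttributeError whenever there is neither a `redirect` parameter nor a Referer header, if `trans.request.referer` can be None (a direct visit to the login page with a referer-stripping browser or proxy); `redirect = ( kwd.get( 'redirect', trans.request.referer ) or '' ).strip()` would avoid that and hand the guard an empty string. The empty string is then handled only by accident: `util.compare_urls( ..., '' )` returns True because every component of the parsed empty string is missing, so the logout-loop half of the condition forces `redirect = root_url`. That deserves a comment on the `if not util.compare_urls( root_url, redirect, compare_path=False ) or ...` line, e.g. `# an empty redirect has no components, so it "matches" the logout url and falls back to root_url`, so a later change to compare_urls does not silently turn an empty redirect into a no-op. login continues past the end of the hunk.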