author | Simo Sorce <simo@redhat.com> | 2014-10-14 22:30:32 -0400 |
---|---|---|
committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2014-10-27 14:58:30 +0100 |
commit | 5ebec54b30ae7cfeef98761894732f52b30d2441 (patch) | |
tree | 93a5d7c2d3152c669cebf2d7592e1cea23f8afff /ipsilon/util | |
parent | 8396e2c5a880042eda2c9549a9f6e9651bb68b93 (diff) | |
Allow to call forms from any of the admin pages
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Diffstat (limited to 'ipsilon/util')
-rwxr-xr-x | ipsilon/util/page.py | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
index 213f945..eeb9ca3 100755
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -17,11 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+import cherrypy
 from ipsilon.util.log import Log
 from ipsilon.util.user import UserSession
 from ipsilon.util.trans import Transaction
 from urllib import unquote
-import cherrypy
+try:
+ from urlparse import urlparse
+except ImportError:
+ # pylint: disable=no-name-in-module, import-error
+ from urllib.parse import urlparse
 def admin_protect(fn):
@@ -46,10 +51,14 @@ class Page(Log):
 self.default_headers = dict()
 self.auth_protect = False
- def _compare_urls(self, url1, url2):
- u1 = unquote(url1)
- u2 = unquote(url2)
- if u1 == u2:
+ def _check_referer(self, referer, url):
+ r = urlparse(unquote(referer))
+ u = urlparse(unquote(url))
+ if r.scheme != u.scheme:
+ return False
+ if r.netloc != u.netloc:
+ return False
+ if r.path.startswith(self.basepath):
 return True
 return False
@@ -79,7 +88,7 @@ class Page(Log):
 % (cherrypy.request.method, url))
 raise cherrypy.HTTPError(403)
 referer = cherrypy.request.headers['referer']
- if not self._compare_urls(referer, url):
+ if not self._check_referer(referer, url):
 self._debug("Wrong referer %s in request to %s"
 % (referer, url))
 raise cherrypy.HTTPError(403) |
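Review bot: The `try`/`except ImportError` fallback added for `urlparse` in the import hunk cannot take effect on Python 3, because the unchanged context line just above it, `from urllib import unquote`, is itself a Python 2-only import and would raise ImportError first. If Python 3 is a target, move `unquote` into the same block: `from urllib import unquote` inside the `try:` and `from urllib.parse import urlparse, unquote` inside the `except ImportError:` branch. If it is not, the fallback and its pylint pragma can be dropped to keep the import section honest about what is supported.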
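Review bot: In `_check_referer` the final test `r.path.startswith(self.basepath)` is a plain string prefix match, so a same-origin path that only shares its leading characters with the base path (anything mounted at `<basepath>-other`, for instance) is accepted as if it were one of the admin pages. Compare on a segment boundary instead: `base = self.basepath.rstrip('/')` followed by `if r.path == base or r.path.startswith(base + '/'):`. Both URLs are also passed through `unquote` before `urlparse`, which allows percent-encoded `/`, `?`, `#` or `@` in the Referer to change how it is split into netloc and path; parsing first and unquoting only `r.path` keeps the scheme and netloc comparison on the raw value. `self.basepath` is not assigned in the visible part of `__init__`, so this assumes it is set elsewhere in the class. Because every page under the base path now counts as a valid source for a form post, a per-session token checked alongside the Referer would be a sturdier defence than the header alone.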