YunoHost/apps
1
0
Fork 0
mirror of https://github.com/YunoHost/apps.git synced 2024-09-03 20:06:07 +02:00
Code Projects Activity

appstore: add CSRF token for wishlist_add form

Browse source
This commit is contained in:
Alexandre Aubin 2023-09-19 17:02:56 +02:00
parent c6889e4b01
commit 846d3d096f
2 changed files with 36 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
store/app.py
View file

@ -5,6 +5,7 @@ import base64
import hashlib
import hmac
import os
import string
import random
import urllib
import json
@ -186,6 +187,22 @@ def add_to_wishlist():
"wishlist_add.html",
locale=get_locale(),
user=session.get("user", {}),
csrf_token=None,
successmsg=None,
errormsg=errormsg,
)
csrf_token = request.form["csrf_token"]
print(csrf_token)
print(session.get("csrf_token"))
if csrf_token != session.get("csrf_token"):
errormsg = _("Invalid CSRF token, please refresh the form and try again")
return render_template(
"wishlist_add.html",
locale=get_locale(),
user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None,
errormsg=errormsg,
)
@ -227,6 +244,7 @@ def add_to_wishlist():
"wishlist_add.html",
locale=get_locale(),
user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None,
errormsg=errormsg,
)
@ -247,6 +265,7 @@ def add_to_wishlist():
"wishlist_add.html",
locale=get_locale(),
user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None,
errormsg=_(
"An entry with the name %(slug) already exists in the wishlist",
@ -280,6 +299,7 @@ def add_to_wishlist():
"wishlist_add.html",
locale=get_locale(),
user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None,
errormsg=errormsg,
)
@ -328,10 +348,14 @@ Proposed by **{session['user']['username']}**
successmsg=successmsg,
)
else:
letters = string.ascii_lowercase + string.digits
csrf_token = ''.join(random.choice(letters) for i in range(16))
session["csrf_token"] = csrf_token
return render_template(
"wishlist_add.html",
locale=get_locale(),
user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None,
errormsg=None,
)

22
store/templates/wishlist_add.html
View file

@ -5,7 +5,7 @@
{% block main %}
<div class="mt-5 text-center px-3 sm:px-0">
<h1 class="text-2xl font-bold text-gray-900">
{{ _("Suggest an application to be added to YunoHost's catalog") }}
{{ _("Suggest an application to be added to YunoHost's catalog") }}
</h1>
</div>
@ -26,7 +26,7 @@
<div role="alert" class="rounded-md border-s-4 border-orange-500 bg-orange-50 p-4 mb-5">
<p class="mt-2 text-sm text-orange-700 font-bold">
<i class="fa fa-exclamation-triangle fa-fw" aria-hidden="true"></i>
{{ _("You must first login to be allowed to submit an app to the wishlist") }}
{{ _("You must first login to be allowed to submit an app to the wishlist") }}
</p>
</div>
{% endif %}
@ -34,10 +34,10 @@
<div role="alert" class="rounded-md border-s-4 border-sky-500 bg-sky-50 p-4">
<p class="mt-2 text-sm text-sky-700 font-bold">
<i class="fa fa-info-circle fa-fw" aria-hidden="true"></i>
{{ _("Please check the license of the app your are proposing") }}
{{ _("Please check the license of the app your are proposing") }}
</p>
<p class="mt-2 text-sm text-sky-700">
{{ _("The YunoHost project will only package free/open-source software (with possible case-by-case exceptions for apps which are not-totally-free)") }}
{{ _("The YunoHost project will only package free/open-source software (with possible case-by-case exceptions for apps which are not-totally-free)") }}
</p>
</div>
@ -50,28 +50,30 @@
</div>
{% endif %}
<form method="POST" action="{{ url_for('add_to_wishlist') }}" class="mt-8 mb-8" >
<form method="POST" action="{{ url_for('add_to_wishlist') }}" class="my-8" >
<input name="csrf_token" type="text" class="hidden" value="{{ csrf_token }}" >
<label for="name" class="mt-5 block font-bold text-gray-700">{{ _("Name") }}</label>
<input name="name" type="text" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" maxlength="30" required onkeyup="this.value = this.value.replace(/[^a-zA-Z0-9.-\\(\\)\\ ]/, '')" >
<label for="description" class="mt-5 block font-bold text-gray-700">{{ _("App's description") }}</label>
<textarea name="description" type="text" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" required rows='3' maxlength='100'></textarea>
<span class="text-xs text-gray-600"><span class="font-bold">{{ _("Please be concise and focus on what the app does.") }}</span> {{ _("No need to repeat '[App] is ...'. No need to state that it is free/open-source or self-hosted (otherwise it wouldn't be packaged for YunoHost). Avoid marketing stuff like 'the most', or vague properties like 'easy', 'simple', 'lightweight'.") }}</span>
<label for="upstream" class="mt-5 block font-bold text-gray-700">{{ _("Project code repository") }}</label>
<input name="upstream" type="url" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" maxlength="150" required >
<label for="website" class="mt-5 block font-bold text-gray-700">{{ _("Project website") }}</label>
<input name="website" type="url" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" maxlength="150" >
<span class="text-xs text-gray-600">{{ _("Please *do not* just copy-paste the code repository URL. If the project has no proper website, then leave the field empty.") }}</span>
<button
type="submit"
class="block mx-auto btn btn-primary mt-5 {% if user %}hover:bg-blue-700{% endif %}"
{% if not user %}disabled{% endif %}
>
{{ _("Submit") }}
{{ _("Submit") }}
</button>
</form>