1.1 --- a/WebStack/Resources/OpenIDLogin.py Sat Nov 17 00:49:08 2007 +0000
1.2 +++ b/WebStack/Resources/OpenIDLogin.py Sat Nov 17 02:05:17 2007 +0000
1.3 @@ -26,6 +26,7 @@
1.4 import datetime
1.5 import time
1.6 import random
1.7 +import cgi # for escape
1.8
1.9 class OpenIDLoginResource:
1.10
1.11 @@ -34,7 +35,7 @@
1.12 encoding = "utf-8"
1.13 openid_ns = "http://specs.openid.net/auth/2.0"
1.14
1.15 - def __init__(self, app_url, authenticator, associations=None, use_redirect=1, urlencoding=None, encoding=None):
1.16 + def __init__(self, app_url, authenticator, associations=None, use_redirect=0, urlencoding=None, encoding=None):
1.17
1.18 """
1.19 Initialise the resource with the application URL 'app_url' and an
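Review bot: The default for `use_redirect` flips from 1 to 0 on the new signature line, but the docstring that follows it runs past the hunk and nothing visible here records the new default or what the non-redirect path does instead. Add a sentence to that docstring along the lines of `'use_redirect' (default 0) selects whether the assertion is delivered by an HTTP redirect or by the success page's form; the form is now the default.` — hedged, since the form behaviour is inferred from `show_success` rather than shown here. If any existing caller relied on the implicit redirect, this is a behaviour change worth calling out in the commit message too. `__init__` continues outside the hunk.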
1.20 @@ -73,16 +74,17 @@
1.21
1.22 fields = trans.get_fields(self.encoding)
1.23
1.24 + app = fields.get("openid.return_to", [""])[0]
1.25 + claimed_id = fields.get("openid.claimed_id", [""])[0]
1.26 + local_id = fields.get("openid.identity", [""])[0]
1.27 +
1.28 if fields.has_key("login"):
1.29
1.30 # Check a combination of local identifier and username together with
1.31 # the password.
1.32
1.33 - claimed_id = fields.get("claimed_id", [""])[0]
1.34 - local_id = fields.get("local_id", [""])[0]
1.35 username = fields.get("username", [""])[0]
1.36 password = fields.get("password", [""])[0]
1.37 - app = fields.get("app", [""])[0]
1.38
1.39 # NOTE: Permit flexibility in the credentials.
1.40
1.41 @@ -112,10 +114,6 @@
1.42
1.43 # Otherwise, show the login form.
1.44
1.45 - app = fields.get("openid.return_to", [""])[0]
1.46 - claimed_id = fields.get("openid.claimed_id", [""])[0]
1.47 - local_id = fields.get("openid.identity", [""])[0]
1.48 -
1.49 self.show_login(trans, app, claimed_id, local_id)
1.50
1.51 def _redirect(self, trans, claimed_id, local_id, username, app):
1.52 @@ -204,7 +202,7 @@
1.53
1.54 trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding))
1.55 out = trans.get_response_stream()
1.56 - out.write(self.login_page % (app, claimed_id, local_id))
1.57 + out.write(self.login_page % tuple(map(cgi.escape, (app, claimed_id, local_id))))
1.58
1.59 def show_success(self, trans, app, mode, signed_names, signature, fields):
1.60
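Review bot: `cgi.escape` is called with its default `quote=False` on the new `out.write` line, so a `"` in `app`, `claimed_id` or `local_id` still closes the `value="%s"` attribute that `login_page` puts each of them in (the double-quoted hidden inputs are visible in the template hunk below), which leaves attribute-injection XSS open even though `<`, `>` and `&` are now handled. Pass `True` as the second argument: `out.write(self.login_page % tuple([cgi.escape(s, True) for s in (app, claimed_id, local_id)]))`. All three values originate from request fields, so none of them can be assumed quote-free.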
1.61 @@ -221,7 +219,10 @@
1.62 l = []
1.63 for name, value in fields.items():
1.64 l.append("""<input name="%s" type="hidden" value="%s" />""" % (name, value[0]))
1.65 - out.write(self.success_page % (app, self.openid_ns, mode, ",".join(signed_names), signature, "\n".join(l)))
1.66 + args = tuple(
1.67 + map(cgi.escape, (app, self.openid_ns, mode, ",".join(signed_names), signature))
1.68 + ) + ("\n".join(l),)
1.69 + out.write(self.success_page % args)
1.70
1.71 login_page = """
1.72 <html>
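Review bot: The per-field hidden inputs built in the loop above `args` still interpolate `name` and `value[0]` unescaped, and `"\n".join(l)` is deliberately appended after the `map(cgi.escape, ...)` call, so that part of the page bypasses the escaping this commit adds; if `fields` is the request's field dictionary, as the name suggests, that is a reflected XSS path in the success page. Escape both halves with quoting enabled: `l.append("""<input name="%s" type="hidden" value="%s" />""" % (cgi.escape(name, True), cgi.escape(value[0], True)))`. The same `quote=True` is needed on the `map(cgi.escape, ...)` line, since `app` and the other escaped values also land in double-quoted attributes (or a form `action`) in `success_page`, and `cgi.escape` leaves `"` alone by default. `show_success` begins outside this hunk.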
1.73 @@ -234,9 +235,9 @@
1.74 <p>Username: <input name="username" type="text" size="12"/></p>
1.75 <p>Password: <input name="password" type="password" size="12"/></p>
1.76 <p><input name="login" type="submit" value="Login"/></p>
1.77 - <input name="app" type="hidden" value="%s"/>
1.78 - <input name="claimed_id" type="hidden" value="%s"/>
1.79 - <input name="local_id" type="hidden" value="%s"/>
1.80 + <input name="openid.return_to" type="hidden" value="%s"/>
1.81 + <input name="openid.claimed_id" type="hidden" value="%s"/>
1.82 + <input name="openid.identity" type="hidden" value="%s"/>
1.83 </form>
1.84 </body>
1.85 </html>