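--- a/WebStack/Resources/OpenIDInitiation.py Sat Nov 17 00:49:08 2007 +0000
+++ b/WebStack/Resources/OpenIDInitiation.py Sat Nov 17 02:05:17 2007 +0000
@@ -22,6 +22,7 @@
 
 import WebStack.Generic
 import libxml2dom
+import cgi # for escape
 
 class OpenIDInitiationResource:
 
@@ -30,7 +31,7 @@
 encoding = "utf-8"
 openid_ns = "http://specs.openid.net/auth/2.0"
 
-def __init__(self, openid_mode=None, use_redirect=1, urlencoding=None, encoding=None):
+def __init__(self, openid_mode=None, use_redirect=0, urlencoding=None, encoding=None):
 
 """
 Initialise the resource.
@@ -155,7 +156,7 @@
 
 trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding))
 out = trans.get_response_stream()
-out.write(self.initiation_page % app)
+out.write(self.initiation_page % cgi.escape(app))
 
 def show_success(self, trans, provider, app, claimed_identifier, local_identifier):
 
@@ -167,9 +168,9 @@
 
 trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding))
 out = trans.get_response_stream()
-out.write(self.success_page % (
+out.write(self.success_page % tuple(map(cgi.escape, (
 provider, self.openid_ns, self.openid_mode, app, claimed_identifier, local_identifier)
-)
+)))
 
 initiation_page = """
 <html>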
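Review bot: `cgi.escape` is called without its `quote` argument in both the `initiation_page` write (`@@ -155`) and the `success_page` write (`@@ -167`), so a `"` in `app`, `claimed_identifier` or `local_identifier` passes through unchanged; only `&`, `<` and `>` are translated. The templates are not visible here beyond `<html>`, but the sibling `OpenIDLogin.py` in this same commit places these values in `value="%s"` hidden inputs, and if `initiation_page` or `success_page` does the same a quote still terminates the attribute. Pass the flag for attribute slots: `out.write(self.initiation_page % cgi.escape(app, True))` and `tuple(map(lambda s: cgi.escape(s, True), (provider, self.openid_ns, self.openid_mode, app, claimed_identifier, local_identifier)))`. Both enclosing methods start outside their hunks, so whether every `%s` is attribute or element content cannot be confirmed from this view.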
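--- a/WebStack/Resources/OpenIDLogin.py Sat Nov 17 00:49:08 2007 +0000
+++ b/WebStack/Resources/OpenIDLogin.py Sat Nov 17 02:05:17 2007 +0000
@@ -26,6 +26,7 @@
 import datetime
 import time
 import random
+import cgi # for escape
 
 class OpenIDLoginResource:
 
@@ -34,7 +35,7 @@
 encoding = "utf-8"
 openid_ns = "http://specs.openid.net/auth/2.0"
 
-def __init__(self, app_url, authenticator, associations=None, use_redirect=1, urlencoding=None, encoding=None):
+def __init__(self, app_url, authenticator, associations=None, use_redirect=0, urlencoding=None, encoding=None):
 
 """
 Initialise the resource with the application URL 'app_url' and an
@@ -73,16 +74,17 @@
 
 fields = trans.get_fields(self.encoding)
 
+app = fields.get("openid.return_to", [""])[0]
+claimed_id = fields.get("openid.claimed_id", [""])[0]
+local_id = fields.get("openid.identity", [""])[0]
+
 if fields.has_key("login"):
 
 # Check a combination of local identifier and username together with
 # the password.
 
-claimed_id = fields.get("claimed_id", [""])[0]
-local_id = fields.get("local_id", [""])[0]
 username = fields.get("username", [""])[0]
 password = fields.get("password", [""])[0]
-app = fields.get("app", [""])[0]
 
 # NOTE: Permit flexibility in the credentials.
 
@@ -112,10 +114,6 @@
 
 # Otherwise, show the login form.
 
-app = fields.get("openid.return_to", [""])[0]
-claimed_id = fields.get("openid.claimed_id", [""])[0]
-local_id = fields.get("openid.identity", [""])[0]
-
 self.show_login(trans, app, claimed_id, local_id)
 
 def _redirect(self, trans, claimed_id, local_id, username, app):
@@ -204,7 +202,7 @@
 
 trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding))
 out = trans.get_response_stream()
-out.write(self.login_page % (app, claimed_id, local_id))
+out.write(self.login_page % tuple(map(cgi.escape, (app, claimed_id, local_id))))
 
 def show_success(self, trans, app, mode, signed_names, signature, fields):
 
@@ -221,7 +219,10 @@
 l = []
 for name, value in fields.items():
 l.append("""<input name="%s" type="hidden" value="%s" />""" % (name, value[0]))
-out.write(self.success_page % (app, self.openid_ns, mode, ",".join(signed_names), signature, "\n".join(l)))
+args = tuple(
+map(cgi.escape, (app, self.openid_ns, mode, ",".join(signed_names), signature))
+) + ("\n".join(l),)
+out.write(self.success_page % args)
 
 login_page = """
 <html>
@@ -234,9 +235,9 @@
 <p>Username: <input name="username" type="text" size="12"/></p>
 <p>Password: <input name="password" type="password" size="12"/></p>
 <p><input name="login" type="submit" value="Login"/></p>
-<input name="app" type="hidden" value="%s"/>
-<input name="claimed_id" type="hidden" value="%s"/>
-<input name="local_id" type="hidden" value="%s"/>
+<input name="openid.return_to" type="hidden" value="%s"/>
+<input name="openid.claimed_id" type="hidden" value="%s"/>
+<input name="openid.identity" type="hidden" value="%s"/>
 </form>
 </body>
 </html>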
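Review bot: In the `show_success` hunk (`@@ -221`) the hidden-input loop still interpolates `name` and `value[0]` from `fields` into `name="%s"` and `value="%s"` unescaped, and the new `args` tuple appends `"\n".join(l)` outside the `map(cgi.escape, …)`, so the request-derived values that land inside attributes are exactly the ones this commit leaves untreated. The same gap applies to `show_login` (`@@ -204`) together with the new `login_page` hidden inputs (`@@ -234`): `cgi.escape` without its `quote` flag leaves `"` alone, so an escaped `app`, `claimed_id` or `local_id` still terminates a `value="%s"` attribute. Use `cgi.escape(s, True)` for every attribute slot (e.g. `out.write(self.login_page % tuple(map(lambda s: cgi.escape(s, True), (app, claimed_id, local_id))))`) and escape inside the loop as below. `show_login` and `show_success` both start outside their hunks, so the set of `%s` slots in `success_page` cannot be confirmed from here.
```python
# … unchanged: content-type and response stream setup …
l = []
for name, value in fields.items():
    l.append("""<input name="%s" type="hidden" value="%s" />""" % (cgi.escape(name, True), cgi.escape(value[0], True)))
args = tuple(
    map(lambda s: cgi.escape(s, True), (app, self.openid_ns, mode, ",".join(signed_names), signature))
) + ("\n".join(l),)
out.write(self.success_page % args)
```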