changeset 275:9be8464e4295

Oops, we didn't authenticate the parameter update
author Matt Johnston <matt@ucc.asn.au>
date Tue, 17 Nov 2015 22:24:09 +0800
parents 654caee52c83
children 2630995fb973
files web/templog.py
diffstat 1 files changed, 12 insertions(+), 1 deletions(-) [+]
--- a/web/templog.py	Wed Jun 10 00:13:26 2015 +0800
+++ b/web/templog.py	Tue Nov 17 22:24:09 2015 +0800
@@ -69,6 +69,12 @@
 
 @route('/set/update', method='post')
 def set_update():
+    if not secure.check_user_hash(config.ALLOWED_USERS):
+        # the "Save" button should be disabled if the cert wasn't
+        # good
+        response.status = 403
+        return "No cert, dodginess"
+
     post_json = json.loads(request.forms.data)
 
     csrf_blob = post_json['csrf_blob']
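Review bot: The comment above the new 403 path describes the client UI rather than the rule being enforced, and the body `return "No cert, dodginess"` is informal for a response a client will see; the comment should say this is the server-side gate, e.g. `# Server-side gate: refuse the update unless the client cert hash is in ALLOWED_USERS; the disabled Save button is only a UI hint.`, with a body such as `return "Client certificate not recognised"`. Placing the check before `json.loads(request.forms.data)` and the `post_json['csrf_blob']` lookup is the right order, since unauthenticated callers never reach the JSON parser or the later `update_params` call. What `secure.check_user_hash` compares is not visible here; the commented `mod_ssl.var_lookup` lines elsewhere in the file suggest a client-certificate hash, so it is worth confirming the hash comes from a value set by the TLS terminator and not from a header the client can supply itself.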
@@ -79,7 +85,7 @@
 
     ret = log.update_params(post_json['params'])
     if not ret is True:
-        response.status = 403
+        response.status = 409 # Conflict
         return ret
         
     return "Good"
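Review bot: `if not ret is True:` parses as `not (ret is True)` and works, but PEP 8 (E714) spells it `if ret is not True:`; as written, any return from `log.update_params` other than the singleton `True` is treated as an error and sent back as the body, which looks intentional but deserves a comment such as `# update_params returns True on success, otherwise an error message for the client`. The switch to 409 assumes the failure is a state conflict (a stale `csrf_blob` or a concurrent edit); if `update_params` also rejects malformed parameter values, those should come back as 400 so the client can tell the two apart. `update_params` is not in the hunk, so I cannot tell which it is. Whatever it returns goes verbatim to the client, so it should carry no internal detail beyond what the UI needs to display.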
@@ -157,6 +163,11 @@
     #var_lookup = environ['mod_ssl.var_lookup']
     #return var_lookup("SSL_SERVER_I_DN_O")
 
+@route('/h')
+def headers():
+    response.set_header('Content-Type', 'text/plain')
+    return '\n'.join("%s: %s" % x for x in request.headers.items())
+
 @route('/get_settings')
 def get_settings():
     response.set_header('Cache-Control', 'no-cache')
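Review bot: The new `/h` route returns every request header to any caller with no authentication, which includes whatever the reverse proxy adds (forwarded-for and, given the commented `mod_ssl.var_lookup` lines just above, possibly the client-certificate fields the cert check depends on), so it discloses how authentication is plumbed through the front end. If it is a debugging aid it should open with the same three-line `secure.check_user_hash(config.ALLOWED_USERS)` guard that `set_update` now uses, returning 403 otherwise, or be removed before deployment. A short docstring stating its purpose would also help, e.g. `"""Diagnostic only: echo the request headers as text/plain to an authenticated user."""`.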