CSRF Protection for TurboGears2


Sandro Beffa

Mar 31, 2016, 7:45:39 AM3/31/16
to TurboGears
Hi there,

I was looking for some existing CSRF protection for TurboGears2. I found https://pythonhosted.org/python-fedora/service.html#csrf-protection, but it does not seem to work with TG 2.3.8:

13:40:40,815 ERROR [gearbox] cookie: An object has failed to implement interface <InterfaceClass repoze.who.interfaces.IAuthenticator>

        The authenticate attribute was not provided.
       
Traceback (most recent call last):
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/gearbox/main.py", line 167, in _run_subcommand
    return cmd.run(parsed_args)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/gearbox/command.py", line 31, in run
    self.take_action(parsed_args)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/gearbox/commands/serve.py", line 254, in take_action
    relative_to=base, global_conf=parsed_vars)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/gearbox/commands/serve.py", line 289, in loadapp
    return loadapp(app_spec, name=name, relative_to=relative_to, **kw)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 247, in loadapp
    return loadobj(APP, uri, name=name, **kw)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 272, in loadobj
    return context.create()
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 710, in create
    return self.object_type.invoke(self)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 146, in invoke
    return fix_call(context.object, context.global_conf, **context.local_conf)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/paste/deploy/util.py", line 55, in fix_call
    val = callable(*args, **kw)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/tg-csrf/tg_csrf/config/middleware.py", line 34, in make_app
    full_stack=full_stack, **app_conf)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/tg/configuration/app_config.py", line 1229, in make_base_app
    app = self._add_auth_middleware(app_config, app)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/tg/configuration/app_config.py", line 1010, in _add_auth_middleware
    app = setup_auth(app, skip_authentication=skip_authentication, **auth_args)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/tg/configuration/auth/setup.py", line 183, in setup_auth
    return PluggableAuthenticationMiddleware(app, **who_args)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/repoze/who/middleware.py", line 26, in __init__
    challengers, mdproviders)
  File "/home/sbeffa/files/projects/own/csrf_tg2/csrf/local/lib/python2.7/site-packages/repoze/who/middleware.py", line 447, in make_registries
    raise ValueError(str(name) + ': ' + why)
ValueError: cookie: An object has failed to implement interface <InterfaceClass repoze.who.interfaces.IAuthenticator>

        The authenticate attribute was not provided.


Besides this, I found this library quite 'fedora'-centred. It also pulls in a lot of additional libraries.

So my question: are there other libs to add CSRF protection to TG2?

Thanks,

Best regards, Sandro


Alessandro Molina

Apr 3, 2016, 7:00:46 PM4/3/16
to TurboGears
On Thu, Mar 31, 2016 at 1:45 PM, Sandro Beffa <sbef...@gmail.com> wrote:

So my question: Are there other libs to add CSRF protection to TG2 ?

Hope this provides what you need: https://pypi.python.org/pypi/tgext.utils/0.0.1 :D
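The check that a CSRF library such as the one recommended above has to perform, written out as a stand-alone Python illustration added here; this is not code from the thread, from tgext.utils or from TurboGears. It assumes a synchronizer token kept in the server-side session and echoed back in a hidden form field, a controller method that receives a request-like object with `.method`, `.session` and `.params` (a stand-in for what a TG2 controller sees), and the hypothetical field and session key name `_csrf_token`.

```python
"""Synchronizer-token CSRF check in the shape of a controller decorator.

Hypothetical example: no TurboGears or tgext.utils API is used, so the module
runs stand-alone. The request is modelled as a plain object exposing .method,
.session (a dict) and .params (a dict), mirroring what a TG2 controller would see.
"""
import hmac
import secrets
from functools import wraps

SESSION_KEY = "_csrf_token"   # assumed name of the session slot holding the token
FORM_FIELD = "_csrf_token"    # assumed name of the hidden form field
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})  # read-only methods are not checked


class CSRFError(Exception):
    """Raised when a state-changing request carries no valid token (maps to HTTP 403)."""


def issue_token(session):
    """Return the session's CSRF token, generating a fresh random one on first use."""
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output, URL-safe text
        session[SESSION_KEY] = token
    return token


def hidden_field(session):
    """HTML snippet a form template would embed so the browser echoes the token back."""
    return '<input type="hidden" name="%s" value="%s">' % (FORM_FIELD, issue_token(session))


def token_is_valid(session, submitted):
    """Constant-time comparison of the submitted token against the session token.

    Both sides are encoded to bytes first: hmac.compare_digest raises TypeError on
    non-ASCII str input, and attacker-controlled form data must not trigger that.
    """
    expected = session.get(SESSION_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), str(submitted).encode("utf-8"))


def csrf_protect(controller_method):
    """Decorator: reject any non-safe-method request whose form token does not match."""
    @wraps(controller_method)
    def wrapper(self, request, *args, **kwargs):
        if request.method.upper() not in SAFE_METHODS:
            submitted = request.params.get(FORM_FIELD)
            if not token_is_valid(request.session, submitted):
                raise CSRFError("missing or invalid CSRF token")
        return controller_method(self, request, *args, **kwargs)
    return wrapper


class FakeRequest:
    """Constructed stand-in for the framework request object."""
    def __init__(self, method, session, params=None):
        self.method = method
        self.session = session
        self.params = params or {}


class SettingsController:
    """Hypothetical controller with one state-changing action."""
    @csrf_protect
    def update(self, request):
        return "updated"


def demo():
    """Exercise the decorator with a genuine token, a forged one, none, and a GET."""
    session = {}
    ctrl = SettingsController()
    token = issue_token(session)
    genuine = ctrl.update(FakeRequest("POST", session, {FORM_FIELD: token}))
    try:
        ctrl.update(FakeRequest("POST", session, {FORM_FIELD: "forged-value"}))
        forged = "accepted"
    except CSRFError:
        forged = "rejected"
    try:
        ctrl.update(FakeRequest("POST", session, {}))
        missing = "accepted"
    except CSRFError:
        missing = "rejected"
    read_only = ctrl.update(FakeRequest("GET", session))
    return genuine, forged, missing, read_only


if __name__ == "__main__":
    print(demo())   # ('updated', 'rejected', 'rejected', 'updated')
```

The token lives only in the session and in the form body, never in a URL, so a cross-site page cannot read it; the decorator leaves safe methods alone, which is why state changes must never be reachable over GET.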

Sandro Beffa

Apr 5, 2016, 11:42:52 AM4/5/16
to TurboGears
Hi Alessandro
for not it's not used
Thank you very much for this :-)
An other thing, which I was looking for is the following:

I noticed that the TG Admin is not using the SecureFormMixin (to prevent CSRF) which TW2 is providing. Is there a reason why it's not used?

Best regards, Sandro

Alessandro Molina

Apr 5, 2016, 5:16:20 PM4/5/16
to TurboGears
CSRF has not been a priority for admin so far, so no one ever provided a patch for CSRF in admin.
Btw, if I'm not wrong, SecureFormMixin was from TW1, not TW2.


Sandro Beffa

Apr 7, 2016, 12:10:15 PM4/7/16
to TurboGears
Hi Alessandro

Thank you for your reply.
I checked it: SecureFormMixin is only available for TW1, you're right.

If I find some time, I'll check whether I can port it to TW2.

Regards, Sandro