sitescripts/submitEmail/web/submitEmail.py - Issue 5177883412660224: Issue 2234 - Add a WSGI controller to collect email addresses for the Adblock Browser iOS launch

Side by Side Diff: sitescripts/submitEmail/web/submitEmail.py

Issue 5177883412660224: Issue 2234 - Add a WSGI controller to collect email addresses for the Adblock Browser iOS launch (Closed)

Patch Set: Simplified verification code validation Created April 22, 2015, 12:17 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 # coding: utf-8

	2

	3 # This file is part of the Adblock Plus web scripts,

	4 # Copyright (C) 2006-2015 Eyeo GmbH

	5 #

	6 # Adblock Plus is free software: you can redistribute it and/or modify

	7 # it under the terms of the GNU General Public License version 3 as

	8 # published by the Free Software Foundation.

	9 #

	10 # Adblock Plus is distributed in the hope that it will be useful,

	11 # but WITHOUT ANY WARRANTY; without even the implied warranty of

	12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

	13 # GNU General Public License for more details.

	14 #

	15 # You should have received a copy of the GNU General Public License

	16 # along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.

	17

	18 import os

	19 import re

	20 import errno

	21 import fcntl

	22 import random

	23 import string

	24 import wsgiref.util

	25 from urlparse import parse_qs, urljoin

	26 from urllib import urlencode

	27

	28 from sitescripts.utils import get_config, sendMail

	29 from sitescripts.web import url_handler, form_handler

	30

	31 VERIFICATION_PATH = '/verifyEmail'

	32 VERIFICATION_CODE_PARAM = 'code'

	33 VERIFICATION_CODE_CHARS = string.letters + string.digits

	34

	35 verification_code_regexp = re.compile(r'^[%s]+$' % re.escape(VERIFICATION_CODE_C HARS))
	kzar 2015/04/22 12:48:13 Shouldn't this be called VERIFICATION_CODE_REGEXP? Shouldn't this be called VERIFICATION_CODE_REGEXP? Sebastian Noack 2015/04/22 13:09:49 I usually only use constants for simple values. Ha Show quoted text On 2015/04/22 12:48:13, kzar wrote: > Shouldn't this be called VERIFICATION_CODE_REGEXP? I usually only use constants for simple values. Having a constant for a mutable instance of a complex object, initialized function call seems weird to me.
	36

	37 def generate_verification_code():

	38 return ''.join(random.sample(VERIFICATION_CODE_CHARS, 32))
	kzar 2015/04/22 12:21:54 If we're going to use a constant for the chars sho If we're going to use a constant for the chars shouldn't we use a constant for the length too? We can then use it in the regexp as well to ensure the code is the correct length. Sebastian Noack 2015/04/22 12:28:45 We don't need to check for the exact length when v Show quoted text On 2015/04/22 12:21:54, kzar wrote: > If we're going to use a constant for the chars shouldn't we use a constant for > the length too? We can then use it in the regexp as well to ensure the code is > the correct length. We don't need to check for the exact length when validation the verification code. We merely need to make sure that it can be safely joined to a dirname resulting into a valid filename in that directory. The case that the file doesn't exist must be handled anyway. Checking also for the length would just add unnecessary complexity, and makes it harder to change the length later. kzar 2015/04/22 12:48:13 Well using a constant for the length would mean th Show quoted text On 2015/04/22 12:28:45, Sebastian Noack wrote: > On 2015/04/22 12:21:54, kzar wrote: > > If we're going to use a constant for the chars shouldn't we use a constant for > > the length too? We can then use it in the regexp as well to ensure the code is > > the correct length. > > We don't need to check for the exact length when validation the verification > code. We merely need to make sure that it can be safely joined to a dirname > resulting into a valid filename in that directory. The case that the file > doesn't exist must be handled anyway. Checking also for the length would just > add unnecessary complexity, and makes it harder to change the length later. Well using a constant for the length would mean that it would not be harder to change later. The code would be more consistent too. We could call it VERIFICATION_CODE_LENGTH. Sebastian Noack 2015/04/22 13:09:49 I won't mind adding a constant, but I'm opposed to Show quoted text On 2015/04/22 12:48:13, kzar wrote: > On 2015/04/22 12:28:45, Sebastian Noack wrote: > > On 2015/04/22 12:21:54, kzar wrote: > > > If we're going to use a constant for the chars shouldn't we use a constant > for > > > the length too? We can then use it in the regexp as well to ensure the code > is > > > the correct length. > > > > We don't need to check for the exact length when validation the verification > > code. We merely need to make sure that it can be safely joined to a dirname > > resulting into a valid filename in that directory. The case that the file > > doesn't exist must be handled anyway. Checking also for the length would just > > add unnecessary complexity, and makes it harder to change the length later. > > Well using a constant for the length would mean that it would not be harder to > change later. The code would be more consistent too. We could call it > VERIFICATION_CODE_LENGTH. I won't mind adding a constant, but I'm opposed to using it in the regexp validating the verification code. However, if the value is only used once there isn't really a point of using a constant. Note that if we change that constant later all so far issued verification codes would become invalid, if the length is considered for validation. kzar 2015/04/22 13:31:34 Sure and if we change the character set constant a Show quoted text On 2015/04/22 13:09:49, Sebastian Noack wrote: > On 2015/04/22 12:48:13, kzar wrote: > > On 2015/04/22 12:28:45, Sebastian Noack wrote: > > > On 2015/04/22 12:21:54, kzar wrote: > > > > If we're going to use a constant for the chars shouldn't we use a constant > > for > > > > the length too? We can then use it in the regexp as well to ensure the > code > > is > > > > the correct length. > > > > > > We don't need to check for the exact length when validation the verification > > > code. We merely need to make sure that it can be safely joined to a dirname > > > resulting into a valid filename in that directory. The case that the file > > > doesn't exist must be handled anyway. Checking also for the length would > just > > > add unnecessary complexity, and makes it harder to change the length later. > > > > Well using a constant for the length would mean that it would not be harder to > > change later. The code would be more consistent too. We could call it > > VERIFICATION_CODE_LENGTH. > > I won't mind adding a constant, but I'm opposed to using it in the regexp > validating the verification code. However, if the value is only used once there > isn't really a point of using a constant. Note that if we change that constant > later all so far issued verification codes would become invalid, if the length > is considered for validation. Sure and if we change the character set constant all previously issued codes become invalid too... Sebastian Noack 2015/04/22 13:42:28 Yes (if some of the previous characters aren't inc Show quoted text On 2015/04/22 13:31:34, kzar wrote: > On 2015/04/22 13:09:49, Sebastian Noack wrote: > > On 2015/04/22 12:48:13, kzar wrote: > > > On 2015/04/22 12:28:45, Sebastian Noack wrote: > > > > On 2015/04/22 12:21:54, kzar wrote: > > > > > If we're going to use a constant for the chars shouldn't we use a > constant > > > for > > > > > the length too? We can then use it in the regexp as well to ensure the > > code > > > is > > > > > the correct length. > > > > > > > > We don't need to check for the exact length when validation the > verification > > > > code. We merely need to make sure that it can be safely joined to a > dirname > > > > resulting into a valid filename in that directory. The case that the file > > > > doesn't exist must be handled anyway. Checking also for the length would > > just > > > > add unnecessary complexity, and makes it harder to change the length > later. > > > > > > Well using a constant for the length would mean that it would not be harder > to > > > change later. The code would be more consistent too. We could call it > > > VERIFICATION_CODE_LENGTH. > > > > I won't mind adding a constant, but I'm opposed to using it in the regexp > > validating the verification code. However, if the value is only used once > there > > isn't really a point of using a constant. Note that if we change that constant > > later all so far issued verification codes would become invalid, if the length > > is considered for validation. > > Sure and if we change the character set constant all previously issued codes > become invalid too... Yes (if some of the previous characters aren't included anymore). However, we check for those characters because it's the simplest way to make sure that we'll get a legit path. Not doing that potentially causes issues. But checking for the length will just add complexity but won't have any effect on the result.
	39

	40 def get_filename_for_verification_code(config, verification_code):

	41 directory = config.get('submitEmail', 'pendingVerficationsDirectory')

	42 return os.path.join(directory, verification_code)

	43

	44 def create_file_for_verification_code(config):

	45 flags = os.O_CREAT \| os.O_EXCL \| os.O_WRONLY \| getattr(os, 'O_BINARY', 0)

	46

	47 while True:

	48 verification_code = generate_verification_code()

	49 filename = get_filename_for_verification_code(config, verification_code)

	50

	51 try:

	52 return (os.open(filename, flags), verification_code)

	53 except OSError as e:

	54 if e.errno != errno.EEXIST:

	55 raise

	56

	57 def verify_email_address(config, verification_code):

	58 if not verification_code_regexp.search(verification_code):

	59 return False

	60

	61 verification_filename = get_filename_for_verification_code(config, verificatio n_code)

	62 try:

	63 file = open(verification_filename, 'rb')

	64 except IOError as e:

	65 if e.errno == errno.ENOENT:

	66 return False

	67 raise

	68

	69 with file:

	70 email = file.read()

	71

	72 verified_filename = config.get('submitEmail', 'verifiedEmailAddressesFile')

	73 with open(verified_filename, 'ab', 0) as file:

	74 fcntl.lockf(file, fcntl.LOCK_EX)

	75 try:

	76 print >>file, email

	77 finally:

	78 fcntl.lockf(file, fcntl.LOCK_UN)

	79

	80 try:

	81 os.unlink(verification_filename)

	82 except OSError as e:

	83 if e.errno != errno.ENOENT:

	84 raise

	85

	86 return True

	87

	88 @url_handler('/submitEmail')

	89 @form_handler

	90 def submitEmail(environ, start_response, data):

	91 email = data.get('email', '').strip()

	92 if not email or '\r' in email or '\n' in email:
	Wladimir Palant 2015/04/22 14:46:58 If you don't want to verify email addresses, why a If you don't want to verify email addresses, why are you still checking for newlines then? We use r'^\w[\w.+!-]+@\w[\w.-]+\.[a-zA-Z]{2,6}$' to verify email addresses in formmail.py - that's very permissive and should be good enough here as well. Sebastian Noack 2015/04/23 14:29:34 I forbid newlines to .. 1. Prevent header injecti Show quoted text On 2015/04/22 14:46:58, Wladimir Palant wrote: > If you don't want to verify email addresses, why are you still checking for > newlines then? I forbid newlines to .. 1. Prevent header injection (however, I realized that the "mime" template filter does that as well) 2. The file of verified email addresses gets messed up if newlines are included, as the email addresses in there are separated by newline. Show quoted text > We use r'^\w[\w.+!-]+@\w[\w.-]+\.[a-zA-Z]{2,6}$' to verify email > addresses in formmail.py - that's very permissive and should be good enough here > as well. This regexp isn't permissive at all, just some examples of valid email addresses that don't match: x@exmaple.com foo~bar@example.com +foo@example.com -foo@example.com I've implemented a more reasonable validation approach now.
	93 start_response('400 Bad Request', [('Content-Type', 'text/plain')])

	94 if email:

	95 return ['No newlines allowed in email address.']

	96 return ['No email address given.']

	97

	98 config = get_config()

	99 fd, verification_code = create_file_for_verification_code(config)
	Wladimir Palant 2015/04/22 14:46:58 Storing pending email addresses is pointless: 1. Storing pending email addresses is pointless: 1. If they aren't confirmed then we shouldn't store them at all. 2. This file will grow in size continuously. Please add a secret key to the sitescripts.ini file. The verification code can then be generated as: hmac.new(secret, email).hexdigest() The verification URL should receive both the email address and this verification code - if they match we should add the email address to the list. Sebastian Noack 2015/04/23 14:29:34 I initially considered a similar approach, but fou Show quoted text On 2015/04/22 14:46:58, Wladimir Palant wrote: > Storing pending email addresses is pointless: > > 1. If they aren't confirmed then we shouldn't store them at all. > 2. This file will grow in size continuously. > > Please add a secret key to the sitescripts.ini file. The verification code can > then be generated as: > > hmac.new(secret, email).hexdigest() > > The verification URL should receive both the email address and this verification > code - if they match we should add the email address to the list. I initially considered a similar approach, but found it more straight-forward to use random verification codes instead involving a secrect key (that can be leaked) and crypto functions (that can be broke). And it keeps the link short, as from my experience with generated emails, some mail clients out there tend to break long links. But on the other hand, not storing unverified email addresses simplifies the logic here quite a lot, and is a little more privacy friendly. So fair enough.
	100 try:

	101 os.write(fd, email.encode('utf-8'))

	102 finally:

	103 os.close(fd)

	104

	105 sendMail(

	106 config.get('submitEmail', 'verificationEmailTemplate'),

	107 {

	108 'recipient': email,

	109 'verification_url': '%s?%s' % (

	110 urljoin(wsgiref.util.application_uri(environ), VERIFICATION_PATH),

	111 urlencode([(VERIFICATION_CODE_PARAM, verification_code)])

	112 )

	113 }

	114 )

	115

	116 start_response('200 OK', [('Content-Type', 'text/plain')])

	117 return ["Thanks for your submission! You'll receive a verification email short ly."]

	118

	119 @url_handler(VERIFICATION_PATH)

	120 def verifyEmail(environ, start_response):

	121 config = get_config()

	122

	123 params = parse_qs(environ.get('QUERY_STRING', ''))

	124 verification_code = params.get(VERIFICATION_CODE_PARAM, [''])[0]

	125

	126 if verify_email_address(config, verification_code):

	127 option = 'successfulVerificationRedirectLocation'

	128 else:

	129 option = 'unknownVerificationCodeRedirectLocation'

	130

	131 start_response('303 See other', [('Location', config.get('submitEmail', option ))])
	Wladimir Palant 2015/04/22 14:46:58 I see that you studied HTTP response codes in much I see that you studied HTTP response codes in much detail but 302 Found please - KISS. A 303 response is really not appropriate in this situation. Sebastian Noack 2015/04/23 14:29:34 Well, 302 is implemented inconsistently across bro Show quoted text On 2015/04/22 14:46:58, Wladimir Palant wrote: > I see that you studied HTTP response codes in much detail but 302 Found please - > KISS. A 303 response is really not appropriate in this situation. Well, 302 is implemented inconsistently across browsers, and seems to be superseded by 303 and 307 in HTTP 1.1. When searching the web for HTTP redirect status codes it seems to be generally advised to use 303 in this case.
	132 return []

OLD	NEW

« sitescripts/submitEmail/template/verification.mail ('K') | « sitescripts/submitEmail/web/__init__.py ('k') | sitescripts/web.py » ('j') | no next file with comments »