Index: sitescripts/submitEmail/web/submitEmail.py |
=================================================================== |
new file mode 100644 |
--- /dev/null |
+++ b/sitescripts/submitEmail/web/submitEmail.py |
@@ -0,0 +1,132 @@ |
+# coding: utf-8 |
+ |
+# This file is part of the Adblock Plus web scripts, |
+# Copyright (C) 2006-2015 Eyeo GmbH |
+# |
+# Adblock Plus is free software: you can redistribute it and/or modify |
+# it under the terms of the GNU General Public License version 3 as |
+# published by the Free Software Foundation. |
+# |
+# Adblock Plus is distributed in the hope that it will be useful, |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
+# GNU General Public License for more details. |
+# |
+# You should have received a copy of the GNU General Public License |
+# along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>. |
+ |
+import os |
+import re |
+import errno |
+import fcntl |
+import random |
+import string |
+import wsgiref.util |
+from urlparse import parse_qs, urljoin |
+from urllib import urlencode |
+ |
+from sitescripts.utils import get_config, sendMail |
+from sitescripts.web import url_handler, form_handler |
+ |
+VERIFICATION_PATH = '/verifyEmail' |
+VERIFICATION_CODE_PARAM = 'code' |
+VERIFICATION_CODE_CHARS = string.letters + string.digits |
+ |
+verification_code_regexp = re.compile(r'^[%s]+$' % re.escape(VERIFICATION_CODE_CHARS)) |
kzar
2015/04/22 12:48:13
Shouldn't this be called VERIFICATION_CODE_REGEXP?
Sebastian Noack
2015/04/22 13:09:49
I usually only use constants for simple values. Ha
|
+ |
+def generate_verification_code(): |
+ return ''.join(random.sample(VERIFICATION_CODE_CHARS, 32)) |
kzar
2015/04/22 12:21:54
If we're going to use a constant for the chars sho
Sebastian Noack
2015/04/22 12:28:45
We don't need to check for the exact length when v
kzar
2015/04/22 12:48:13
Well using a constant for the length would mean th
Sebastian Noack
2015/04/22 13:09:49
I won't mind adding a constant, but I'm opposed to
kzar
2015/04/22 13:31:34
Sure and if we change the character set constant a
Sebastian Noack
2015/04/22 13:42:28
Yes (if some of the previous characters aren't inc
|
+ |
+def get_filename_for_verification_code(config, verification_code): |
+ directory = config.get('submitEmail', 'pendingVerficationsDirectory') |
+ return os.path.join(directory, verification_code) |
+ |
+def create_file_for_verification_code(config): |
+ flags = os.O_CREAT | os.O_EXCL | os.O_WRONLY | getattr(os, 'O_BINARY', 0) |
+ |
+ while True: |
+ verification_code = generate_verification_code() |
+ filename = get_filename_for_verification_code(config, verification_code) |
+ |
+ try: |
+ return (os.open(filename, flags), verification_code) |
+ except OSError as e: |
+ if e.errno != errno.EEXIST: |
+ raise |
+ |
+def verify_email_address(config, verification_code): |
+ if not verification_code_regexp.search(verification_code): |
+ return False |
+ |
+ verification_filename = get_filename_for_verification_code(config, verification_code) |
+ try: |
+ file = open(verification_filename, 'rb') |
+ except IOError as e: |
+ if e.errno == errno.ENOENT: |
+ return False |
+ raise |
+ |
+ with file: |
+ email = file.read() |
+ |
+ verified_filename = config.get('submitEmail', 'verifiedEmailAddressesFile') |
+ with open(verified_filename, 'ab', 0) as file: |
+ fcntl.lockf(file, fcntl.LOCK_EX) |
+ try: |
+ print >>file, email |
+ finally: |
+ fcntl.lockf(file, fcntl.LOCK_UN) |
+ |
+ try: |
+ os.unlink(verification_filename) |
+ except OSError as e: |
+ if e.errno != errno.ENOENT: |
+ raise |
+ |
+ return True |
+ |
+@url_handler('/submitEmail') |
+@form_handler |
+def submitEmail(environ, start_response, data): |
+ email = data.get('email', '').strip() |
+ if not email or '\r' in email or '\n' in email: |
Wladimir Palant
2015/04/22 14:46:58
If you don't want to verify email addresses, why a
Sebastian Noack
2015/04/23 14:29:34
I forbid newlines to ..
1. Prevent header injecti
|
+ start_response('400 Bad Request', [('Content-Type', 'text/plain')]) |
+ if email: |
+ return ['No newlines allowed in email address.'] |
+ return ['No email address given.'] |
+ |
+ config = get_config() |
+ fd, verification_code = create_file_for_verification_code(config) |
Wladimir Palant
2015/04/22 14:46:58
Storing pending email addresses is pointless:
1.
Sebastian Noack
2015/04/23 14:29:34
I initially considered a similar approach, but fou
|
+ try: |
+ os.write(fd, email.encode('utf-8')) |
+ finally: |
+ os.close(fd) |
+ |
+ sendMail( |
+ config.get('submitEmail', 'verificationEmailTemplate'), |
+ { |
+ 'recipient': email, |
+ 'verification_url': '%s?%s' % ( |
+ urljoin(wsgiref.util.application_uri(environ), VERIFICATION_PATH), |
+ urlencode([(VERIFICATION_CODE_PARAM, verification_code)]) |
+ ) |
+ } |
+ ) |
+ |
+ start_response('200 OK', [('Content-Type', 'text/plain')]) |
+ return ["Thanks for your submission! You'll receive a verification email shortly."] |
+ |
+@url_handler(VERIFICATION_PATH) |
+def verifyEmail(environ, start_response): |
+ config = get_config() |
+ |
+ params = parse_qs(environ.get('QUERY_STRING', '')) |
+ verification_code = params.get(VERIFICATION_CODE_PARAM, [''])[0] |
+ |
+ if verify_email_address(config, verification_code): |
+ option = 'successfulVerificationRedirectLocation' |
+ else: |
+ option = 'unknownVerificationCodeRedirectLocation' |
+ |
+ start_response('303 See other', [('Location', config.get('submitEmail', option))]) |
Wladimir Palant
2015/04/22 14:46:58
I see that you studied HTTP response codes in much
Sebastian Noack
2015/04/23 14:29:34
Well, 302 is implemented inconsistently across bro
|
+ return [] |