2.9.3

CHANGELOG

@@ -1,8 +1,9 @@
-## 2.9.1
+## 2.9.1 - 2.9.3
 
 - jquery 1.11
 - codemirror 3.21, thanks Paolo Valleri
-- fixed a security issue with sessions in database
+- fixed security issue with sessions in database, thanks Nathan Humphreys
+- fixed security issue with persistant data in session, thanks Kiran
 - fixed security issue with redirect after expired login, thanks André Kablu
 - cleaner DAL and rname integration, thanks niphlod and Michele
 - added mongodb and imap tests for dal, thanks Alan

Makefile

@@ -30,7 +30,7 @@ update:
 	echo "remember that pymysql was tweaked"
 src:
 	### Use semantic versioning
-	echo 'Version 2.9.2-stable+timestamp.'`date +%Y.%m.%d.%H.%M.%S` > VERSION
+	echo 'Version 2.9.3-stable+timestamp.'`date +%Y.%m.%d.%H.%M.%S` > VERSION
 	### rm -f all junk files
 	make clean
 	### clean up baisc apps

VERSION

@@ -1 +1 @@
-Version 2.9.2-stable+timestamp.2014.03.02.17.46.39
+Version 2.9.3-stable+timestamp.2014.03.03.08.49.54

applications/admin/static/js/web2py.js

@@ -75,8 +75,8 @@
        * this over and over... all will be bound to the document
        */
       /*adds btn class to buttons*/
-      $('button', target).addClass('btn').addClass('btn-default');
-      $('form input[type="submit"], form input[type="button"]', target).addClass('btn').addClass('btn-default');
+      $('button', target).addClass('btn');
+      $('form input[type="submit"], form input[type="button"]', target).addClass('btn');
       /* javascript for PasswordWidget*/
       $('input[type=password][data-w2p_entropy]', target).each(function () {
         web2py.validate_entropy($(this));

applications/examples/static/js/web2py.js

@@ -75,8 +75,8 @@
        * this over and over... all will be bound to the document
        */
       /*adds btn class to buttons*/
-      $('button', target).addClass('btn').addClass('btn-default');
-      $('form input[type="submit"], form input[type="button"]', target).addClass('btn').addClass('btn-default');
+      $('button', target).addClass('btn');
+      $('form input[type="submit"], form input[type="button"]', target).addClass('btn');
       /* javascript for PasswordWidget*/
       $('input[type=password][data-w2p_entropy]', target).each(function () {
         web2py.validate_entropy($(this));

applications/welcome/views/default/index.html

@@ -1,50 +1,35 @@
-{{left_sidebar_enabled,right_sidebar_enabled=False,('message' in globals())}}
-{{extend 'layout.html'}}
-
-{{block head}}
-<style>
-#w2padmin-btn {margin:30px 0 30px 0;}
-</style>
-{{end head}}
-
-{{if 'message' in globals():}}
-<h2>{{=message}}</h2>
-<p class="lead">{{=T('How did you get here?')}}</p>
-<ol>
-    <li>{{=T('You are successfully running web2py')}}</li>
-    <li>{{=XML(T('You visited the url %s', A(request.env.path_info,_href=request.env.path_info)))}}</li>
-    <li>{{=XML(T('Which called the function %s located in the file %s',
-            (A(request.function+'()',_href='#'),
-                A('web2py/applications/%(application)s/controllers/%(controller)s.py'%request,
-                    _href=URL('admin','default','peek', args=(request.application,'controllers',request.controller+'.py'))))))}}</li>
-    <li>{{=XML(T('The output of the file is a dictionary that was rendered by the view %s',
-            A('web2py/applications/%(application)s/views/%(controller)s/index.html'%request,
-                _href=URL('admin','default','peek',args=(request.application,'views',request.controller,'index.html')))))}}</li>
-    <li>{{=T('You can modify this application and adapt it to your needs')}}</li>
-</ol>
-{{elif 'content' in globals():}}
-{{=content}}
-{{else:}}
-{{=BEAUTIFY(response._vars)}}
-{{pass}}
-
-{{block right_sidebar}}
-<button id="w2padmin-btn" class="btn btn-primary btn-lg btn-block">
-    <i class="glyphicon glyphicon-cog"></i> {{=T("Administrative Interface")}}</button>
-<div class="panel panel-info">
-    <div class="panel-heading">{{=T("Don't know what to do?")}}</div>
-    <ul class="list-group">
-      <li class="list-group-item">{{=A(T("Online examples"), _href=URL('examples','default','index'))}}</li>
-      <li class="list-group-item"><a href="http://web2py.com">web2py.com</a></li>
-      <li class="list-group-item"><a href="http://web2py.com/book">{{=T('Documentation')}}</a></li>
-    </ul>
-</div>
-{{end}}
-
-{{block page_js}}
-<script>
-    $('#w2padmin-btn').click(function() {
-       window.location = "{{=URL('admin','default','index')}}";
-    });
-</script>
-{{end}}
+{{left_sidebar_enabled,right_sidebar_enabled=False,('message' in globals())}}
+{{extend 'layout.html'}}
+
+{{if 'message' in globals():}}
+<h3>{{=message}}</h3>
+
+<h4>{{=T('How did you get here?')}}</h4>
+<ol>
+  <li>{{=T('You are successfully running web2py')}}</li>
+  <li>{{=XML(T('You visited the url %s', A(request.env.path_info,_href=request.env.path_info)))}}</li>
+  <li>{{=XML(T('Which called the function %s located in the file %s',
+             (A(request.function+'()',_href='#'),
+              A('web2py/applications/%(application)s/controllers/%(controller)s.py'%request,
+               _href=URL('admin','default','peek', args=(request.application,'controllers',request.controller+'.py'))))))}}</li>
+  <li>{{=XML(T('The output of the file is a dictionary that was rendered by the view %s',
+           A('web2py/applications/%(application)s/views/%(controller)s/index.html'%request,
+           _href=URL('admin','default','peek',args=(request.application,'views',request.controller,'index.html')))))}}</li>
+  <li>{{=T('You can modify this application and adapt it to your needs')}}</li>
+</ol>
+{{elif 'content' in globals():}}
+{{=content}}
+{{else:}}
+{{=BEAUTIFY(response._vars)}}
+{{pass}}
+
+{{block right_sidebar}}
+{{=A(T("Administrative Interface"), _href=URL('admin','default','index'), _class='btn',
+     _style='margin-top: 1em;')}}
+<h6>{{=T("Don't know what to do?")}}</h6>
+<ul>
+  <li>{{=A(T("Online examples"), _href=URL('examples','default','index'))}}</li>
+  <li><a href="http://web2py.com">web2py.com</a></li>
+  <li><a href="http://web2py.com/book">{{=T('Documentation')}}</a></li>
+</ul>
+{{end}}

gluon/globals.py

@@ -887,6 +887,7 @@ class Session(Storage):
                         # Unpickle the data
                         session_data = cPickle.loads(row.session_data)
                         self.update(session_data)
+                        response.session_new = False
                     else:
                         record_id = None
                 if record_id:

gluon/tools.py

@@ -1153,16 +1153,27 @@ class Auth(object):
         self.user_groups = auth and auth.user_groups or {}
         if secure:
             request.requires_https()
-        if auth and auth.last_visit and auth.last_visit + \
-                datetime.timedelta(days=0, seconds=auth.expiration) > request.now:
-            self.user = auth.user
-            # this is a trick to speed up sessions
-            if (request.now - auth.last_visit).seconds > (auth.expiration / 10):
-                auth.last_visit = request.now
+        now = request.now        
+        # if we have auth info
+        #    if not expired it, used it
+        #    if expired, clear the session
+        # else, only clear auth info in the session
+        if auth:
+            delta = datetime.timedelta(days=0, seconds=auth.expiration)
+            if auth.last_visit and auth.last_visit + delta > now:
+                self.user = auth.user
+                # this is a trick to speed up sessions to avoid many writes
+                if (now - auth.last_visit).seconds > (auth.expiration / 10):
+                    auth.last_visit = request.now
+            else:
+                self.user = None
+                if session.auth:
+                    del session.auth
+                session.renew(clear_session=True)                
         else:
             self.user = None
             if session.auth:
-                del session.auth
+                del session.auth            
         # ## what happens after login?
 
         url_index = URL(controller, 'index')