2 changed files with
13 additions and
2 deletions
doc/MANUAL.md
src/webapp.py
@ -1305,7 +1305,7 @@ There are a few security issues to take into consideration when deploying Script
"Invocations" chapter.
- Scriptform logs the invocation of scripts and variables to the log file for
auditing purposes.
auditing purposes. Password values are censored.
- Although Scriptform is written to be secure, it not meant to be served to
the public internet. **You should only use it in controlled environments
@ -9,6 +9,7 @@ import tempfile
import os
import base64
import hashlib
import copy
from formrender import FormRender
from webserver import HTTPError , RequestHandler
@ -158,6 +159,16 @@ HTML_SUBMIT_RESPONSE = u'''
{ footer }
'''
def censor_form_values ( form_def , form_values ) :
"""
Remove sensitive field values from form_values dict .
"""
censored_form_values = copy . copy ( form_values )
for field in form_def . fields :
if field [ ' type ' ] == ' password ' :
censored_form_values [ field [ ' name ' ] ] = ' ******** '
return censored_form_values
class ScriptFormWebApp ( RequestHandler ) :
"""
@ -421,7 +432,7 @@ class ScriptFormWebApp(RequestHandler):
log . info ( " Calling script: %s " , form_def . script )
log . info ( " Current working dir: %s " , cwd )
log . info ( " User: %s " , username )
log . info ( " Variables: %s " , dict ( form_values . items ( ) ) )
log . info ( " Variables: %s " , censor_form_values ( form_def , form_values ) )
form_def = form_config . get_form_def ( form_name )
result = runscript . run_script ( form_def , form_values , self . wfile ,
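Review bot: In `censor_form_values` the mask is written for every password field in `form_def.fields`, whether or not it was submitted, so the audit log shows a `'********'` entry even when that field is absent from `form_values`; guarding with `if field['type'] == 'password' and field['name'] in censored_form_values:` keeps the log faithful to the request. The old log line built `dict(form_values.items())`, which suggests `form_values` may not be a plain dict; `copy.copy` keeps that type, so starting from `censored_form_values = dict(form_values.items())` would preserve the previous log format and make the new `import copy` unnecessary. Masking is keyed on the field type alone, so a secret entered in a non-password field (a token in a text field, for example) is still logged in clear, and the docstring should say so. The `run_script` call continues past the end of the hunk, so whether the raw values are logged again further down cannot be checked from here.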