The oauth_* form field whitelisting was added to let launchpadlib tests pass (launchpadlib/docs/browser.txt, in particular). All of the launchpadlib tests pass if I remove the oauth_* whitelisting, whitelist /+request-token and /+access-token, and teach launchpadlib's test browser to send a Referer when it's forging +authorize-token requests. Since those two views are safe, it would appear to close all except the /api hole.
So something like this:
+ if (IWebServiceClientRequest.providedBy(request) or
+ not IBrowserRequest.providedBy(request) or
+ request['PATH_INFO'] in ('/+storeblob', '/+request-token',
+ '/+access-token')):
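Review bot: the first disjunct, IWebServiceClientRequest.providedBy(request), exempts every webservice request from the Referer check regardless of how it was authenticated, so the cookie-authenticated /api case this comment says is still open remains exempted by this condition; the exemption should be narrowed to OAuth-authenticated webservice requests once those can be told apart from cookie-authenticated ones. The PATH_INFO whitelist itself is an exact match against three token-issuing views, which is the conservative direction.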
Plus adding "'Referer': self.web_root" to the headers dict in both methods of launchpadlib.credentials.SimulatedLaunchpadBrowser.
Then we just need to work out how to distinguish OAuth-authenticated webservice requests from cookie-authenticated ones.
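As an added illustration (not Launchpad's or launchpadlib's code), the exemption logic proposed above combined with the Referer origin check it feeds into; the request attributes and WEB_ROOT are constructed stand-ins for the interface checks and self.web_root, and the final case exercised in the checks is the cookie-authenticated webservice request the comment says still needs distinguishing.

```python
from urllib.parse import urlsplit


class FakeRequest:
    """Constructed stand-in for a Zope request; the two flags replace
    IBrowserRequest / IWebServiceClientRequest.providedBy(request)."""

    def __init__(self, path, headers=None, is_browser=True, is_webservice=False):
        self.path = path                     # stands in for request['PATH_INFO']
        self.headers = headers or {}
        self.is_browser = is_browser
        self.is_webservice = is_webservice


WEB_ROOT = "https://launchpad.example/"      # constructed; stands in for self.web_root

# Views exempt from the Referer check: they only issue OAuth tokens and,
# per the comment, are safe without it.
REFERER_EXEMPT_PATHS = ("/+storeblob", "/+request-token", "/+access-token")


def referer_check_applies(request):
    """Mirror of the proposed condition: False means the request is exempt.
    Note that *any* webservice request is exempt, including cookie-authenticated
    ones, which is the /api gap the comment leaves open."""
    if request.is_webservice or not request.is_browser:
        return False
    return request.path not in REFERER_EXEMPT_PATHS


def referer_is_trusted(request, web_root=WEB_ROOT):
    """Accept only a Referer whose scheme and host match web_root;
    a missing Referer is rejected, not treated as same-origin."""
    referer = request.headers.get("Referer")
    if not referer:
        return False
    ref, root = urlsplit(referer), urlsplit(web_root)
    return (ref.scheme, ref.netloc) == (root.scheme, root.netloc)


def accept_form_post(request):
    """Decision for one form POST: exempt paths/requests pass, everything
    else must carry a Referer from our own web root."""
    if not referer_check_applies(request):
        return True
    return referer_is_trusted(request)
```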