authorGalen Charlton <gmc@esilibrary.com>2014-04-20 14:54:25 +0000
committerGalen Charlton <gmc@esilibrary.com>2014-04-20 14:54:31 +0000
commit650fce32ac875737acbd3ce07b2aa06b2769e53f (patch)
tree671e8e3d8c1c1832808568fb7d925b5f0ab9974f
parent88272fce5014f5f55a7655c8281e47a4e8c4f7c2 (diff)
teach git-bz how to deal with BZ's CSRF protection
This is pretty hackish; it may be time to see if we can do what we need using BZ's official web services. Signed-off-by: Galen Charlton <gmc@esilibrary.com>
-rwxr-xr-xgit-bz23
1 files changed, 22 insertions, 1 deletions
diff --git a/git-bz b/git-bz
index f711fc7..de76437 100755
--- a/git-bz
+++ b/git-bz
@@ -923,8 +923,29 @@ class BugServer(object):
def get_cookie_string(self):
if self.cookiestring == '':
if self.bz_user and self.bz_password:
+ # get a login request cookie
connection = get_connection(self.host, self.https)
- connection.request("POST", self.path + "/index.cgi", urllib.urlencode({'Bugzilla_login':self.bz_user,'Bugzilla_password':self.bz_password}))
+ connection.request("GET", self.path + "/index.cgi")
+ res = connection.getresponse()
+ headers = dict({})
+ login_request_cookie = res.getheader('set-cookie')
+ headers['Cookie'] = login_request_cookie
+ connection.close()
+
+ # request again with the login request cookie, which in turns
+ # gets a login token set in the response
+ connection = get_connection(self.host, self.https)
+ connection.request("GET", self.path + "/index.cgi", '', headers)
+ res = connection.getresponse()
+ match = re.search(r'name="Bugzilla_login_token"[\s]+value="([^"]*)', res.read())
+ login_token = match.group(1)
+ headers = dict({})
+ headers['Cookie'] = login_request_cookie
+ headers['User-Agent'] = "git-bz"
+
+ # now that we have both token and login request cookie
+ # authentication should now work
+ connection.request("POST", self.path + "/index.cgi", urllib.urlencode({'Bugzilla_login':self.bz_user,'Bugzilla_password':self.bz_password,'Bugzilla_login_token':login_token}), headers)
res = connection.getresponse()
self.cookiestring = res.getheader('set-cookie')
connection.close()
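Review bot: `match.group(1)` runs without checking that `re.search` found anything, so a login page that lacks a `Bugzilla_login_token` field (an older Bugzilla, an error page, or markup with the attributes in another order) ends in an AttributeError traceback instead of a usable message. Guard it, e.g. `if match is None: raise RuntimeError("Bugzilla_login_token not found in login page")`, or fall back to posting without the token if servers that predate the token must keep working. The same applies to `res.getheader('set-cookie')` in the first request: it can return None, and the value is then forwarded as the `Cookie` header unchecked, attributes included. get_cookie_string continues past the end of the hunk.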