darcs

Issue 1220 wiki: can't login with curl

Title: wiki: can't login with curl
Priority: wishlist
Status: resolved
Milestone:
Resolved in:
Superseder:
Nosy List: darcs-devel, dmitry.kurochkin, kowey, thorkilnaur, twb
Assigned To:
Topics:

Created on 2008-11-11.05:00:37 by twb, last changed 2009-08-27.14:17:14 by admin.

Messages
msg6649 Author: twb Date: 2008-11-11.05:00:35
It appears that wiki.darcs.net currently does not allow anonymous
edits:

    $ editmoin http://wiki.darcs.net/index.html/TrentBuck
    You are not allowed to edit this page.
    error: body information not found

Therefore, I have created an account using w3m.  Instead of giving
editmoin my username and password and having *it* perform the login
step, I apparently have to give it a session cookie.

Therefore, I am attempting to log in with curl so as to generate a
session cookie.  Apart from the fact that I don't know how to extract
session cookies from w3m, this is useful because cookies expire daily
(which I approve of), and therefore I will need to re-create this
session cookie each time I use editmoin.

Where my password is stored (without a trailing newline) in
~/.darcs-wiki.secret,

    $ u=http://wiki.darcs.net/index.html/UserPreferences
    $ f=~/.darcs-wiki.secret
    $ curl $u -F name=TrentBuck -F password=@$f
    You are not allowed to access this!

It appears that wiki.darcs.net has blacklisted curl users.  Therefore,
I spoof User-Agent accordingly:

    $ a='W3C standards are important. Stop fucking obsessing over user-agent already.'
    $ curl $u -A "$a" -F name=TrentBuck -F password=@$f

This results in an HTML page that is *not* logged in.  You can render
it thusly:

    $ curl -s $u -A "$a" -F name=TrentBuck -F password=@$f |
    > w3m -dump -T text/html

msg6651 Author: twb Date: 2008-11-11.07:12:49
On Mon, Nov 10, 2008 at 06:00:35PM +0000, trentbuck@gmail.com wrote:
>     $ curl $u -A "$a" -F name=TrentBuck -F password=@$f

This works if I add -F login=Login.

It appears that because moinmoin (naughtily) displays multiple forms
on a single page, it kludgily checks the value of the submit button to
work out WHICH form it is responding to.

A complete script to extract the session ID is thus

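    #!/bin/sh -ev
    # Password file, read by curl so the password stays off the command line.
    f=~/.darcs-wiki.secret
    # -c - writes the cookie jar to stdout and -o /dev/null discards the page;
    # the last jar line is taken as the session cookie, whose value is field 7.
    curl -s -o /dev/null -c - \
         http://wiki.darcs.net/index.html \
         -A 'W3C standards are important. Stop fucking obsessing over user-agent already.' \
         -F login=Login -F name=TrentBuck -F password=@$f |
    sed -n \$p | cut -d"$(printf \\t)" -f7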

I will now attempt to implement this directly in editmoin, so that it
can just get a password from ~/.netrc like any other utility that
deals with pointless and insecure passwords.

See also: http://bugs.debian.org/505257
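
An added example, not part of the original messages or of editmoin: the script in msg6651 takes the last line of curl's cookie jar, which is only right while the session cookie happens to be written last. This sketch selects the cookie by name and exits non-zero when no unexpired cookie is present, as after a rejected login. The cookie name `WIKI_SESSION` and the sample jar are constructed; the real name depends on the MoinMoin version.

```shell
#!/bin/sh
# Added example: pick a named cookie out of a curl (Netscape-format) cookie jar.
# Each cookie line has 7 tab-separated fields:
#   domain  include-subdomains  path  secure  expiry  name  value
# curl marks HttpOnly cookies with a "#HttpOnly_" prefix, so not every line
# starting with "#" is a comment.

# cookie_value NAME [NOW] < jar
# Prints the value of the last unexpired cookie called NAME.
# Exits 1 if there is none (for example, the login was rejected).
cookie_value() {
    awk -F '\t' -v name="$1" -v now="${2:-$(date +%s)}" '
        { sub(/\r$/, "") }                        # tolerate CRLF jars
        /^#HttpOnly_/ { sub(/^#HttpOnly_/, "") }  # keep HttpOnly cookies
        /^#/ || NF != 7 { next }                  # comments, blank lines
        $6 != name { next }
        $5 != 0 && $5 < now { next }              # expiry 0 means session cookie
        { value = $7; found = 1 }
        END { if (!found) exit 1; print value }
    '
}

# Constructed sample jar (not captured from wiki.darcs.net).
# WIKI_SESSION is a hypothetical cookie name.
sample_jar() {
    printf '# Netscape HTTP Cookie File\n'
    printf 'wiki.example\tFALSE\t/\tFALSE\t1000\tWIKI_SESSION\tstale-value\n'
    printf '#HttpOnly_wiki.example\tFALSE\t/\tFALSE\t2000\tWIKI_SESSION\tfresh-value\n'
    printf 'wiki.example\tFALSE\t/\tFALSE\t0\tlang\ten\n'
}

# With the clock at 1500 the first cookie has expired and the second is valid.
sample_jar | cookie_value WIKI_SESSION 1500
```

In a real run the function would read the output of `curl ... -c -` in place of `sample_jar`, and the caller would check its exit status before handing the value to editmoin.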
History
Date                 User   Action  Args
2008-11-11 05:00:37  twb    create
2008-11-11 07:12:51  twb    set     status: unread -> resolved; nosy: kowey, dagit, simon, twb, thorkilnaur, dmitry.kurochkin; messages: + msg6651
2009-04-22 02:36:06  twb    set     priority: wishlist; nosy: kowey, dagit, simon, twb, thorkilnaur, dmitry.kurochkin
2009-08-10 23:51:20  admin  set     nosy: - dagit
2009-08-25 17:34:18  admin  set     nosy: + darcs-devel, - simon
2009-08-27 14:17:14  admin  set     nosy: kowey, darcs-devel, twb, thorkilnaur, dmitry.kurochkin