def login(req, **params): """ New login attempt. Clean out old session if present, and create new one. """ sess = Session(req) if not sess.is_new(): sess.delete() sess = Session(req) if not sess.is_new(): req.status = apache.HTTP_BAD_REQUEST return 'failed to create new session' if 'u' not in params or 'p' not in params: req.status = apache.HTTP_BAD_REQUEST return 'some parameters were not provided' ret = dict() if params['u'] != 'einstein' or params['p'] != 'fuckbin': ret['success'] = False ret['error'] = 'bad username or password' # note: session is not saved! else: ret['success'] = True # keep some stuff in session... sess['username'] = params['u'] sess['user_id'] = 1 sess.set_timeout(60 * 60 * 24 * 365 * 10) # 10 year sess.save() # grab the user's cookie, and save the seen leaks into the database seen_ranges = urllib.unquote(Cookie.get_cookie(req, '__CJ_seen').value) seen_ranges = json.loads(seen_ranges) values = [[sess['user_id'], i] for seen_range in seen_ranges for i in range(seen_range['start'], seen_range['end'] + 1)] db = Database.get() c = db.cursor() c.executemany( """ replace into user_seen (user_id, leak_id) values (%s, %s) """, values) db.commit() c.close() req.content_type = 'application/json' return json.dumps(ret, ensure_ascii=False)
def seen(req, **params): """ Return all leak id that this user has seen. """ sess = Session(req) if sess.is_new(): req.status = apache.HTTP_BAD_REQUEST return 'not logged in' db = Database.get() c = db.cursor() q = """ select us.leak_id from user_seen us where us.user_id = {user_id} """.format(user_id=sess['user_id']) c.execute(q) r = c.fetchall() c.close() # reformat the list... r = [e[0] for e in r] req.content_type = 'application/json' return json.dumps(dict(items=r), ensure_ascii=False)
def index(req): session = Session(req, lock=False) # output directory for uploaded files used in _upload_limit.py session.lock() session['outdir'] = outdir session.save() session.unlock() return psp.PSP(req, 'test.html', vars={})
def clear(req, **params): """ Obliterate the session. """ sess = Session(req) if not sess.is_new(): sess.invalidate() req.content_type = 'application/json' return json.dumps(dict(success=True), ensure_ascii=False)
def get(req, **params): """ Return logged-in username. """ sess = Session(req) if sess.is_new(): req.content_type = 'application/json' return 'null' ret = dict() ret['created'] = sess.created() ret['user_id'] = sess['user_id'] ret['username'] = sess['username'] req.content_type = 'application/json' return json.dumps(ret, ensure_ascii=False)
def fixuphandler(req): if req.method == 'POST': length = req.headers_in.get('Content-Length') if length is None: req.status = apache.HTTP_LENGTH_REQUIRED req.write("{ 'code': 5, 'desc': 'content length required' }") return apache.DONE elif int(length) > UPLOAD_LIMIT: req.status = apache.HTTP_REQUEST_ENTITY_TOO_LARGE req.write("{ 'code': 4, 'desc': 'upload maximum size exceeded' }") return apache.DONE elif req.uri.startswith('/upload_file'): # parse arguments args = dict( [part.split('=') for part in (req.args or "").split('&')]) filename = "" if args.get('id'): filename = urllib.unquote(os.path.split(args['id'])[1]) if filename == "": req.write("{ 'code': 3, 'desc': 'id not supplied' }") return apache.DONE if not hasattr(req, "session"): req.session = Session(req, lock=False) session = req.session session.lock() if filename in os.listdir(session['outdir']): session.unlock() req.write("{ 'code': 1, 'desc': 'already exist' }") return apache.DONE session['temp_name_' + filename] = os.path.join( session['outdir'], filename) session['temp_size_' + filename] = int(length) session.save() file_factory = StorageFactory(session['outdir']) session.unlock() util.FieldStorage(req, keep_blank_values=False, file_callback=file_factory.create) return apache.OK
def index(req, **params): """ List recent leaks. Limit of 300 leaks shown. parameters: - after: show leaks after this timestamp - period: show leaks that occured within this period (today, week, month) """ limit = '' if 'after' in params: if not params['after'].isdigit(): req.status = apache.HTTP_BAD_REQUEST return '"after" param is not digits' leak_id = int(params['after']) where = 'l.leak_id >= %u' % leak_id elif 'before' in params: if not params['after'].isdigit(): req.status = apache.HTTP_BAD_REQUEST return '"before" param is not digits' leak_id = int(params['after']) where = 'l.leak_id <= %u' % leak_id limit = 'limit 10' elif 'period' in params: if params['period'] == 'initial': # By default, load today's leaks, otherwise load the last 300 leaks from whenever... where = 'DATE(FROM_UNIXTIME(l.date)) = DATE(SYSDATE())' else: req.status = apache.HTTP_BAD_REQUEST return '"period" param has unknown value' else: req.status = apache.HTTP_BAD_REQUEST return 'bad request' sess = Session(req) if sess.is_new(): seen = 'false' else: seen = '(select true from user_seen us where us.user_id = {user_id} and us.leak_id = l.leak_id)'.format( user_id=sess['user_id'], ) db = Database.get() c = db.cursor() q = """ select l.leak_id, ({seen}) as seen, l.date, l.comment, l.reason, l.source from leaks l where {where} and l.isparsed = 1 order by leak_id {limit} """.format(seen=seen, where=where, limit=limit) c.execute(q) r = list(c.fetchall()) if len(r) == 0 and 'period' in params and params['period'] == 'initial': # last chance to get some latest entry... c.execute(""" select l.leak_id, ({seen}) as seen, l.date, l.comment, l.reason, l.source from leaks l where l.isparsed = 1 order by leak_id desc limit 200 """.format(seen=seen, where=where, limit=limit)) r = list(c.fetchall()) r.reverse() if len(r) > 0: leak_ids = [str(e[0]) for e in r] c.execute(""" select leak_id, name, value from leak_metadata where leak_id in ({ids}) """.format(ids=','.join(leak_ids))) metadata = c.fetchall() # append a dictionary at the end of every entry for i in range(len(r)): r[i] = list(r[i]) r[i].append({}) # insert metadata into dictionary for i in range(len(r)): for data in metadata: if data[0] != r[i][0]: continue r[i][-1][data[1]] = data[2] c.close() req.content_type = 'application/json' return json.dumps(dict(items=r), ensure_ascii=False)
def _wrapper(req, *args, **kwargs): if not hasattr(req, "session"): req.session = Session(req, lock=False) return f(req, *args, **kwargs)