Beispiel #1
0
 def __load_cookie(self, cookies, cookie):
     
     key_name = cookie.replace("session__", "")
     key_value = cookies[cookie]
     
     # We need to get the signature off the value. I didn't know
     # what a good delimiter was so I chose '.'
     try:
         key_sig, key_value = key_value.split('.')
     except:
         self.__data[key_name] = ('', True)
         return
     
     # We hash after base64 encoding so we need to validate
     # before base64 decoding.
     our_sig = quick_hash(self.id, self.secret_key, key_value)
     
     if our_sig == key_sig:
         key_value = base64.b64decode(key_value)
         key_value = pickle.loads(key_value)
         self.__data[key_name] = (key_value, False)
     
     # else we assume that the cookie was an attack.
     # we will enter it's name into the dict but set it
     # to be deleted in the response.
     else:
         self.__data[key_name] = ('', True)
Beispiel #2
0
 def to_cookies(self):
     
     for key, (value, deleted) in self.__data.iteritems():
         
         morsel = Morsel()
         morsel.key = "session__%s" % key
         
         if not deleted:
             
             value = pickle.dumps(value)
             value = base64.b64encode(value)
             sig = quick_hash(self.id, self.secret_key, value)
             value = ".".join((sig, value))
             
         else:
             value = 'no-value'
             morsel['expires'] = -3600
             # Sets the cookie to expire in the past.
         
         
         morsel.coded_value = morsel.value = value
         
         # This optionally sets the cookie's timeout till
         # deletion.
         if 'timeout' in self.options:
             timeout = self.options['timeout']
             morsel['expires'] = timeout
             morsel['max-age'] = timeout
             
         morsel['path'] = '/'
         
         yield morsel
Beispiel #3
0
 def csrf_token(self):
     # This get's a csrf_token using available
     # data. The purpouse of this csrf token is to
     # ensure that any post data came from a page that
     # was loaded from this server.
     if not hasattr(self, "__csrf_token"):
         # if the request is a get request, we just
         # use the host that was requested by the 
         # user, since the netloc of host should
         # be the netloc of the referer or origin
         # headers of the post request.
         if self.is_get:
             origin = self.headers["Host"]
         # Else we just grab the netloc of the origin
         # or referer header.
         else:
             if "Origin" in self.headers:
                 origin = self.headers["Origin"]
             elif "Referer" in self.headers:
                 origin = self.headers["Referer"]
             else:
                 raise Server403Exception("Could not reliably determin origin")
         
             origin = urlparse(origin).netloc
             
         remote_addr = self.remote_addr
         secret_key = self.__secret_key
         
         # Create the csrf token by hashing the origin, the remote
         # address of the request and our secret key. This key will
         # then be compared to the "csrf_token" value in the post.
         # only if the form came from this domain, and was sent to
         # this remote host will the form validate. 
         self.__csrf_token = quick_hash(origin, remote_addr, secret_key)
         
     return self.__csrf_token