def get_session_id(self):
cookiestring = "\n".join(self.headers.get_all('Cookie',failobj=[]))
c = cookie()
c.load(cookiestring)
if 'session_id' in c:
return c['session_id'].value
return None
def _session_cookie(self, game_name,forcenew=False):
cookiestring = "\n".join(self.headers.get_all('Cookie',failobj=[]))
c = cookie()
c.load(cookiestring)
c['session_id']=int(uuid.uuid1().int)
self.sessioncookies[int(c['session_id'].value)] = game_name
self.boards[int(c['session_id'].value)] = [[0, 0, 0], [0, 0, 0], [0, 0, 0]]
return c['session_id'].value
def get_session_id(self):
cookiestring = "\n".join(self.headers.get_all('Cookie', failobj=[]))
c = cookie()
c.load(cookiestring)
if 'session_id' in c:
return c['session_id'].value
return None
def _session_cookie(self,forcenew=False):
cookiestring = "\n".join(self.headers.get_all('Cookie',failobj=[]))
c = cookie()
c.load(cookiestring)
try:
if forcenew or self.sessioncookies[c['session_id'].value]-time() > 3600:
raise ValueError('new cookie needed')
except:
c['session_id']=uuid().hex
for m in c:
if m=='session_id':
self.sessioncookies[c[m].value] = time()
c[m]["httponly"] = True
c[m]["max-age"] = 3600
c[m]["expires"] = self.date_time_string(time()+3600)
self.sessionidmorsel = c[m]
break
def _session_cookie(self, forcenew=False):
cookiestring = "\n".join(self.headers.get_all('Cookie',failobj=[]))
c = cookie()
c.load(cookiestring)
try:
if forcenew or time.time() - int(self.sessioncookies[c['session_id'].value]) > self.SESSION_MAX_AGE:
raise ValueError('new cookie needed')
except:
# 用uuid随机生成session id
c['session_id'] = uuid.uuid4().hex
for m in c:
if m == 'session_id':
c[m]["httponly"] = True
c[m]["max-age"] = self.SESSION_MAX_AGE
c[m]["expires"] = self.date_time_string(time.time() + self.SESSION_MAX_AGE)
self.sessioncookies[c[m].value] = time.time()
self.sessionidmorsel = c[m]
break
return c['session_id'].value
def _session_cookie(self, forcenew=False):
cookiestring = "\n".join(self.headers.get_all('Cookie', failobj=[]))
c = cookie()
c.load(cookiestring)
try:
if forcenew or time.time() - int(self.sessioncookies[
c['session_id'].value]) > self.SESSION_MAX_AGE:
raise ValueError('new cookie needed')
except:
# 用uuid随机生成session id
c['session_id'] = uuid.uuid4().hex
for m in c:
if m == 'session_id':
c[m]["httponly"] = True
c[m]["max-age"] = self.SESSION_MAX_AGE
c[m]["expires"] = self.date_time_string(time.time() +
self.SESSION_MAX_AGE)
self.sessioncookies[c[m].value] = time.time()
self.sessionidmorsel = c[m]
break
return c['session_id'].value
def _session_cookie(self, s, forcenew=False):
new_cookie = False
cookiestring = "\n".join(s.headers.get_all('Cookie', failobj=[]))
c = cookie()
c.load(cookiestring)
#clear old session_id's
self.sessioncookies = {
k: v
for k, v in self.sessioncookies.items()
if time.time() - v < SESSION_TIMEOUT
}
common = self.sessioncookies.keys() & self.userdata.keys()
self.userdata = {k: v for k, v in self.userdata.items() if k in common}
try:
if forcenew or time.time() - self.sessioncookies[
c['aog_session_id'].value] > SESSION_TIMEOUT:
raise ValueError('new cookie needed')
except:
new_cookie = True
c['aog_session_id'] = uuid.uuid4().hex
self.userdata[c['aog_session_id'].value] = {}
for m in c:
if m == 'aog_session_id':
self.sessioncookies[c[m].value] = time.time()
c[m]["httponly"] = True
c[m]["max-age"] = SESSION_TIMEOUT
c[m]["expires"] = s.date_time_string(time.time() +
SESSION_TIMEOUT)
self.sessionid = c[m].value
return (new_cookie, c[m])
return (new_cookie, None)
def do_ACTION(self, action, hostname=None):
vars_ = DAOObject()
if self.useSSL:
vars_.scheme = HTTPS
else:
vars_.scheme = HTTP
setattrs(vars_,
time=time.time(),
path=urlparse(self.path),
ipaddress=self.ipaddress,
browser="unknown",
country_code=self.country_code,
session_id=None,
device_id=None,
isajax=False,
language="en",
allowcompression=False)
self.transvars = DAOObject()
# process appvars
if (vars_.path.query != None) and (vars_.path.query != ""):
splititems_ = vars_.path.query.split("&")
if (len(splititems_) > 0):
for splititem_ in splititems_:
parts_ = splititem_.split("=")
if (len(parts_) > 1):
if (parts_[0] in ["format", "position", "pretty"]):
if (parts_[0] == "format"):
vars_.output = parts_[1]
elif (parts_[0] == "position"):
vars_.positionid = parts_[1]
elif (parts_[0] == "pretty"):
vars_.pretty = parts_[1]
else:
vars_.__setattr__(parts_[0], parts_[1])
try:
headerKeys_ = self.headers.keys()
for key_ in headerKeys_:
vars_.__setattr__(key_, self.headers.get(key_))
# If the service is not using SSL, then perform a HTTP redirect to the SSL side...
if (vars_.session_id == "null"):
vars_.session_id = None
if (vars_.device_id == None) or (vars_.device_id == "null"):
vars_.device_id = self.uniqueId
# check encoding allows for compression
if (vars_.AcceptEncoding != None):
encodingoptions_ = vars_.AcceptEncoding.split(",")
for option_ in encodingoptions_:
if option_[0:1:] == " ":
option_ = option_[1:].lower()
if "deflate" in option_:
vars_.allowcompression = True
# check some headers of course (page headers of course)
if (vars_.AcceptLanguage != None):
vars_.language = self.detectLocale(vars_.AcceptLanguage)
# recover session etc. information if available from cookie !!
if (vars_.session_id == None):
cookiestring_ = "\n".join(
self.headers.get_all('Cookie', failobj=[]))
cookiein_ = cookie()
cookiein_.load(cookiestring_)
for m_ in cookiein_:
if (m_ in COOKYMAP.keys()):
vars_.__setattr__(COOKYMAP[m_], cookiein_[m_].value)
# is this an ajax call?
if (vars_.http_x_requested_with
== AJAX_TOKEN) or (vars_.xrequestedwith == AJAX_TOKEN):
referer = vars_.referer
if (referer != None) and (self.CONFIG.CROSS_CHECK != None):
if (referer.lower().find(self.CONFIG.CROSS_CHECK)) != -1:
vars_.isajax = True
else:
self.log((
"Attempt to cross-script access from the service.. %s "
% referer))
self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED)
self.close_connection = 1
return
# check useragent for allowing access...
if (vars_.useragent != None):
vars_.useragent = vars_.useragent.lower()
for agent_ in AUTOBLOCK_USERAGENTS:
if (vars_.useragent.find(agent_) != -1):
self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED)
self.close_connection = 1
return
for agent_ in ALLOWED_USERAGENTS:
if (vars_.useragent.find(agent_) != -1):
vars_.browser = agent_
break
except Exception as inst:
self.logException(inst)
self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED)
self.close_connection = 1
return
routefound_ = None
if (action in [HTTP_ACTION_GATEWAY]):
if (vars_.contentlength != None):
length_ = int(vars_.contentlength)
if (length_ > 0):
postData_ = self.rfile.read(length_)
encoded_ = postData_.decode(UTF8)
dict_ = json.loads(encoded_)
if (dict_ != None) and ("actions" in dict_.keys()):
actionsFound_ = dict_["actions"]
if (len(actionsFound_) == 1):
gatewayAction_ = actionsFound_[0]
action_ = gatewayAction_["action"]
content_ = None
params_ = DAOObject(gatewayAction_["data"])
if ("content" in gatewayAction_.keys()):
content_ = gatewayAction_["content"]
routefound_ = self.CONTROLLERS.routes.match(
action_, HTTP_ACTION_GATEWAY)
if (routefound_ != None):
if (routefound_.vars_ == None):
routefound_.vars_ = {}
routefound_.vars_.update({
"params": params_,
"content": content_
})
else:
routefound_ = self.CONTROLLERS.routes.match(
vars_.path.path, action)
if (routefound_ == None):
self.log(("Route invalid - %s:%s" % (action, vars_.path.path)))
else:
permissionsreq_ = routefound_.auth # get extended information (like permissions and user info etc)
session_ = None # do session binding !!
if (not routefound_.tracksession):
vars_.session_id = NO_TRACK
session_ = self.SESSIONS.noTrackSession
if (permissionsreq_ != None):
self.log((
"cannot execute permission check on a non-authenticated connection"
), "warn")
self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED)
self.close_connection = 1
return
else:
if (vars_.session_id != None):
current_ = re.findall(SESSIONPARSER, vars_.session_id)
if (len(current_) > 0):
session_ = self.SESSIONS.sessionForId(vars_.session_id)
if (session_ == None):
vars_.session_id = None # reset session with a new one !
else:
self.log(
("Spoofing sessionid - %s" % (vars_.session_id)),
"session")
self.close_connection = 1
return
if (session_ != None) and (session_.id_session == None):
vars_.session_id = None
if (vars_.session_id == None):
session_ = self.SESSIONS.newSession(
self.ipaddress, vars_.language, vars_.browser,
vars_.useragent, self.country_code)
vars_.session_id = session_.id_session
if (session_.lang == None):
session_.lang = vars_.language
# Authenticate the connection (if not done already)
if (session_.username == None):
if (vars_.authorization != None):
success_, username_, permissions_ = self.AUTHENTICATION.check(
vars_.authorization)
if (success_):
session_.username = username_
session_.permissions = permissions_
else:
self.send_error(HTTP_FORBIDDEN,
RESPONSE_ACCESS_DENIED)
self.close_connection = 1
return
else:
if (self.CONFIG.REQUIRE_AUTH == 1):
if (self.CONFIG.PROMPT_AUTH == 1):
# use the browser default authentication process
if (vars_.authorization == None):
self.send_response(401)
self.send_header("WWW-Authenticate",
"Basic")
self.end_headers()
self.close_connection = 1
return
self.send_error(HTTP_FORBIDDEN,
RESPONSE_ACCESS_DENIED)
self.close_connection = 1
return
# check permission set...
if (permissionsreq_ != None):
success_ = False
if (session_.permissions != None):
for permissionreq_ in permissionsreq_:
if permissionreq_ in session_.permissions:
success_ = True
break
if (not success_):
self.log(
("Method not allowed (%s)" % (routefound_.function)))
self.send_error(HTTP_METHOD_NOT_ALLOWED,
RESPONSE_NO_PERMISSIONS)
self.close_connection = 1
return
# if the connection is invalid return state 400
if (session_ != None):
controller_ = None
postData_ = None
contentout_ = None
response_ = None
function_ = None
format_ = None
exitcode_ = HTTP_OK
length_ = 0
try:
# ignore postdata if the request is a get/delete etc...
if ((routefound_ != None)
and (routefound_.controller != None)):
if (action not in [
HTTP_ACTION_GET, HTTP_ACTION_DELETE,
HTTP_ACTION_GATEWAY
]):
if (vars_.contentlength != None):
length_ = int(vars_.contentlength)
if (length_ > 0):
if (vars_.allowcompression):
rawData_ = self.rfile.read(length_)
postData_ = zlib.decompress(rawData_)
else:
postData_ = self.rfile.read(length_)
module_ = self.CONTROLLERS.controllerForId(
routefound_.controller)
if (module_ != None):
class_ = getattr(module_, routefound_.controller)
controller_ = class_(self, session_,
vars_.path.query,
vars_.isajax)
if (routefound_.function):
function_ = getattr(controller_,
routefound_.function)
# no data to post !
if (function_ != None):
if (routefound_.vars != None) and (len(
routefound_.vars) > 0):
response_ = function_(postData_, vars_,
**routefound_.vars)
else:
response_ = function_(postData_, vars_)
if (response_ != None):
exitcode_ = response_.response
format_ = response_.mimetype
else:
exitcode_ = HTTP_NO_CONTENT
if (exitcode_ != HTTP_OK) and (exitcode_ !=
HTTP_NO_CONTENT):
self.log(("Request failed - %s:%s" %
(action, vars_.path.path)))
else:
self.log(
("%s | %s" %
(routefound_.function, routefound_.vars)))
except Exception as inst:
self.logException(inst)
finally:
if (controller_ == None) or (response_ == None):
exitcode_ = HTTP_PAGE_DOES_NOT_EXIST
# now render the result
if (response_ != None):
modifiedsince_ = None
if (vars_.ifmodifiedsince != None):
modifiedsince_ = vars_.ifmodifiedsince
now_ = time.time()
expires_ = now_ + 2419200
sendcontent_ = 1
compress_ = response_.compressed
if (exitcode_ == HTTP_OK):
contentout_ = self.reformat(response_.content, format_)
dataout_ = contentout_
if (not response_.isbinary):
if (dataout_ != None):
if (format_ in TEXT_TYPES):
dataout_ = bytes(contentout_, UTF8)
if (dataout_ !=
None) and (not response_.compressed) and (
vars_.allowcompression):
compress_ = True
dataout_ = zlib.compress(dataout_)
response_.content = dataout_
sendcookies_ = False
if (format_ in [
TYPE_RAW, TYPE_HTML, TYPE_JSON, TYPE_XMLS,
TYPE_XML
]):
self.send_response(HTTP_OK)
if compress_:
self.send_header("Content-Encoding", "deflate")
self.send_header("Content-Type",
MIMETYPES[format_])
self.send_header("Content-Length",
str(len(response_.content)))
sendcookies_ = True
elif (format_ != None):
if (response_.lastmodified != None):
if (response_.lastmodified == 0):
self.send_response(HTTP_OK)
self.send_header("Expires", "0")
self.send_header("Pragma-Directive",
"no-cache")
self.send_header("Cache-Directive",
"no-cache")
self.send_header("Cache-Control",
"no-cache")
if compress_:
self.send_header(
"Content-Encoding", "deflate")
if (format_ in MIMETYPES.keys()):
self.send_header(
"Content-Type", MIMETYPES[format_])
else:
self.send_header(
"Content-Type", format_)
self.send_header("Pragma", "no-cache")
else:
datelastmodified_ = datetime.datetime.strptime(
time.ctime(response_.lastmodified),
"%a %b %d %H:%M:%S %Y")
datemodified_ = datelastmodified_.strftime(
"%a, %d %b %Y %H:%M:%S GMT")
if (datemodified_ == modifiedsince_):
self.send_response(HTTP_NOT_MODIFIED)
sendcontent_ = 0
response_.content = None
self.send_header(
"Cache-Control",
"max-age=86400, public")
else:
self.send_response(HTTP_OK)
dateexpires_ = datetime.datetime.strptime(
time.ctime(expires_),
"%a %b %d %H:%M:%S %Y")
self.send_header(
"Expires",
dateexpires_.strftime(
"%a, %d %b %Y %H:%M:%S GMT"))
self.send_header(
"Last-Modified", datemodified_)
self.send_header(
"Cache-Control",
"max-age=86400, public")
if compress_:
self.send_header(
"Content-Encoding", "deflate")
if (format_ in MIMETYPES.keys()):
self.send_header(
"Content-Type",
MIMETYPES[format_])
else:
self.send_header(
"Content-Type", format_)
self.send_header(
"Pragma", response_.cachetype)
else:
self.send_response(HTTP_OK)
self.send_header(
"Cache-Control",
"max-age=900, must-revalidate")
if compress_:
self.send_header("Content-Encoding",
"deflate")
if (format_ in MIMETYPES.keys()):
self.send_header("Content-Type",
MIMETYPES[format_])
else:
self.send_header("Content-Type", format_)
self.send_header("Pragma", "private")
if (response_.content != None) and (sendcontent_
== 1):
self.send_header("Content-Length",
str(len(response_.content)))
else:
self.send_response(HTTP_PAGE_DOES_NOT_EXIST)
self.send_header("Connection", "Close")
self.end_headers()
self.close_connection = 1
return
if (vars_.session_id != NO_TRACK) and sendcookies_:
# send recovery header for http session handling
self.send_header("session_id", vars_.session_id)
# OWASP Compliance
# prevent TLS issues arising
self.send_header(
"Strict-Transport-Security",
"max-age=86400; includeSubDomains")
# prevent iframe abuse (only allow same origin) - options are...
# ALLOW-FROM https://example.com/
# DENY
# SAMEORIGIN
self.send_header("X-Frame-Options", "SAMEORIGIN")
# prevent Cross Site Scripting etc
self.send_header("X-XSS-Protection",
"1; mode=block")
self.send_header("X-Content-Type-Options",
"nosniff")
# send cookies
cookies_ = {
"session_id": vars_.session_id,
"device_id": vars_.device_id,
"language": vars_.language
}
expires_ = datetime.datetime.strptime(
time.ctime(now_ + TIMEOUT),
"%a %b %d %H:%M:%S %Y")
cookie_ = cookie()
for cookiekey_ in cookies_.keys():
cookie_[cookiekey_] = cookies_[cookiekey_]
cookie_[cookiekey_]["httponly"] = True
# if we use a default servicename, then cookies should link to the hostname
if (self.CONFIG.SERVICE_NAME == "*"):
host_ = vars_.HOST
cookie_[cookiekey_]["domain"] = host_
else:
cookie_[cookiekey_]["domain"] = (
"." + self.CONFIG.SERVICE_NAME)
cookie_[cookiekey_]["path"] = "/"
cookie_[cookiekey_]["max-age"] = TIMEOUT
cookie_[cookiekey_]["expires"] = expires_
cookie_[cookiekey_][
"secure"] = self.CONFIG.REQUIRE_SSL
_cookieOut = cookie_[cookiekey_]
self.send_header('Set-Cookie',
_cookieOut.OutputString())
# send user identifier
if (session_.username != None):
self.send_header("X-Userid", session_.username)
# send render time (for page)
self.send_header("X-Time",
("%s" % (now_ - vars_.time)))
if (response_.release):
self.end_headers()
self.returnResponse(exitcode_, response_.content,
True)
else:
self.send_header("Connection", "Keep-alive")
self.send_header("Keep-Alive",
"max=5, timeout=120")
self.close_connection = 0
return
self.send_response(HTTP_OK)
self.send_header("Content-Type", "text/html")
self.send_header("Connection", "Close")
self.end_headers()
self.close_connection = 1
def sessionCookie(self):
cookiestring = "\n".join(self.headers.get_all('Cookie', failobj=[]))
c = cookie()
c.load(cookiestring)
self.cookie = c
