def __load_cookie(self, cookies, cookie):
key_name = cookie.replace("session__", "")
key_value = cookies[cookie]
# We need to get the signature off the value. I didn't know
# what a good delimiter was so I chose '.'
try:
key_sig, key_value = key_value.split('.')
except:
self.__data[key_name] = ('', True)
return
# We hash after base64 encoding so we need to validate
# before base64 decoding.
our_sig = quick_hash(self.id, self.secret_key, key_value)
if our_sig == key_sig:
key_value = base64.b64decode(key_value)
key_value = pickle.loads(key_value)
self.__data[key_name] = (key_value, False)
# else we assume that the cookie was an attack.
# we will enter it's name into the dict but set it
# to be deleted in the response.
else:
self.__data[key_name] = ('', True)
def to_cookies(self):
for key, (value, deleted) in self.__data.iteritems():
morsel = Morsel()
morsel.key = "session__%s" % key
if not deleted:
value = pickle.dumps(value)
value = base64.b64encode(value)
sig = quick_hash(self.id, self.secret_key, value)
value = ".".join((sig, value))
else:
value = 'no-value'
morsel['expires'] = -3600
# Sets the cookie to expire in the past.
morsel.coded_value = morsel.value = value
# This optionally sets the cookie's timeout till
# deletion.
if 'timeout' in self.options:
timeout = self.options['timeout']
morsel['expires'] = timeout
morsel['max-age'] = timeout
morsel['path'] = '/'
yield morsel
def csrf_token(self):
# This get's a csrf_token using available
# data. The purpouse of this csrf token is to
# ensure that any post data came from a page that
# was loaded from this server.
if not hasattr(self, "__csrf_token"):
# if the request is a get request, we just
# use the host that was requested by the
# user, since the netloc of host should
# be the netloc of the referer or origin
# headers of the post request.
if self.is_get:
origin = self.headers["Host"]
# Else we just grab the netloc of the origin
# or referer header.
else:
if "Origin" in self.headers:
origin = self.headers["Origin"]
elif "Referer" in self.headers:
origin = self.headers["Referer"]
else:
raise Server403Exception("Could not reliably determin origin")
origin = urlparse(origin).netloc
remote_addr = self.remote_addr
secret_key = self.__secret_key
# Create the csrf token by hashing the origin, the remote
# address of the request and our secret key. This key will
# then be compared to the "csrf_token" value in the post.
# only if the form came from this domain, and was sent to
# this remote host will the form validate.
self.__csrf_token = quick_hash(origin, remote_addr, secret_key)
return self.__csrf_token
