def get_sk(self):
save_path = '/www/server/panel/config/api.json'
if not os.path.exists(save_path):
return redirect('/login')
try:
api_config = json.loads(public.ReadFile(save_path))
except:
os.remove(save_path)
return redirect('/login')
if not api_config['open']:
return redirect('/login')
from BTPanel import get_input
get = get_input()
client_ip = public.GetClientIp()
if not 'client_bind_token' in get:
if not 'request_token' in get or not 'request_time' in get:
return redirect('/login')
num_key = client_ip + '_api'
if not public.get_error_num(num_key,20):
return public.returnJson(False,'AUTH_FAILED1')
if not client_ip in api_config['limit_addr']:
public.set_error_num(num_key)
return public.returnJson(False,'%s[' % public.GetMsg("AUTH_FAILED1")+client_ip+']')
else:
num_key = client_ip + '_app'
if not public.get_error_num(num_key,20):
return public.returnJson(False,'AUTH_FAILED1')
a_file = '/dev/shm/' + get.client_bind_token
if not os.path.exists(a_file):
import panelApi
if not panelApi.panelApi().get_app_find(get.client_bind_token):
public.set_error_num(num_key)
return public.returnJson(False,'UNBOUND_DEVICE')
public.writeFile(a_file,'')
if not 'key' in api_config:
public.set_error_num(num_key)
return public.returnJson(False, 'KEY_ERR')
if not 'form_data' in get:
public.set_error_num(num_key)
return public.returnJson(False, 'FORM_DATA_ERR')
g.form_data = json.loads(public.aes_decrypt(get.form_data, api_config['key']))
get = get_input()
if not 'request_token' in get or not 'request_time' in get:
return redirect('/login')
g.is_aes = True
g.aes_key = api_config['key']
request_token = public.md5(get.request_time + api_config['token'])
if get.request_token == request_token:
public.set_error_num(num_key,True)
return False
public.set_error_num(num_key)
return public.returnJson(False,'SECRET_KEY_CHECK_FALSE')
def check_login(self):
try:
api_check = True
if not 'login' in session:
api_check = self.get_sk()
if api_check:
session.clear()
return api_check
else:
if session['login'] == False:
session.clear()
return redirect('/login')
if api_check:
try:
sess_out_path = 'data/session_timeout.pl'
sess_input_path = 'data/session_last.pl'
if not os.path.exists(sess_out_path):
public.writeFile(sess_out_path, '86400')
if not os.path.exists(sess_input_path):
public.writeFile(sess_input_path,
str(int(time.time())))
session_timeout = int(public.readFile(sess_out_path))
session_last = int(public.readFile(sess_input_path))
if time.time() - session_last > session_timeout:
os.remove(sess_input_path)
session['login'] = False
cache.set('dologin', True)
session.clear()
return redirect('/login')
public.writeFile(sess_input_path, str(int(time.time())))
except:
pass
filename = '/www/server/panel/data/login_token.pl'
if os.path.exists(filename):
token = public.readFile(filename).strip()
if 'login_token' in session:
if session['login_token'] != token:
session.clear()
return redirect('/login?dologin=True')
if api_check:
filename = 'data/sess_files/' + public.get_sess_key()
if not os.path.exists(filename):
session.clear()
return redirect('/login?dologin=True')
except:
return public.returnMsg(False, public.get_error_info())
session.clear()
return redirect('/login')
def check_login(self):
try:
api_check = True
g.api_request = False
if not 'login' in session:
api_check = self.get_sk()
if api_check:
session.clear()
return api_check
g.api_request = True
else:
if session['login'] == False:
public.WriteLog('Login auth', 'The current session has been logged out')
session.clear()
return redirect('/login')
if 'tmp_login_expire' in session:
s_file = 'data/session/{}'.format(session['tmp_login_id'])
if session['tmp_login_expire'] < time.time():
public.WriteLog('Login auth', 'Temporary authorization has expired {}'.format(public.get_client_ip()))
session.clear()
if os.path.exists(s_file): os.remove(s_file)
return redirect('/login')
if not os.path.exists(s_file):
public.WriteLog('Login auth', 'Forced withdrawal due to cancellation of temporary authorization {}'.format(public.get_client_ip()))
session.clear()
return redirect('/login')
ua_md5 = public.md5(g.ua)
if ua_md5 != session.get('login_user_agent',ua_md5):
public.WriteLog('Login auth', 'UA verification failed {}'.format(public.get_client_ip()))
session.clear()
return redirect('/login')
if api_check:
session_timeout = session.get('session_timeout',0)
if session_timeout < time.time() and session_timeout != 0:
public.WriteLog('Login auth', 'The session has expired {}'.format(public.get_client_ip()))
session.clear()
return redirect('/login?dologin=True&go=0')
login_token = session.get('login_token','')
if login_token:
if login_token != public.get_login_token_auth():
public.WriteLog('Login auth', 'Session ID does not match {}'.format(public.get_client_ip()))
session.clear()
return redirect('/login?dologin=True&go=1')
if api_check:
filename = 'data/sess_files/' + public.get_sess_key()
if not os.path.exists(filename):
public.WriteLog('Login auth', 'Trigger CSRF defense {}'.format(public.get_client_ip()))
session.clear()
return redirect('/login?dologin=True&go=2')
except:
public.WriteLog('Login auth',public.get_error_info())
session.clear()
return redirect('/login')
def init(self):
panel_path = public.get_panel_path()
if os.getcwd() != panel_path: os.chdir(panel_path)
g.ua = request.headers.get('User-Agent', '')
if g.ua:
ua = g.ua.lower()
if ua.find('spider') != -1 or g.ua.find('bot') != -1:
return redirect('https://www.google.com')
g.version = '6.8.21'
g.title = public.GetConfigValue('title')
g.uri = request.path
g.debug = os.path.exists('data/debug.pl')
g.pyversion = sys.version_info[0]
session['version'] = g.version
if request.method == 'GET':
if not g.debug:
g.cdn_url = public.get_cdn_url()
if not g.cdn_url:
g.cdn_url = '/static'
else:
g.cdn_url = '//' + g.cdn_url + '/' + g.version
else:
g.cdn_url = '/static'
session['title'] = g.title
g.recycle_bin_open = 0
if os.path.exists("data/recycle_bin.pl"): g.recycle_bin_open = 1
g.recycle_bin_db_open = 0
if os.path.exists("data/recycle_bin_db.pl"): g.recycle_bin_db_open = 1
g.is_aes = False
self.other_import()
return None
def init(self):
ua = request.headers.get('User-Agent','')
if ua:
ua = ua.lower()
if ua.find('spider') != -1 or ua.find('bot') != -1:
return redirect('https://www.google.com')
g.version = '6.8.12'
g.title = public.GetConfigValue('title')
g.uri = request.path
g.debug = os.path.exists('data/debug.pl')
g.pyversion = sys.version_info[0]
session['version'] = g.version
if request.method == 'GET':
if not g.debug:
g.cdn_url = public.get_cdn_url()
if not g.cdn_url:
g.cdn_url = '/static'
else:
g.cdn_url = '//' + g.cdn_url + '/' + g.version
else:
g.cdn_url = '/static'
session['title'] = g.title
g.is_aes = False
self.other_import()
return None
def _check(self, args):
if not comm.local():
return True
else:
return redirect('/login', 302)
if not public.GetConfigValue('btco'):
return public.returnMsg(
False, '「BTCO」Please configure the license first.')
return True
def check_login(self):
try:
api_check = True
g.api_request = False
if not 'login' in session:
api_check = self.get_sk()
if api_check:
session.clear()
return api_check
g.api_request = True
else:
if session['login'] == False:
session.clear()
return redirect('/login')
if 'tmp_login_expire' in session:
s_file = 'data/session/{}'.format(session['tmp_login_id'])
if session['tmp_login_expire'] < time.time():
session.clear()
if os.path.exists(s_file): os.remove(s_file)
return redirect('/login')
if not os.path.exists(s_file):
session.clear()
return redirect('/login')
if api_check:
try:
sess_out_path = 'data/session_timeout.pl'
sess_input_path = 'data/session_last.pl'
if not os.path.exists(sess_out_path): public.writeFile(sess_out_path,'86400')
if not os.path.exists(sess_input_path): public.writeFile(sess_input_path,str(int(time.time())))
session_timeout = int(public.readFile(sess_out_path))
session_last = int(public.readFile(sess_input_path))
if time.time() - session_last > session_timeout:
os.remove(sess_input_path)
session['login'] = False
cache.set('dologin', True)
session.clear()
return redirect('/login')
public.writeFile(sess_input_path, str(int(time.time())))
except:
pass
filename = '/www/server/panel/data/login_token.pl'
if os.path.exists(filename):
token = public.readFile(filename).strip()
if 'login_token' in session:
if session['login_token'] != token:
session.clear()
return redirect('/login?dologin=True&go=1')
if api_check:
filename = 'data/sess_files/' + public.get_sess_key()
if not os.path.exists(filename):
session.clear()
return redirect('/login?dologin=True&go=2')
except:
session.clear()
return redirect('/login')
def check_login(self):
try:
api_check = True
g.api_request = False
if not 'login' in session:
api_check = self.get_sk()
if api_check:
#session.clear()
return api_check
g.api_request = True
else:
if session['login'] == False:
session.clear()
return redirect('/login')
if 'tmp_login_expire' in session:
s_file = 'data/session/{}'.format(session['tmp_login_id'])
if session['tmp_login_expire'] < time.time():
session.clear()
if os.path.exists(s_file): os.remove(s_file)
return redirect('/login')
if not os.path.exists(s_file):
session.clear()
return redirect('/login')
ua_md5 = public.md5(g.ua)
if ua_md5 != session.get('login_user_agent', ua_md5):
session.clear()
return redirect('/login')
if api_check:
now_time = time.time()
session_timeout = session.get('session_timeout', 0)
if session_timeout < now_time and session_timeout != 0:
session.clear()
return redirect('/login?dologin=True&go=0')
login_token = session.get('login_token', '')
if login_token:
if login_token != public.get_login_token_auth():
session.clear()
return redirect('/login?dologin=True&go=1')
# if api_check:
# filename = 'data/sess_files/' + public.get_sess_key()
# if not os.path.exists(filename):
# session.clear()
# return redirect('/login?dologin=True&go=2')
# 标记新的会话过期时间
session['session_timeout'] = time.time(
) + public.get_session_timeout()
except:
public.WriteLog('Login auth', public.get_error_info())
session.clear()
return redirect('/login')
def init(self):
ua = request.headers.get('User-Agent', '')
if ua:
ua = ua.lower()
if ua.find('spider') != -1 or ua.find('bot') != -1:
return redirect('https://www.google.com')
g.version = '6.8.4'
g.title = public.GetConfigValue('title')
g.uri = request.path
g.debug = os.path.exists('data/debug.pl')
g.pyversion = sys.version_info[0]
if not g.debug:
g.cdn_url = public.get_cdn_url()
if not g.cdn_url:
g.cdn_url = '/static'
else:
g.cdn_url = '//' + g.cdn_url + '/' + g.version
else:
g.cdn_url = '/static'
session['version'] = g.version
session['title'] = g.title
g.is_aes = False
dirPath = '/www/server/phpmyadmin/pma'
if os.path.exists(dirPath):
public.ExecShell("rm -rf {}".format(dirPath))
dirPath = '/www/server/adminer'
if os.path.exists(dirPath):
public.ExecShell("rm -rf {}".format(dirPath))
dirPath = '/www/server/panel/adminer'
if os.path.exists(dirPath):
public.ExecShell("rm -rf {}".format(dirPath))
return None
def checkClose(self):
if os.path.exists('data/close.pl'):
return redirect('/close')