def test_base64decode():
    """The base64decode wrapper works properly.

    Covers a plain ASCII payload, a URL-encoded payload (``urldecode=True``
    strips the ``%3D`` padding escape first) and a non-ASCII payload. On
    Python 2 the ``unicode`` input type is exercised as well.
    """
    signed = 'InRlc3RAbWFpbGluYXRvci5jb20iLkRHeGVvQS5sQ3NzVTNNMlF1QmZvaE8tRnRkZ0RRTEtiVTQ%3D'
    signed_expected = '"*****@*****.**".DGxeoA.lCssU3M2QuBfohO-FtdgDQLKbU4'

    if six.PY2:
        assert base64decode('YWJjMTIz') == 'abc123'
        assert base64decode(unicode('YWJjMTIz')) == 'abc123'
        assert base64decode(unicode(signed), urldecode=True) == signed_expected
    else:
        assert base64decode('YWJjMTIz') == 'abc123'
        assert base64decode(signed, urldecode=True) == signed_expected

    # Same expectations on both interpreters: padding given literally, then
    # URL-encoded.
    assert base64decode('8J-Yhg==') == '😆'
    assert base64decode('8J-Yhg%3D%3D', urldecode=True) == '😆'
def reset_password(data=None):
    """Password-reset flow (request form and set-password form).

    Without ``data`` this is the "forgot password" page: a POST with an
    ``email`` field hands off to ``utils.forgot_password`` when a team with
    that address exists. With ``data`` -- the signed, base64/URL-encoded
    token from the emailed link -- a GET shows the new-password form and a
    POST stores the new password for the team named inside the token.

    The token is an itsdangerous ``TimedSerializer`` payload holding the
    team name and is accepted for ``max_age`` of 1800 s. Nothing records
    that a token has been used, so the same link can reset the password
    again until it expires.

    Returns a Flask response. The whole flow is disabled (redirect to login)
    when the ``no_emails`` config flag is set.
    """
    if utils.get_config('no_emails'):
        return redirect(url_for('auth.login'))

    logger = logging.getLogger('logins')

    if data is not None:
        # Verify the token before showing or processing the set-password form.
        # BadTimeSignature subclasses BadSignature, so it has to come first.
        try:
            serializer = TimedSerializer(app.config['SECRET_KEY'])
            team_name = serializer.loads(
                utils.base64decode(data, urldecode=True), max_age=1800)
        except BadTimeSignature:
            return render_template('reset_password.html',
                                   errors=['Your link has expired'])
        except (BadSignature, TypeError, base64.binascii.Error):
            return render_template('reset_password.html',
                                   errors=['Your reset token is invalid'])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')

        if request.method == "POST":
            team = Teams.query.filter_by(name=team_name).first_or_404()
            # Only surrounding whitespace is trimmed; no length or strength
            # policy is applied here.
            team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
            db.session.commit()
            logger.warn(
                "[{date}] {ip} - successful password reset for {username}".format(
                    date=time.strftime("%m/%d/%Y %X"),
                    ip=utils.get_ip(),
                    username=team.name.encode('utf-8')))
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()
        if utils.can_send_mail() is False:
            return render_template(
                'reset_password.html',
                errors=['Email could not be sent due to server misconfiguration'])
        # Identical message whether or not the address is known, so the form
        # does not reveal which emails have accounts.
        notice = 'If that account exists you will receive an email, please check your inbox'
        if not team:
            return render_template('reset_password.html', errors=[notice])
        utils.forgot_password(email, team.name)
        return render_template('reset_password.html', errors=[notice])

    return render_template('reset_password.html')
def confirm_user(data=None):
    """Email-confirmation flow for a team (``get_tip`` message variant).

    Three entry points share this view:

    * GET with ``data``: ``data`` is the signed, base64/URL-encoded token
      from the confirmation email -- an itsdangerous ``TimedSerializer``
      payload holding the email address, accepted for 1800 s. A valid token
      marks the matching team verified and redirects onward.
    * POST without ``data`` (authenticated): resend the confirmation email.
    * GET without ``data`` (authenticated): show the "please confirm" page,
      or the profile if the team is already verified.

    Skipped entirely (redirect to challenges) unless ``verify_emails`` is on.
    Returns a Flask response; user-facing strings come from ``get_tip``.
    """
    if not utils.get_config('verify_emails'):
        # Email verification is disabled for this CTF: nothing to confirm.
        return redirect(url_for('challenges.challenges_view'))

    logger = logging.getLogger('regs')

    if data and request.method == "GET":
        # Verification is a side effect of a GET, so anything that fetches the
        # link (mail-scanner URL prefetch, link previews) confirms the account.
        # BadTimeSignature subclasses BadSignature, so it is caught first.
        try:
            serializer = TimedSerializer(app.config['SECRET_KEY'])
            email = serializer.loads(
                utils.base64decode(data, urldecode=True), max_age=1800)
        except BadTimeSignature:
            return render_template('confirm.html',
                                   errors=[get_tip('LINK_EXPIRED')])
        except (BadSignature, TypeError, base64.binascii.Error):
            return render_template('confirm.html',
                                   errors=[get_tip('INVIDE_RESET_TOKEN')])

        team = Teams.query.filter_by(email=email).first_or_404()
        team.verified = True
        db.session.commit()
        logger.warn(get_tip('USER_HAVE_CM').format(
            date=time.strftime("%m/%d/%Y %X"),
            ip=utils.get_ip(),
            username=team.name.encode('utf-8'),
            email=team.email.encode('utf-8')))
        db.session.close()
        if utils.authed():
            return redirect(url_for('challenges.challenges_view'))
        return redirect(url_for('auth.login'))

    # Everything below acts on the logged-in team.
    if not utils.authed():
        return redirect(url_for('auth.login'))

    team = Teams.query.filter_by(id=session['id']).first_or_404()

    if data is None:
        if request.method == "POST":
            # Resend request; an already-verified team just goes to its profile.
            if team.verified:
                return redirect(url_for('views.profile'))
            utils.verify_email(team.email)
            logger.warn(get_tip('EMAIL_CF_RESENT').format(
                date=time.strftime("%m/%d/%Y %X"),
                ip=utils.get_ip(),
                username=team.name.encode('utf-8'),
                email=team.email.encode('utf-8')))
            return render_template('confirm.html', team=team,
                                   infos=[get_tip('EMAIL_CF_SENT')])
        elif request.method == "GET":
            # The team row is fetched a second time here, as in the original.
            team = Teams.query.filter_by(id=session['id']).first_or_404()
            if team.verified:
                return redirect(url_for('views.profile'))
            return render_template('confirm.html', team=team)
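def confirm_user(data=None):
    """Email-confirmation flow for a team.

    Three entry points share this view:

    * GET with ``data``: ``data`` is the signed, base64/URL-encoded token
      from the confirmation email -- an itsdangerous ``TimedSerializer``
      payload holding the email address, accepted for 1800 s. A valid token
      marks the matching team verified and redirects onward.
    * POST without ``data`` (authenticated): resend the confirmation email.
    * GET without ``data`` (authenticated): show the "please confirm" page,
      or the profile if the team is already verified.

    Skipped entirely (redirect to challenges) unless ``verify_emails`` is on.
    Returns a Flask response.
    """
    if not utils.get_config('verify_emails'):
        # Email verification is disabled for this CTF: nothing to confirm.
        return redirect(url_for('challenges.challenges_view'))

    logger = logging.getLogger('regs')

    if data and request.method == "GET":
        # Verification is a side effect of a GET, so anything that fetches the
        # link (mail-scanner URL prefetch, link previews) confirms the account.
        try:
            s = TimedSerializer(app.config['SECRET_KEY'])
            email = s.loads(utils.base64decode(data, urldecode=True), max_age=1800)
        except BadTimeSignature:
            # Subclass of BadSignature; must be caught before it.
            return render_template('confirm.html',
                                   errors=['Your confirmation link has expired'])
        except (BadSignature, TypeError, ValueError):
            # Only BadSignature used to be caught, so a malformed token -- base64
            # that cannot be decoded raises binascii.Error (a ValueError), an
            # unexpected payload type raises TypeError -- produced a 500 rather
            # than this error page.
            return render_template('confirm.html',
                                   errors=['Your confirmation link seems wrong'])

        team = Teams.query.filter_by(email=email).first_or_404()
        team.verified = True
        db.session.commit()
        logger.warning(
            "[{date}] {ip} - {username} confirmed their account".format(
                date=time.strftime("%m/%d/%Y %X"),
                ip=utils.get_ip(),
                username=team.name.encode('utf-8')))
        db.session.close()
        if utils.authed():
            return redirect(url_for('challenges.challenges_view'))
        return redirect(url_for('auth.login'))

    # Everything below acts on the logged-in team.
    if not utils.authed():
        return redirect(url_for('auth.login'))

    team = Teams.query.filter_by(id=session['id']).first_or_404()

    if data is None:
        if request.method == "POST":
            # Resend request; an already-verified team just goes to its profile.
            if team.verified:
                return redirect(url_for('views.profile'))
            utils.verify_email(team.email)
            logger.warning(
                "[{date}] {ip} - {username} initiated a confirmation email resend".format(
                    date=time.strftime("%m/%d/%Y %X"),
                    ip=utils.get_ip(),
                    username=team.name.encode('utf-8')))
            return render_template('confirm.html', team=team,
                                   infos=['Your confirmation email has been resent!'])
        elif request.method == "GET":
            # ``team`` was loaded above; the original re-queried the same row here.
            if team.verified:
                return redirect(url_for('views.profile'))
            return render_template('confirm.html', team=team)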
def test_base64decode():
    """The base64decode wrapper works properly.

    Inputs are URL-safe base64 without trailing ``=`` padding (``8J-Yhg`` is
    six characters), so the wrapper is expected to restore padding itself.
    On Python 2 the ``unicode`` input type is exercised as well.
    """
    signed = 'InRlc3RAbWFpbGluYXRvci5jb20iLkRHeGVvQS5sQ3NzVTNNMlF1QmZvaE8tRnRkZ0RRTEtiVTQ'
    signed_expected = '"*****@*****.**".DGxeoA.lCssU3M2QuBfohO-FtdgDQLKbU4'

    if six.PY2:
        assert base64decode('YWJjMTIz') == 'abc123'
        assert base64decode(unicode('YWJjMTIz')) == 'abc123'
        assert base64decode(unicode(signed)) == signed_expected
    else:
        assert base64decode('YWJjMTIz') == 'abc123'
        assert base64decode(signed) == signed_expected
        # A second address-shaped payload, Python 3 only.
        assert base64decode('dXNlcit1c2VyQGN0ZmQuaW8') == '*****@*****.**'

    # Same expectation on both interpreters.
    assert base64decode('8J-Yhg') == '😆'
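def reset_password(data=None):
    """Password-reset flow (request form and set-password form).

    Without ``data`` this is the "forgot password" page: a POST with an
    ``email`` field signs the matching team's name with ``TimedSerializer``,
    base64/URL-encodes it and mails a ``/reset_password/<token>`` link.
    With ``data`` (that token) a GET shows the new-password form and a POST
    stores the new password for the team named inside the token.

    The token is accepted for ``max_age`` of 1800 s. Nothing records that a
    token has been used, so the same link can reset the password again until
    it expires.

    Returns a Flask response.
    """
    logger = logging.getLogger('logins')

    if data is not None:
        # Validate the token on GET as well as POST, so a bad or expired link
        # is reported before the user types a new password. BadTimeSignature
        # subclasses BadSignature and must be caught first. This replaces a
        # bare ``except:`` that also turned programming errors into a
        # user-facing "link broken" page.
        try:
            s = TimedSerializer(app.config['SECRET_KEY'])
            name = s.loads(utils.base64decode(data, urldecode=True), max_age=1800)
        except BadTimeSignature:
            return render_template('reset_password.html',
                                   errors=['Your link has expired'])
        except (BadSignature, TypeError, ValueError):
            # Undecodable base64 raises binascii.Error, a ValueError subclass.
            return render_template(
                'reset_password.html',
                errors=['Your link appears broken, please try again.'])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')

        if request.method == "POST":
            team = Teams.query.filter_by(name=name).first_or_404()
            # Only surrounding whitespace is trimmed; no length or strength
            # policy is applied here.
            team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
            db.session.commit()
            logger.warning(
                "[{date}] {ip} - successful password reset for {username}".format(
                    date=time.strftime("%m/%d/%Y %X"),
                    ip=utils.get_ip(),
                    username=team.name.encode('utf-8')))
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()
        # Identical message whether or not the address is known, so the form
        # does not reveal which emails have accounts.
        notice = 'If that account exists you will receive an email, please check your inbox'
        if not team:
            return render_template('reset_password.html', errors=[notice])

        s = TimedSerializer(app.config['SECRET_KEY'])
        token = s.dumps(team.name)
        text = """
Did you initiate a password reset?

{0}/{1}

""".format(url_for('auth.reset_password', _external=True),
           utils.base64encode(token, urlencode=True))
        utils.sendmail(email, text)
        return render_template('reset_password.html', errors=[notice])

    return render_template('reset_password.html')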
def reset_password(data=None):
    """Password-reset flow (request form and set-password form), Chinese UI.

    Without ``data`` this is the "forgot password" page: a POST with an
    ``email`` field hands off to ``utils.forgot_password`` when a team with
    that address exists. With ``data`` -- the signed, base64/URL-encoded
    token from the emailed link -- a GET shows the new-password form and a
    POST stores the new password for the team named inside the token.

    The token is an itsdangerous ``TimedSerializer`` payload holding the
    team name and is accepted for ``max_age`` of 1800 s. Nothing records
    that a token has been used, so the same link can reset the password
    again until it expires.

    Returns a Flask response.
    """
    logger = logging.getLogger('logins')

    if data is not None:
        # Verify the token before showing or processing the set-password form.
        # BadTimeSignature subclasses BadSignature, so it has to come first.
        try:
            serializer = TimedSerializer(app.config['SECRET_KEY'])
            team_name = serializer.loads(
                utils.base64decode(data, urldecode=True), max_age=1800)
        except BadTimeSignature:
            return render_template('reset_password.html',
                                   errors=['您的密码重置链接已经过期'])
        except (BadSignature, TypeError, base64.binascii.Error):
            return render_template('reset_password.html',
                                   errors=['您的密码重置令牌已经失效'])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')

        if request.method == "POST":
            team = Teams.query.filter_by(name=team_name).first_or_404()
            # Only surrounding whitespace is trimmed; no length or strength
            # policy is applied here.
            team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
            db.session.commit()
            logger.warn(
                "[{date}] {ip} - successful password reset for {username}".format(
                    date=time.strftime("%m/%d/%Y %X"),
                    ip=utils.get_ip(),
                    username=team.name.encode('utf-8')))
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()
        if utils.can_send_mail() is False:
            return render_template('reset_password.html',
                                   errors=['邮件信息配置异常,无法发送邮件,请联系管理员'])
        # Identical message whether or not the address is known, so the form
        # does not reveal which emails have accounts.
        notice = '如果邮箱有效,将会收到一封密码重置邮件,请注意查收'
        if not team:
            return render_template('reset_password.html', errors=[notice])
        utils.forgot_password(email, team.name)
        return render_template('reset_password.html', errors=[notice])

    return render_template('reset_password.html')
def reset_password(data=None):
    """Password-reset flow (request form and set-password form).

    Without ``data`` this is the "forgot password" page: a POST with an
    ``email`` field hands off to ``utils.forgot_password`` when a team with
    that address exists. With ``data`` -- the signed, base64/URL-encoded
    token from the emailed link -- a GET shows the new-password form and a
    POST stores the new password for the team named inside the token.

    The token is an itsdangerous ``TimedSerializer`` payload holding the
    team name and is accepted for ``max_age`` of 1800 s. Nothing records
    that a token has been used, so the same link can reset the password
    again until it expires.

    Returns a Flask response; user-facing strings come from ``get_tip``.
    """
    logger = logging.getLogger('logins')

    if data is not None:
        # Verify the token before showing or processing the set-password form.
        # BadTimeSignature subclasses BadSignature, so it has to come first.
        try:
            serializer = TimedSerializer(app.config['SECRET_KEY'])
            team_name = serializer.loads(
                utils.base64decode(data, urldecode=True), max_age=1800)
        except BadTimeSignature:
            return render_template('reset_password.html',
                                   errors=[get_tip('LINK_EXPIRED')])
        except (BadSignature, TypeError, base64.binascii.Error):
            return render_template('reset_password.html',
                                   errors=[get_tip('INVIDE_RESET_TOKEN')])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')

        if request.method == "POST":
            team = Teams.query.filter_by(name=team_name).first_or_404()
            # Only surrounding whitespace is trimmed; no length or strength
            # policy is applied here.
            team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
            db.session.commit()
            logger.warn(get_tip('PASS_HAVE_RESET').format(
                date=time.strftime("%m/%d/%Y %X"),
                ip=utils.get_ip(),
                username=team.name.encode('utf-8')))
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()
        if utils.can_send_mail() is False:
            return render_template('reset_password.html',
                                   errors=[get_tip('EMAIL_NOT_CONFIG')])
        # Identical message whether or not the address is known, so the form
        # does not reveal which emails have accounts.
        notice = get_tip('FORGOT_PASS_NOTICE')
        if not team:
            return render_template('reset_password.html', errors=[notice])
        utils.forgot_password(email, team.name)
        return render_template('reset_password.html', errors=[notice])

    return render_template('reset_password.html')