예제 #1
0
    def do_PUT(self):
        alog("PUT " + self.path)
        self.set_ipaddr()
        path = self.path

        if self.has_handler(path):
            self.exec_handler(path, "PUT")
        else:
            self.send_error(404)
예제 #2
0
 def do_GET(self, serv):
   qs = get_qs(serv.path)
   if "accessToken" not in qs or ("path" not in qs and "id" not in qs):
     serv.send_error(400)
     return
   
   tok = qs["accessToken"][0]
   userid = do_auth(tok)
   
   if userid == None:
     serv.send_error(401)
     return
   
   if "path" in qs:
     fileid = resolve_path(qs["path"][0])
   else:
     fileid = publicid_to_fileid(qs["id"][0])[1]
   
   if fileid == None:
     serv.send_error(404)
     return
     
   alog("fetching file %s" % fileid);
   f = fetch_file(fileid)
   if f == None:
     serv.send_error(400)
     return
   
   if is_folder(f):
     serv.send_error(401)
     return
     
   if f["userid"] != userid:
     serv.send_error(401)
     return
   
   try:
     file = open(f["diskpath"], "rb")    
   except OSError:
     serv.send_error(404)
     return
   
   body = file.read()
   file.close()
   
   serv.gen_headers("GET", len(body), "application/octet-stream")
   serv.send_header("Content-Disposition", "attachment; filename=\"%s\"" % f["name"])
   #Content-Disposition: attachment; filename=FILENAME
   
   serv.wfile.write(body)
예제 #3
0
    def do_POST(self):
        self.set_ipaddr()
        path = self.path

        alog("POST " + self.path)

        if path == "/webgl_helper.webpy":
            self._handle_mesh_post()
        elif path == "/logger":
            self._handle_logger_post()
        elif self.has_handler(path):
            self.exec_handler(path, "POST")
        else:
            self.send_error(404)
예제 #4
0
    def do_GET(self, serv):
        qs = get_qs(serv.path)
        if "refreshToken" not in qs:
            serv.send_error(400)
            return

        token = qs["refreshToken"][0]

        cur, con = mysql_connect()
        cur.execute("SELECT * FROM authtokens WHERE tokenid=" + estr(token))

        ret = cur.fetchone()
        if ret == None:
            serv.send_error(401)
            return

        exprtime1 = ensure_datetime(ret["expiration"])

        if exprtime1 < datetime.datetime.now():
            alog("Expired token %s" % (token))
            serv.send_error(408)
            return

        userid = ret["userid"]
        tok = gen_token("A", userid)
        exprtime = datetime.datetime.now() + datetime.timedelta(hours=2)

        alog("Generated session token %s for user %s" % (tok, str(userid)))

        cols = ["tokenid", "userid", "type", "permissions", "expiration"]
        values = [tok, userid, toktypes["A"], default_permission, exprtime]
        types = [sq.token, sq.int, sq.int, sq.int, sq.datetime]

        try:
            qstr = sql_insertinto("authtokens", cols, values, types)
        except SQLParamError:
            do_param_error("cols: " + str(cols) + ", values:" + str(values))
            serv.send_error(401)
            return

        cur.execute(qstr)
        con.commit()

        body = json.dumps({"access_token": str(tok)})
        body = bstr(body)

        serv.gen_headers("GET", len(body), json_mimetype)
        serv.wfile.write(body)
예제 #5
0
  def do_GET(self, serv):
    qs = get_qs(serv.path)
    if "accessToken" not in qs or ("path" not in qs and "id" not in qs):
      serv.send_error(400)
      return
    
    tok = qs["accessToken"][0]
    userid = do_auth(tok)
    
    if userid == None:
      serv.send_error(401)
      return
    
    if "path" in qs:
      path = qs["path"][0]
    else:
      path = publicid_to_fileid(qs["id"][0])
    
    if path == None:
      serv.send_error(404)
      return
      
    alog("fetching file %s" % path);
    f = File(path, userid)
    
    if f == None:
      serv.send_error(400)
      return
    
    if is_folder(f):
      serv.send_error(401)
      return

    print("diskpath:", f.diskpath)
    try:
      file = open(f.diskpath, "rb")    
    except OSError:
      serv.send_error(404)
      return
    
    body = file.read()
    file.close()
    
    serv.gen_headers("GET", len(body), "application/octet-stream")
    serv.send_header("Content-Disposition", "attachment; filename=\"%s\"" % f.name)
    #Content-Disposition: attachment; filename=FILENAME
    
    serv.wfile.write(body)
예제 #6
0
    def do_GET(self, serv):
        global OAUTH_SCOPES

        qs = get_qs(serv.path)
        qs2 = {}
        for k in qs:
            if type(qs[k]) in [list, tuple] and len(qs[k]) == 1:
                qs2[k] = qs[k][0]
            else:
                qs2[k] = qs[k]
        qs = qs2

        if "response_type" not in qs or "client_id" not in qs:
            alog("Invaild oauth request 1")
            serv.send_error(400)
            return

        if qs["response_type"] != "code":
            alog("Invaild oauth request 2")
            serv.send_error(400)
            return

        if "redirect_uri" in qs:
            self.redirect_uri = qs["redirect_uri"]

        scope = ""
        if "scope" in qs:
            scope = qs["scope"]

        state = None
        if "state" in qs:
            state = qs["state"]

        restype = qs["response_type"]
        clientid = qs["client_id"]

        if clientid not in self.valid_clients:
            alog("Invaild client id in oauth request")
            serv.send_error(401)
            return

        body = "<html><body>login</body></html>"
        body = bstr(body)

        serv.gen_headers("GET", len(body), "text/html")
        serv.wfile.write(body)
예제 #7
0
파일: mysql_db.py 프로젝트: joeedh/allshape
def do_sql_error(t, d, extra=None):
  elog("Database security failure")
  alog("Database security failure")
  raise RuntimeError("Invalid data for database query: type " + str(t) + ", data: " + estr(d))
예제 #8
0
파일: mysql_db.py 프로젝트: joeedh/allshape
def do_param_error(str):
  alog("possible sql injection: \"" + str + "\"")
  elog("possible sql injection: \"" + str + "\"")
예제 #9
0
    def do_GET(self, serv):
        qs = get_qs(serv.path)
        if not ("user" in qs and "password" in qs):
            serv.send_error(400)
            return

        user = qs["user"][0]
        password = qs["password"][0]
        #HACK: wsgi is turning +'s into spaces? how odd
        password = password.replace(" ", "+")

        if not valid_pass(password):
            alog("invalid pass format %s" % password)
            serv.send_error(401)
            return

        cur, con = mysql_connect()
        try:
            qstr = sql_selectall("users", ["username"], [user], [sq.user])
        except SQLParamError:
            do_param_error(user)
            serv.send_error(401)
            return

        cur.execute(qstr)
        ret = cur.fetchone()

        if ret == None:
            alog("invalid user %s" % user)
            serv.send_error(401)
            return

        alog("Fetching refresh token for user %s. . ." % user)

        passwd = ret["password"]
        userid = ret["userid"]

        if passwd != password:
            alog("Invalid password for %s, got: '%s', pass: '******'" %
                 (user, password, ret["password"]))
            serv.send_error(401)
            return

        tok = gen_token("R", userid)
        exprtime = datetime.datetime.now() + datetime.timedelta(days=12)

        alog("Refresh token for %s: %s" % (user, tok))

        cols = ["tokenid", "userid", "type", "permissions", "expiration"]
        values = [tok, userid, toktypes["R"], default_permission, exprtime]
        types = [sq.token, sq.int, sq.int, sq.int, sq.datetime]

        try:
            qstr = sql_insertinto("authtokens", cols, values, types)
        except SQLParamError:
            do_param_error("cols: " + str(cols) + ", values:" + str(values))
            serv.send_error(401)
            return
        """
    qstr = "INSERT INTO authtokens (tokenid,userid,type,permissions,expiration) VALUES("
    
    qstr += estr(tok)+","+estr(userid)+","
    qstr += estr(toktypes["R"])+","+estr(default_permission)+","
    qstr += estr(exprtime)+")"
    """

        cur.execute(qstr)
        con.commit()

        body = json.dumps({"refresh_token": str(tok), "result": 1})
        body = bstr(body)

        serv.gen_headers("GET", len(body), json_mimetype)
        serv.wfile.write(body)
예제 #10
0
 def do_PUT(self, serv):
   alog("fileapi access" + serv.path)
   
   qs = get_qs(serv.path)
   if "accessToken" not in qs or "uploadToken" not in qs:
     elog("fileapi: invalid tokens")
     serv.send_error(400)
     return
   
   tok = qs["accessToken"][0]
   utoken = qs["uploadToken"][0]
   
   userid = do_auth(tok)
   
   if userid == None:
     elog("invalid authorization")
     serv.send_error(401)
     return
   
   status = UploadStatus(utoken)
   if status.invalid:
     elog("invalid upload token ", utoken)
     serv.send_error(401)
     return
     
   if "Content-Range" not in serv.headers:
     elog("missing header " + json.dumps(serv.headers))
     serv.send_error(400)
     return
     
   r = serv.headers["Content-Range"].strip()
   
   if not r.startswith("bytes"):
     elog("malformed request 1")
     serv.send_error(400)
     return
   
   r = r[len("bytes"):].strip()
   r = r.split("/")
   
   if r == None or len(r) != 2:
     elog("malformed request 2")
     serv.send_error(400)
     return
   
   try:
     max_size = int(r[1])
   except ValueError:
     elog("malformed request 3")
     serv.send_error(400)
     return
   
   r = r[0].split("-")
   
   if r == None or len(r) != 2:
     elog("malformed request 4")
     serv.send_error(400)
     return
   
   try:
     r = [int(r[0]), int(r[1])]
   except ValueError:
     elog("malformed request 4")
     serv.send_error(400)
     return
   
   if r[0] < 0 or r[1] < 0 or r[0] >= max_size or r[1] >= max_size \
     or r[0] > r[1]:
     elog("malformed request 5")
     serv.send_error(400)
     return
   
   if status.size == -1:
     status.size = max_size
   
   buflen = r[1]-r[0]+1
   buf = serv.rfile.read(buflen)
   
   if len(buf) != buflen:
     elog("malformed request 6")
     serv.send_error(400)
     return
   
   """
   if not status.file_init:
     status.file = open(status.realpath, "wb")
     csize = 1024*1024*1024
     ilen = math.ceil(max_size/csize);
     
     zerobuf = b""*csize;
    
     for i in range(ilen):
       if i == ilen-1:
         c = b""*(max_size%(csize+1))
       else:
         c = zerobuf;
       
     status.file.write(c)
     status.file.flush()
     status.file.close()
   #"""
   
   if r[0] == 0:
     mode = "wb"
   else:
     mode = "ab"
   
   status.file = open(status.realpath, mode);
   status.file.seek(r[0]);
   status.file.write(buf);
   status.file.flush()
   status.file.close()
   
   status.commit()
   
   body = json.dumps({"success" : True});
   body = bstr(body)
   
   serv.gen_headers("PUT", len(body), json_mimetype)
   serv.wfile.write(body)
예제 #11
0
    def do_GET(self):
        self.set_ipaddr()

        alog("GET " + self.path)

        if "Connection" in self.headers:
            keep_alive = self.headers["Connection"].strip().lower(
            ) == "keep-alive"
        else:
            keep_alive = False

        wf = self.wfile
        body = [b"yay, tst"]

        print(self.path)
        path = os.path.normpath(doc_root + self.path)

        if not os.path.exists(path):
            print("ble")
            if self.has_handler(self.path):
                self.exec_handler(self.path, "GET")
                return
            self.send_error(404)
            return

        if not self.path.startswith("/js_build/"):
            print(self.path)
            self.send_error(401)
            return

        if debug_file(path):
            always = True
            errbuf = run_build(path, always_build_file=always)

        if "js_build" in path and path.strip().endswith(".html"):
            errbuf = run_build(path, do_all=True)
        else:
            errbuf = None

        if errbuf != None:
            body = [self.format_err(errbuf)]
        else:
            f = open(path, "rb")

            csize = 1024 * 1024
            ret = f.read(csize)
            body = [ret]
            while ret not in ["", b'', None]:
                ret = f.read(csize)
                body.append(ret)

            f.close()

        if type(body) == str:
            body = [bytes.decode(body, "latin-1")]
        elif type(body) == bytes:
            body = [body]

        bodysize = 0
        for chunk in body:
            bodysize += len(chunk)

        if path.strip().endswith(".js"):
            mm = "application/javascript"
        else:
            mm = mime(path)[0]
        self.gen_headers("GET", bodysize, mm)

        b = b""
        for chunk in body:
            b += chunk

        wf.write(b)

        print(mm)