Пример #1
 def GET(self):
     """Serve the account-creation form with an embedded CAPTCHA widget.

     expire_cookie() runs first, then the CAPTCHA markup is generated and
     handed to the adduser template.
     """
     l.info('GET adduser')
     expire_cookie()
     # NOTE(review): error= is passed unconditionally, even on a first
     # visit -- confirm this is intended rather than leftover debugging.
     widget_html = captcha.displayhtml(
         web.captcha_public_key,
         use_ssl=True,
         error="Something broke.",
     )
     return render.adduser(widget_html)
Пример #2
	def POST(self):
		"""Check submitted logon credentials and set the session cookie on success.

		A request missing either field, or whose credentials
		web.d.getValidUser() rejects, gets logon_redirect(). A username or
		password that fails its regex gets a BADREQ error page. On success
		create_cookie() is called and the client is redirected to '/'.
		"""
		l.info('POST logon')
		form = web.input()
		required = (
			('username', 'username field required for POST'),
			('password', 'password field required for POST'),
		)
		for field, complaint in required:
			if field not in form:
				l.error(complaint)
				return logon_redirect()
		username = str(form['username'])
		password = str(form['password'])
		# Only the expected pattern is logged, never the submitted value.
		if not RE_USERNAME.match(username):
			l.warn('username does not match %s' % RE_USERNAME.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed username')
		if not RE_PASSWORD.match(password):
			l.warn('password does not match %s' % RE_PASSWORD.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed password')
		# The digest is SHA-1 over the password followed by the username, so
		# the username doubles as the salt.
		# NOTE(review): a single SHA-1 pass with a predictable salt is cheap
		# to brute-force if stored digests leak. A password KDF with a random
		# per-user salt is the usual hardening, but it requires migrating any
		# digests already stored.
		digest = hashlib.sha1(password)
		digest.update(username)
		db_guid = web.d.getValidUser(username, digest.hexdigest())
		if db_guid:
			create_cookie(str(db_guid), username)
			return web.seeother('/')
		# invalid credentials
		return logon_redirect()
Пример #3
 def POST(self):
     """Check submitted logon credentials and set the session cookie on success.

     A request missing either field, or whose credentials
     web.d.getValidUser() rejects, gets logon_redirect(). A username or
     password that fails its regex gets a BADREQ error page. On success
     create_cookie() is called and the client is redirected to '/'.
     """
     l.info('POST logon')
     form = web.input()
     required = (
         ('username', 'username field required for POST'),
         ('password', 'password field required for POST'),
     )
     for field, complaint in required:
         if field not in form:
             l.error(complaint)
             return logon_redirect()
     username = str(form['username'])
     password = str(form['password'])
     # Only the expected pattern is logged, never the submitted value.
     if not RE_USERNAME.match(username):
         l.warn('username does not match %s' % RE_USERNAME.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'malformed username')
     if not RE_PASSWORD.match(password):
         l.warn('password does not match %s' % RE_PASSWORD.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'malformed password')
     # The digest is SHA-1 over the password followed by the username, so
     # the username doubles as the salt.
     # NOTE(review): a single SHA-1 pass with a predictable salt is cheap
     # to brute-force if stored digests leak. A password KDF with a random
     # per-user salt is the usual hardening, but it requires migrating any
     # digests already stored.
     digest = hashlib.sha1(password)
     digest.update(username)
     db_guid = web.d.getValidUser(username, digest.hexdigest())
     if db_guid:
         create_cookie(str(db_guid), username)
         return web.seeother('/')
     # invalid credentials
     return logon_redirect()
Пример #4
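def feed_clean(file_name: str) -> None:
    """Delete files in a feed's enclosure folder that the feed no longer lists.

    The enclosure folder is derived from the URL path of the first
    ``<enclosure>`` in the feed and is resolved relative to the folder that
    holds ``file_name``. Every regular entry in that folder whose name is not
    the basename of some enclosure URL is unlinked.

    The folder name comes from feed content, so it is normalised and must
    stay inside the feed's own folder; otherwise nothing is deleted. The feed
    file itself and sub-directories are never removed.

    Args:
        file_name: Path to the feed XML file.
    """
    feed_file_folder: str = os.path.split(file_name)[0]
    # NOTE(review): if feeds can come from an untrusted source, confirm the
    # XML parser behind ET is acceptable for hostile input.
    xml_element_tree: ET.ElementTree = ET.parse(file_name)
    xml_root: ET.Element = xml_element_tree.getroot()

    enclosure_file_names: MutableSet[str] = set()
    enclosure_relative_folder: Optional[str] = None

    for item in xml_root.findall("./channel/item/enclosure"):
        enclosure_url: str = item.attrib["url"]
        url_parse_result: ParseResult = urlparse(enclosure_url)
        # Only the first enclosure decides which folder gets cleaned.
        if enclosure_relative_folder is None:
            enclosure_relative_folder = os.path.dirname(url_parse_result.path)
        enclosure_file_names.add(os.path.basename(url_parse_result.path))

    if enclosure_relative_folder is None:
        l.warn(f"No enclosures in feed file {file_name}")
        return

    feed_root: str = os.path.abspath(feed_file_folder)
    # Strip every leading slash so os.path.join cannot be handed an absolute
    # path, then collapse any ".." segments before the containment check.
    enclosure_abs_folder: str = os.path.abspath(
        os.path.join(feed_root, enclosure_relative_folder.lstrip("/"))
    )
    try:
        inside_feed_root: bool = (
            os.path.commonpath([feed_root, enclosure_abs_folder]) == feed_root
        )
    except ValueError:
        # Raised when the two paths cannot be compared (e.g. different drives).
        inside_feed_root = False
    if not inside_feed_root:
        l.warn(
            f"Feed file {file_name} - enclosure folder {enclosure_abs_folder} "
            f"is outside {feed_root}, not deleting anything"
        )
        return

    feed_file_abs: str = os.path.abspath(file_name)
    existing_file_names: List[str] = os.listdir(enclosure_abs_folder)
    files_to_delete: List[str] = []
    for existing_name in existing_file_names:
        if existing_name in enclosure_file_names:
            continue
        candidate: str = os.path.join(enclosure_abs_folder, existing_name)
        # Never remove the feed itself (enclosures may share its folder), and
        # skip real directories, which os.unlink cannot remove.
        if candidate == feed_file_abs:
            continue
        if os.path.isdir(candidate) and not os.path.islink(candidate):
            continue
        files_to_delete.append(candidate)

    l.info(
        f"Feed file {file_name} - deleting {len(files_to_delete)} out of {len(existing_file_names)} files"
    )

    for stale_path in files_to_delete:
        os.unlink(stale_path)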
Пример #5
 def POST(self):
     """Create an account from the sign-up form and log the new user in.

     Every form field must be present, the two passwords must match, the
     username and password must match their regexes, and the CAPTCHA must
     verify. Any failure renders a BADREQ error page. If web.d.addUser()
     returns a falsy value, an EXISTS error page is rendered. On success
     create_cookie() is called and the client is redirected to '/'.
     """
     l.info('POST adduser')
     form = web.input()
     # (field, log line, error-page text); literals are kept exactly as
     # they are emitted today.
     required = (
         ('username', 'username field required for POST',
          'missing username'),
         ('password', 'password field required for POST',
          'missing password'),
         ('password2', 'password2 field required for POST',
          'missing password2'),
         ('recaptcha_challenge_field',
          'recaptcha_challenge_field required for POST',
          'missing recaptcha_challenge_field'),
         ('recaptcha_response_field',
          'recaptcha_response_field required for POST',
          'missing_recaptcha_response_field'),
     )
     for field, log_line, page_text in required:
         if field not in form:
             l.error(log_line)
             return render.error(web.ctx.fullpath, 'BADREQ', page_text)
     username = str(form['username'])
     password = str(form['password'])
     password2 = str(form['password2'])
     if password != password2:
         l.warn("passwords don't match. not creating user.")
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'password mismatch')
     # Only the expected pattern is logged, never the submitted value.
     if not RE_USERNAME.match(username):
         l.warn('username does not match %s' % RE_USERNAME.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'malformed username')
     if not RE_PASSWORD.match(password):
         l.warn('password does not match %s' % RE_PASSWORD.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'malformed password')
     # The CAPTCHA is verified with the private key and the client address.
     verdict = captcha.submit(form['recaptcha_challenge_field'],
                              form['recaptcha_response_field'],
                              web.captcha_private_key,
                              web.ctx.ip)
     if verdict.error_code:
         l.warn('error validating captcha: %s' % verdict.error_code)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'bad captcha: %s' % verdict.error_code)
     if not verdict.is_valid:
         l.warn('invalid captcha')
         return render.error(web.ctx.fullpath, 'BADREQ', 'bad captcha')
     # The digest is SHA-1 over the password followed by the username, so
     # the username doubles as the salt.
     # NOTE(review): a single SHA-1 pass with a predictable salt is cheap
     # to brute-force if stored digests leak. A password KDF with a random
     # per-user salt is the usual hardening, but it requires migrating any
     # digests already stored.
     digest = hashlib.sha1(password)
     digest.update(username)
     l.debug('Creating new user %s' % username)
     guid = web.d.addUser(username, digest.hexdigest())
     if guid:
         create_cookie(str(guid), username)
         return web.seeother('/')
     return render.error(web.ctx.fullpath, 'EXISTS', 'username exists')
Пример #6
 def GET(self):
     """Render the book index for a logged-on user.

     Callers for whom logged_on() is false get logon_redirect() instead.
     """
     l.info('GET index')
     if logged_on():
         catalogue = web.d.getBooks()
         # The user record is looked up from the serial carried in the cookie.
         cookie_serial = web.cookies().get(COOKIE_NAME)
         return render.index(session.cookie.getData(cookie_serial), catalogue)
     return logon_redirect()
Пример #7
	def GET(self):
		"""Render the book index for a logged-on user.

		Callers for whom logged_on() is false get logon_redirect() instead.
		"""
		l.info('GET index')
		if logged_on():
			catalogue = web.d.getBooks()
			# The user record is looked up from the serial carried in the cookie.
			cookie_serial = web.cookies().get(COOKIE_NAME)
			return render.index(session.cookie.getData(cookie_serial), catalogue)
		return logon_redirect()
Пример #8
	def POST(self):
		"""Render the checkout page for the book named in the form.

		Callers who are not logged on get logon_redirect(). A request without
		a 'book' field is redirected to '/'.
		"""
		l.info('POST checkout')
		if not logged_on():
			return logon_redirect()
		form = web.input()
		if 'book' in form:
			# NOTE(review): book goes to the template unvalidated, and no
			# anti-CSRF token is checked in this handler -- confirm the
			# template escapes it and that CSRF is handled elsewhere.
			selected = form['book']
			cookie_serial = web.cookies().get(COOKIE_NAME)
			return render.checkout(session.cookie.getData(cookie_serial), selected)
		l.error('book required for POST')
		return web.seeother('/')
Пример #9
 def POST(self):
     """Render the checkout page for the book named in the form.

     Callers who are not logged on get logon_redirect(). A request without
     a 'book' field is redirected to '/'.
     """
     l.info('POST checkout')
     if not logged_on():
         return logon_redirect()
     form = web.input()
     if 'book' in form:
         # NOTE(review): book goes to the template unvalidated, and no
         # anti-CSRF token is checked in this handler -- confirm the
         # template escapes it and that CSRF is handled elsewhere.
         selected = form['book']
         cookie_serial = web.cookies().get(COOKIE_NAME)
         return render.checkout(session.cookie.getData(cookie_serial), selected)
     l.error('book required for POST')
     return web.seeother('/')
Пример #10
	def POST(self):
		"""Create an account from the sign-up form and log the new user in.

		Every form field must be present, the two passwords must match, the
		username and password must match their regexes, and the CAPTCHA must
		verify. Any failure renders a BADREQ error page. If web.d.addUser()
		returns a falsy value, an EXISTS error page is rendered. On success
		create_cookie() is called and the client is redirected to '/'.
		"""
		l.info('POST adduser')
		form = web.input()
		# (field, log line, error-page text); literals are kept exactly as
		# they are emitted today.
		required = (
			('username', 'username field required for POST', 'missing username'),
			('password', 'password field required for POST', 'missing password'),
			('password2', 'password2 field required for POST', 'missing password2'),
			('recaptcha_challenge_field',
				'recaptcha_challenge_field required for POST',
				'missing recaptcha_challenge_field'),
			('recaptcha_response_field',
				'recaptcha_response_field required for POST',
				'missing_recaptcha_response_field'),
		)
		for field, log_line, page_text in required:
			if field not in form:
				l.error(log_line)
				return render.error(web.ctx.fullpath, 'BADREQ', page_text)
		username = str(form['username'])
		password = str(form['password'])
		password2 = str(form['password2'])
		if password != password2:
			l.warn("passwords don't match. not creating user.")
			return render.error(web.ctx.fullpath, 'BADREQ', 'password mismatch')
		# Only the expected pattern is logged, never the submitted value.
		if not RE_USERNAME.match(username):
			l.warn('username does not match %s' % RE_USERNAME.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed username')
		if not RE_PASSWORD.match(password):
			l.warn('password does not match %s' % RE_PASSWORD.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed password')
		# The CAPTCHA is verified with the private key and the client address.
		verdict = captcha.submit(
			form['recaptcha_challenge_field'],
			form['recaptcha_response_field'],
			web.captcha_private_key,
			web.ctx.ip,
		)
		if verdict.error_code:
			l.warn('error validating captcha: %s' % verdict.error_code)
			return render.error(web.ctx.fullpath, 'BADREQ', 'bad captcha: %s' % verdict.error_code)
		if not verdict.is_valid:
			l.warn('invalid captcha')
			return render.error(web.ctx.fullpath, 'BADREQ', 'bad captcha')
		# The digest is SHA-1 over the password followed by the username, so
		# the username doubles as the salt.
		# NOTE(review): a single SHA-1 pass with a predictable salt is cheap
		# to brute-force if stored digests leak. A password KDF with a random
		# per-user salt is the usual hardening, but it requires migrating any
		# digests already stored.
		digest = hashlib.sha1(password)
		digest.update(username)
		l.debug('Creating new user %s' % username)
		guid = web.d.addUser(username, digest.hexdigest())
		if guid:
			create_cookie(str(guid), username)
			return web.seeother('/')
		return render.error(web.ctx.fullpath, 'EXISTS', 'username exists')
Пример #11
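	def POST(self):
		"""Validate a purchase form and render the purchase page.

		Callers who are not logged on get logon_redirect(). Each of name,
		card, ccv, expmonth, expyear and book must be present, and name and
		card must match RE_NAME and RE_CARDNO; otherwise a BADREQ error page
		is rendered.
		"""
		l.info('POST purchase')
		if not logged_on():
			return logon_redirect()
		i = web.input()
		for field in ('name', 'card', 'ccv', 'expmonth', 'expyear', 'book'):
			if field not in i:
				l.error('%s required for POST' % field)
				return render.error(web.ctx.fullpath, 'BADREQ', 'missing %s' % field)
		name = i['name']
		card = i['card']
		book = i['book']
		# NOTE(review): ccv, expmonth and expyear are only checked for
		# presence and are never read or validated below. book reaches
		# web.d.getPrice() and the template unvalidated -- confirm both
		# handle arbitrary input safely.
		if not RE_NAME.match(name):
			l.warn('name does not match %s' % RE_NAME.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed name')
		if not RE_CARDNO.match(card):
			# The log line names the field that failed (card, not name); only
			# the pattern is logged, never the card number.
			l.warn('card does not match %s' % RE_CARDNO.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed card')
		price = web.d.getPrice(book)
		# NOTE(review): these progress traces are emitted at CRITICAL level,
		# which can drown out real alerts -- consider l.debug.
		l.critical("getting cookie")
		serial = web.cookies().get(COOKIE_NAME)
		l.critical("got serial")
		user = session.cookie.getData(serial)
		l.critical("got cookie")
		# NOTE(review): the full card number is handed to the template --
		# confirm the page masks it.
		return render.purchase(user, name, card, book, price)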
Пример #12
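 def POST(self):
     """Validate a purchase form and render the purchase page.

     Callers who are not logged on get logon_redirect(). Each of name,
     card, ccv, expmonth, expyear and book must be present, and name and
     card must match RE_NAME and RE_CARDNO; otherwise a BADREQ error page
     is rendered.
     """
     l.info('POST purchase')
     if not logged_on():
         return logon_redirect()
     i = web.input()
     for field in ('name', 'card', 'ccv', 'expmonth', 'expyear', 'book'):
         if field not in i:
             l.error('%s required for POST' % field)
             return render.error(web.ctx.fullpath, 'BADREQ',
                                 'missing %s' % field)
     name = i['name']
     card = i['card']
     book = i['book']
     # NOTE(review): ccv, expmonth and expyear are only checked for
     # presence and are never read or validated below. book reaches
     # web.d.getPrice() and the template unvalidated -- confirm both
     # handle arbitrary input safely.
     if not RE_NAME.match(name):
         l.warn('name does not match %s' % RE_NAME.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ', 'malformed name')
     if not RE_CARDNO.match(card):
         # The log line names the field that failed (card, not name); only
         # the pattern is logged, never the card number.
         l.warn('card does not match %s' % RE_CARDNO.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ', 'malformed card')
     price = web.d.getPrice(book)
     # NOTE(review): these progress traces are emitted at CRITICAL level,
     # which can drown out real alerts -- consider l.debug.
     l.critical("getting cookie")
     serial = web.cookies().get(COOKIE_NAME)
     l.critical("got serial")
     user = session.cookie.getData(serial)
     l.critical("got cookie")
     # NOTE(review): the full card number is handed to the template --
     # confirm the page masks it.
     return render.purchase(user, name, card, book, price)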
Пример #13
 def GET(self):
     """Send GET requests for the purchase page back to '/'.

     NOTE(review): the web.seeother() result is neither returned nor
     raised, so this method itself returns None. Presumably the call's
     side effects set up the redirect -- confirm against the web.py
     version in use.
     """
     l.info('GET purchase')
     home = '/'
     web.seeother(home)
Пример #14
		l.critical("got serial")
		user = session.cookie.getData(serial)
		l.critical("got cookie")
		return render.purchase(user, name, card, book, price)

# Script entry point: load configuration, wire shared state onto the `web`
# module, then start the web.py application.
if __name__ == "__main__":
	# run from the same directory as the service file
	os.chdir(rootdir)
	c = config.Configurator()
	c.load(configfile)
	# Re-initialise the existing logger object with the configured target and level.
	l.__init__(c.log, level=c.lvl)
	try:
		web.d = db.DB(c.db)
	except IOError:
		l.die("Failed to initialize database.")
	try:
		# presumably c.secret reads the key from disk, hence the IOError guard -- TODO confirm
		web.secret = c.secret
	except IOError:
		l.die("Failed to initialize secret key.")
	web.captcha_public_key = c.captcha_public_key
	web.captcha_private_key = c.captcha_private_key
	# NOTE(review): a missing captcha key is only logged; startup continues,
	# so sign-up would run without a working CAPTCHA. Consider l.die() here,
	# as is done for the database and the secret.
	if not web.captcha_public_key:
		l.critical("SECURITY ERROR: Could not get captcha public key")
	if not web.captcha_private_key:
		l.critical("SECURITY ERROR: Could not get captcha private key")
	l.info("Starting web service.")
	# Debug mode is switched off before the application object is built.
	web.config.debug = False
	app = web.application(urls, globals())
	# Sessions are stored on disk; the path is relative to rootdir because of
	# the chdir above.
	# NOTE(review): web.py's DiskStore serialises session data with pickle,
	# so the directory should be writable only by the service account.
	session = web.session.Session(app, web.session.DiskStore('ctf-data/sessions'))
	app.run()
Пример #15
 def GET(self):
     """Send GET requests for the checkout page back to '/'.

     NOTE(review): the web.seeother() result is neither returned nor
     raised, so this method itself returns None. Presumably the call's
     side effects set up the redirect -- confirm against the web.py
     version in use.
     """
     l.info('GET checkout')
     home = '/'
     web.seeother(home)
Пример #16
	def GET(self):
		"""Serve the account-creation form with an embedded CAPTCHA widget.

		expire_cookie() runs first, then the CAPTCHA markup is generated and
		handed to the adduser template.
		"""
		l.info('GET adduser')
		expire_cookie()
		# NOTE(review): error= is passed unconditionally, even on a first
		# visit -- confirm this is intended rather than leftover debugging.
		widget_html = captcha.displayhtml(
			web.captcha_public_key,
			use_ssl=True,
			error="Something broke.",
		)
		return render.adduser(widget_html)
Пример #17
	def GET(self):
		"""Serve the logon form.

		expire_cookie() is called first, so visiting this page clears
		whatever cookie that helper manages.
		"""
		l.info('GET logon')
		expire_cookie()
		logon_page = render.logon()
		return logon_page
Пример #18
 def GET(self):
     """Log the request and hand the client to logon_redirect().

     NOTE(review): no cookie or session invalidation is visible in this
     handler -- confirm that logon_redirect() or the logon page it leads
     to clears the cookie and any server-side session state.
     """
     l.info('GET logoff')
     redirect = logon_redirect()
     return redirect
Пример #19
 def GET(self):
     """Serve the logon form.

     expire_cookie() is called first, so visiting this page clears
     whatever cookie that helper manages.
     """
     l.info('GET logon')
     expire_cookie()
     logon_page = render.logon()
     return logon_page
Пример #20
	def GET(self):
		"""Log the request and hand the client to logon_redirect().

		NOTE(review): no cookie or session invalidation is visible in this
		handler -- confirm that logon_redirect() or the logon page it leads
		to clears the cookie and any server-side session state.
		"""
		l.info('GET logoff')
		redirect = logon_redirect()
		return redirect
Пример #21
	def GET(self):
		"""Send GET requests for the checkout page back to '/'.

		NOTE(review): the web.seeother() result is neither returned nor
		raised, so this method itself returns None. Presumably the call's
		side effects set up the redirect -- confirm against the web.py
		version in use.
		"""
		l.info('GET checkout')
		home = '/'
		web.seeother(home)
Пример #22
	def GET(self):
		"""Send GET requests for the purchase page back to '/'.

		NOTE(review): the web.seeother() result is neither returned nor
		raised, so this method itself returns None. Presumably the call's
		side effects set up the redirect -- confirm against the web.py
		version in use.
		"""
		l.info('GET purchase')
		home = '/'
		web.seeother(home)
Пример #23
        l.critical("got cookie")
        return render.purchase(user, name, card, book, price)


# Script entry point: load configuration, wire shared state onto the `web`
# module, then start the web.py application.
if __name__ == "__main__":
    # run from the same directory as the service file
    os.chdir(rootdir)
    c = config.Configurator()
    c.load(configfile)
    # Re-initialise the existing logger object with the configured target and level.
    l.__init__(c.log, level=c.lvl)
    try:
        web.d = db.DB(c.db)
    except IOError:
        l.die("Failed to initialize database.")
    try:
        # presumably c.secret reads the key from disk, hence the IOError guard -- TODO confirm
        web.secret = c.secret
    except IOError:
        l.die("Failed to initialize secret key.")
    web.captcha_public_key = c.captcha_public_key
    web.captcha_private_key = c.captcha_private_key
    # NOTE(review): a missing captcha key is only logged; startup continues,
    # so sign-up would run without a working CAPTCHA. Consider l.die() here,
    # as is done for the database and the secret.
    if not web.captcha_public_key:
        l.critical("SECURITY ERROR: Could not get captcha public key")
    if not web.captcha_private_key:
        l.critical("SECURITY ERROR: Could not get captcha private key")
    l.info("Starting web service.")
    # Debug mode is switched off before the application object is built.
    web.config.debug = False
    app = web.application(urls, globals())
    # Sessions are stored on disk; the path is relative to rootdir because of
    # the chdir above.
    # NOTE(review): web.py's DiskStore serialises session data with pickle,
    # so the directory should be writable only by the service account.
    session = web.session.Session(app,
                                  web.session.DiskStore('ctf-data/sessions'))
    app.run()