示例#1
文件: session.py 项目: InfoR3aper/pbl
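def login(req, **params):
    """ New login attempt. Clean out old session if present, and create new one.

    Expects 'u' (username) and 'p' (password) in params. Answers 400 with a
    plain-text message when either is missing or when a fresh session cannot
    be created. Otherwise returns a JSON object with 'success' (plus 'error'
    on a failed login). On success the session is saved and the leak ids
    described by the client's '__CJ_seen' cookie are written to user_seen.
    """

    sess = Session(req)
    if not sess.is_new():
        # Drop whatever session the client presented so an authenticated
        # session never reuses an id issued before login.
        sess.delete()
        sess = Session(req)
        if not sess.is_new():
            req.status = apache.HTTP_BAD_REQUEST
            return 'failed to create new session'

    if 'u' not in params or 'p' not in params:
        req.status = apache.HTTP_BAD_REQUEST
        return 'some parameters were not provided'

    ret = dict()

    # NOTE(review): the only account is a username/password pair embedded in
    # source; anyone who can read this file can log in. Credentials belong in
    # a user store holding salted password hashes, checked with a
    # constant-time comparison.
    if params['u'] != 'einstein' or params['p'] != 'fuckbin':
        ret['success'] = False
        ret['error'] = 'bad username or password'

        # note: session is not saved!
    else:
        ret['success'] = True

        # keep some stuff in session...
        sess['username'] = params['u']
        sess['user_id'] = 1

        # NOTE(review): a 10-year lifetime means a leaked session id stays
        # usable for a decade; consider a much shorter timeout.
        sess.set_timeout(60 * 60 * 24 * 365 * 10)  # 10 year
        sess.save()

        # grab the user's cookie, and save the seen leaks into the database.
        # The cookie is client-controlled: it may be absent, may not be valid
        # JSON, and may describe arbitrarily large ranges, so it is parsed
        # defensively and the number of expanded rows is capped.
        max_seen_ids = 10000  # reviewer-chosen bound; tune to the deployment
        values = []
        cookie = Cookie.get_cookie(req, '__CJ_seen')
        if cookie is not None:
            try:
                seen_ranges = json.loads(urllib.unquote(cookie.value))
                for seen_range in seen_ranges:
                    start = int(seen_range['start'])
                    end = int(seen_range['end'])
                    if end < start:
                        continue
                    if len(values) + (end - start + 1) > max_seen_ids:
                        break
                    values.extend(
                        [sess['user_id'], i] for i in range(start, end + 1))
            except (ValueError, TypeError, KeyError):
                # A malformed cookie must not turn a successful login into
                # a server error; ignore its contents entirely.
                values = []

        if values:
            db = Database.get()
            c = db.cursor()
            try:
                c.executemany(
                    """ replace into user_seen (user_id, leak_id) values (%s, %s) """,
                    values)
                db.commit()
            finally:
                c.close()

    req.content_type = 'application/json'
    return json.dumps(ret, ensure_ascii=False)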
示例#2
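def seen(req, **params):
    """ Return all leak id that this user has seen.

    Answers 400 'not logged in' when the request carries no existing
    session; otherwise returns JSON of the form {"items": [leak_id, ...]}.
    """

    sess = Session(req)
    if sess.is_new():
        req.status = apache.HTTP_BAD_REQUEST
        return 'not logged in'

    db = Database.get()

    c = db.cursor()
    # The user id is bound as a parameter instead of being formatted into
    # the statement, so the query text stays constant whatever the session
    # store returns.
    q = """
        select
            us.leak_id
        from
            user_seen us
        where
            us.user_id = %s
    """
    try:
        c.execute(q, (sess['user_id'],))
        r = c.fetchall()
    finally:
        c.close()

    # reformat the list...
    r = [e[0] for e in r]

    req.content_type = 'application/json'
    return json.dumps(dict(items=r), ensure_ascii=False)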
示例#3
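def index(req):
    """Record the upload output directory in the session and render test.html.

    `outdir` is read from the enclosing module (not visible in this snippet).
    """
    session = Session(req, lock=False)
    # output directory for uploaded files used in _upload_limit.py
    session.lock()
    try:
        session['outdir'] = outdir
        session.save()
    finally:
        # Release the lock even if the write or save fails, so an error here
        # does not leave the session locked.
        session.unlock()
    return psp.PSP(req, 'test.html', vars={})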
示例#4
文件: session.py 项目: InfoR3aper/pbl
def clear(req, **params):
    """ Log out: invalidate the caller's session when one already exists.

    Always answers with the JSON object {"success": true}, whether or not
    there was a session to invalidate.
    """

    existing = Session(req)
    had_session = not existing.is_new()
    if had_session:
        existing.invalidate()

    payload = {'success': True}
    req.content_type = 'application/json'
    return json.dumps(payload, ensure_ascii=False)
示例#5
文件: session.py 项目: InfoR3aper/pbl
def get(req, **params):
    """ Describe the current session as JSON.

    Returns the literal 'null' when the request has no existing session,
    otherwise an object with 'created', 'user_id' and 'username' taken from
    the session.
    """

    current = Session(req)
    if not current.is_new():
        profile = {
            'created': current.created(),
            'user_id': current['user_id'],
            'username': current['username'],
        }
        req.content_type = 'application/json'
        return json.dumps(profile, ensure_ascii=False)

    # No session was presented: answer with JSON null.
    req.content_type = 'application/json'
    return 'null'
示例#6
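def fixuphandler(req):
    """Screen POST requests before the content handler runs.

    Non-POST requests pass through with apache.OK. A POST without a usable
    Content-Length is answered with 411, one larger than UPLOAD_LIMIT with
    413. For URIs starting with '/upload_file' the target file name is taken
    from the 'id' query argument, reduced to its final path component, and
    the upload is streamed through StorageFactory into the session's
    'outdir'. Returns apache.DONE when a response body has been written
    here, apache.OK otherwise.
    """
    if req.method == 'POST':
        length = req.headers_in.get('Content-Length')
        # A non-numeric or negative Content-Length is treated like a missing
        # one; otherwise int() would raise, or a negative value would slip
        # under the size limit.
        try:
            size = int(length) if length is not None else None
        except ValueError:
            size = None
        if size is None or size < 0:
            req.status = apache.HTTP_LENGTH_REQUIRED
            req.write("{ 'code': 5, 'desc': 'content length required' }")
            return apache.DONE
        elif size > UPLOAD_LIMIT:
            req.status = apache.HTTP_REQUEST_ENTITY_TOO_LARGE
            req.write("{ 'code': 4, 'desc': 'upload maximum size exceeded' }")
            return apache.DONE
        elif req.uri.startswith('/upload_file'):
            # parse arguments; partition() tolerates parts without '=' (for
            # example an empty query string) instead of raising.
            args = dict(part.partition('=')[::2]
                        for part in (req.args or "").split('&'))
            filename = ""
            if args.get('id'):
                # Decode BEFORE taking the last path component. Splitting
                # the still-encoded value lets an encoded separator ('%2F')
                # survive the split and reappear as '/' after decoding,
                # which would carry directory components into the join
                # below.
                filename = os.path.split(urllib.unquote(args['id']))[1]
            # '.' and '..' name directories rather than files; they are
            # rejected with the same response as a missing id.
            if filename in ("", ".", ".."):
                req.write("{ 'code': 3, 'desc': 'id not supplied' }")
                return apache.DONE
            if not hasattr(req, "session"):
                req.session = Session(req, lock=False)
            session = req.session
            session.lock()
            try:
                already_exists = filename in os.listdir(session['outdir'])
                if not already_exists:
                    session['temp_name_' + filename] = os.path.join(
                        session['outdir'], filename)
                    session['temp_size_' + filename] = size
                    session.save()
                    file_factory = StorageFactory(session['outdir'])
            finally:
                # Always release the lock, including when 'outdir' is
                # missing from the session or the directory listing fails.
                session.unlock()
            if already_exists:
                req.write("{ 'code': 1, 'desc': 'already exist' }")
                return apache.DONE
            util.FieldStorage(req,
                              keep_blank_values=False,
                              file_callback=file_factory.create)
    return apache.OK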
示例#7
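def index(req, **params):
    """ List recent leaks as JSON: {"items": [row, ...]}.

    Each row is [leak_id, seen, date, comment, reason, source, metadata],
    where metadata is a dict of name -> value from leak_metadata.

    parameters (the first one present is used):
        - after:
            show leaks whose leak_id is >= this number
        - before:
            show leaks whose leak_id is <= this number (at most 10 rows)
        - period:
            only 'initial' is accepted: today's leaks, or the latest 200
            parsed leaks when there are none today

    Answers 400 with a plain-text message when no selector is supplied or
    its value is not acceptable.
    """

    limit = ''
    if 'after' in params:
        if not params['after'].isdigit():
            req.status = apache.HTTP_BAD_REQUEST
            return '"after" param is not digits'

        leak_id = int(params['after'])
        where = 'l.leak_id >= %u' % leak_id

    elif 'before' in params:
        # Validate and read 'before' itself. Reading 'after' here can only
        # raise KeyError, because this branch is reached only when 'after'
        # is absent.
        if not params['before'].isdigit():
            req.status = apache.HTTP_BAD_REQUEST
            return '"before" param is not digits'

        leak_id = int(params['before'])
        where = 'l.leak_id <= %u' % leak_id
        limit = 'limit 10'

    elif 'period' in params:
        if params['period'] == 'initial':
            # By default, load today's leaks, otherwise load the last 300 leaks from whenever...
            where = 'DATE(FROM_UNIXTIME(l.date)) = DATE(SYSDATE())'
        else:
            req.status = apache.HTTP_BAD_REQUEST
            return '"period" param has unknown value'
    else:
        req.status = apache.HTTP_BAD_REQUEST
        return 'bad request'

    # `where` and `limit` are built only from fixed text and validated
    # integers. Values read from the session or the database are bound as
    # query parameters rather than formatted into the SQL text.
    sess = Session(req)
    if sess.is_new():
        seen = 'false'
        seen_args = None
    else:
        seen = '(select true from user_seen us where us.user_id = %s and us.leak_id = l.leak_id)'
        seen_args = (sess['user_id'],)

    db = Database.get()

    c = db.cursor()
    try:
        q = """
        select
            l.leak_id,
            ({seen}) as seen,
            l.date, l.comment, l.reason, l.source
        from
            leaks l
        where
            {where} and
            l.isparsed = 1
        order by leak_id
        {limit}
    """.format(seen=seen, where=where, limit=limit)
        c.execute(q, seen_args)
        r = list(c.fetchall())

        if not r and params.get('period') == 'initial':
            # last chance to get some latest entry...
            c.execute("""
            select
                l.leak_id,
                ({seen}) as seen,
                l.date, l.comment, l.reason, l.source
            from
                leaks l
            where
                l.isparsed = 1
            order by leak_id desc
            limit 200
        """.format(seen=seen), seen_args)
            r = list(c.fetchall())
            r.reverse()

        if r:
            leak_ids = [e[0] for e in r]
            placeholders = ','.join(['%s'] * len(leak_ids))
            c.execute("""
            select
                leak_id, name, value
            from
                leak_metadata
            where
                leak_id in ({ids})
        """.format(ids=placeholders), leak_ids)
            metadata = c.fetchall()

            # Group metadata by leak id once instead of rescanning the whole
            # metadata list for every row.
            meta_by_leak = {}
            for meta_leak_id, name, value in metadata:
                meta_by_leak.setdefault(meta_leak_id, {})[name] = value

            # append a dictionary at the end of every entry
            r = [list(row) + [dict(meta_by_leak.get(row[0], {}))]
                 for row in r]
    finally:
        c.close()

    req.content_type = 'application/json'
    return json.dumps(dict(items=r), ensure_ascii=False)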
示例#8
 def _wrapper(req, *args, **kwargs):
     """Attach an unlocked Session to req when it has none, then call f.

     `f` comes from the enclosing scope, which is not visible in this
     snippet; its return value is passed through unchanged.
     """
     session_missing = not hasattr(req, "session")
     if session_missing:
         req.session = Session(req, lock=False)
     result = f(req, *args, **kwargs)
     return result