# vim: set sw=4 expandtab :
#
# Copyright 2004 Apache Software Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you
# may not use this file except in compliance with the License. You
# may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing
# permissions and limitations under the License.
#
# Originally developed by Gregory Trubetskoy.
#
# $Id: Cookie.py 472053 2006-11-07 10:11:01Z grahamd $
"""
This module contains classes to support HTTP State Management
Mechanism, also known as Cookies. The classes provide simple
ways for creating, parsing and digitally signing cookies, as
well as the ability to store simple Python objects in Cookies
(using marshalling).
The behaviour of the classes is designed to be most useful
within mod_python applications.
The current state of HTTP State Management standardization is
rather unclear. It appears that the de-facto standard is the
original Netscape specification, even though two RFCs
have already been published (RFC2109 (1997) and RFC2965 (2000)). The
RFCs add a couple of useful features (e.g. using Max-Age instead
of Expires), but my limited tests show that Max-Age is ignored
by the two browsers tested (IE and Safari). As a result of this,
perhaps trying to be RFC-compliant (by automatically providing
Max-Age and Version) could be a waste of cookie space...
"""
import base64
import binascii
import calendar
import hmac
import marshal
import re
import time
# import apache
class CookieError(Exception):
    """
    Raised by the cookie classes in this module when a cookie cannot be
    signed (no secret), fails signature verification, or cannot be
    base64-decoded / unmarshalled.
    """
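class metaCookie(type):
    """
    Metaclass for Cookie and its subclasses.

    It fixes the set of permitted cookie attributes (``_valid_attr``),
    restricts instances to exactly those attributes plus the internal
    ones through ``__slots__``, and installs the ``expires`` property
    that normalises dates to the Netscape "Wdy, DD-Mon-YYYY HH:MM:SS GMT"
    format.
    """

    def __new__(cls, clsname, bases, clsdict):
        _valid_attr = (
            "version", "path", "domain", "secure",
            "comment", "expires", "max_age",
            # RFC 2965
            "commentURL", "discard", "port",
            # Microsoft Extension
            "httponly")

        # _valid_attr + property values
        # (note __slots__ is a new Python feature, it
        # prevents any other attribute from being set)
        #
        # "expires" is deliberately not a slot: it is served by the property
        # installed below, which takes precedence over a slot descriptor of
        # the same name anyway, and newer interpreters reject a name that is
        # both a slot and a class attribute.
        _slot_attrs = tuple([a for a in _valid_attr if a != "expires"])
        __slots__ = _slot_attrs + ("name", "value", "_value",
                                   "_expires", "__data__")

        clsdict["_valid_attr"] = _valid_attr
        clsdict["__slots__"] = __slots__

        def set_expires(self, value):
            """
            Store ``value`` as a Netscape-format GMT date string.

            ``value`` is either such a string already
            ("%a, %d-%b-%Y %H:%M:%S GMT") or a number of seconds since the
            epoch as returned by time.time(). Raises ValueError when a
            string does not parse.
            """
            if isinstance(value, str):
                # if it's a string, it should be
                # valid format as per Netscape spec
                try:
                    t = time.strptime(value, "%a, %d-%b-%Y %H:%M:%S GMT")
                except ValueError:
                    raise ValueError("Invalid expires time: %s" % value)
                # the string is explicitly GMT, so convert it with timegm;
                # time.mktime would read the fields as local time and shift
                # the stored date by the server's UTC offset
                t = calendar.timegm(t)
            else:
                # otherwise assume it's a number
                # representing time as from time.time()
                t = value

            value = time.strftime("%a, %d-%b-%Y %H:%M:%S GMT",
                                  time.gmtime(t))
            self._expires = "%s" % value

        def get_expires(self):
            """Return the normalised expires string (AttributeError if unset)."""
            return self._expires

        clsdict["expires"] = property(fget=get_expires, fset=set_expires)

        return type.__new__(cls, clsname, bases, clsdict)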
class Cookie(object):
    """
    This class implements the basic Cookie functionality. Note that
    unlike the Python Standard Library Cookie class, this class represents
    a single cookie (not a list of Morsels).

    The header text produced by ``__str__`` is built by plain string
    formatting: the name, the value and every attribute are emitted
    verbatim, so callers must make sure values contain no ';', CR or LF.
    """

    __metaclass__ = metaCookie

    # policies for SignedCookie.parse / MarshalCookie.parse when a
    # signature does not verify
    DOWNGRADE = 0
    IGNORE = 1
    EXCEPTION = 3

    def parse(Class, str, **kw):
        """
        Parse a Cookie or Set-Cookie header value, and return
        a dict of Cookies. Note: the string should NOT include the
        header name, only the value.
        """
        return _parse_cookie(str, Class, **kw)

    parse = classmethod(parse)

    def __init__(self, name, value, **kw):
        """
        This constructor takes at least a name and value as the
        arguments, as well as optionally any of allowed cookie attributes
        as defined in the existing cookie standards.
        """
        self.name = name
        self.value = value
        # attribute names are normalised to lower case; __slots__ (installed
        # by the metaclass) rejects anything outside _valid_attr
        for attr, attr_value in kw.items():
            setattr(self, attr.lower(), attr_value)

        # subclasses can use this for internal stuff
        self.__data__ = {}

    def __str__(self):
        """
        Provides the string representation of the Cookie suitable for
        sending to the browser. Note that the actual header name will
        not be part of the string.

        This method makes no attempt to automatically double-quote
        strings that contain special characters, even though the RFC's
        dictate this. This is because doing so seems to confuse most
        browsers out there.
        """
        parts = ["%s=%s" % (self.name, self.value)]
        for attr in self._valid_attr:
            if not hasattr(self, attr):
                continue
            if attr in ("secure", "discard", "httponly"):
                # flag attributes are written as a bare word whenever they
                # are set, whatever their value
                parts.append(attr)
            else:
                parts.append("%s=%s" % (attr, getattr(self, attr)))
        return "; ".join(parts)

    def __repr__(self):
        return '<%s: %s>' % (self.__class__.__name__, str(self))
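class SignedCookie(Cookie):
    """
    This is a variation of Cookie that provides automatic
    cryptographic signing of cookies and verification. It uses
    the HMAC support in the Python standard library. This ensures
    that the cookie has not been tampered with on the client side.
    Note that this class does not encrypt cookie data, thus it
    is still plainly visible as part of the cookie.

    On the wire the value is ``<hexdigest><value>``: the hex HMAC (hmac.new's
    default digest, MD5, hence 32 hexadecimal characters) keyed with the
    secret over the cookie name immediately followed by the value.
    """

    def parse(Class, s, secret, mismatch=Cookie.DOWNGRADE, **kw):
        """
        Parse a header value into a dict of SignedCookies, verifying each
        one against ``secret``.

        ``mismatch`` selects what happens to a cookie whose signature does
        not verify: Cookie.EXCEPTION re-raises the CookieError,
        Cookie.IGNORE drops the cookie, and Cookie.DOWNGRADE (the default)
        replaces it with a plain Cookie whose value is the raw string,
        digest prefix included.
        """
        cookies = _parse_cookie(s, Class, **kw)
        rejected = []
        for name in cookies:
            cookie = cookies[name]
            try:
                cookie.unsign(secret)
            except CookieError:
                if mismatch == Cookie.EXCEPTION:
                    raise
                elif mismatch == Cookie.IGNORE:
                    rejected.append(name)
                else:
                    # downgrade to Cookie
                    cookies[name] = Cookie.parse(Cookie.__str__(cookie))[name]
        for name in rejected:
            del cookies[name]
        return cookies

    parse = classmethod(parse)

    def __init__(self, name, value, secret=None, **kw):
        """Like Cookie.__init__, plus the ``secret`` used to sign the value."""
        Cookie.__init__(self, name, value, **kw)
        self.__data__["secret"] = secret

    def hexdigest(self, str):
        """
        Return the hex HMAC of ``str`` keyed with the stored secret, with
        the cookie name fed in before ``str``. Raises CookieError when no
        secret is available.
        """
        if not self.__data__["secret"]:
            raise CookieError("Cannot sign without a secret")
        # NOTE: name and value enter the HMAC with no delimiter between
        # them, so the signature only binds their concatenation; look a
        # cookie up by the name you expect rather than trusting any name
        # whose signature happens to verify.
        _hmac = hmac.new(self.__data__["secret"], self.name)
        _hmac.update(str)
        return _hmac.hexdigest()

    def __str__(self):
        """Header text ``name=<hexdigest><value>; attr...``; see Cookie.__str__."""
        parts = ["%s=%s%s" % (self.name, self.hexdigest(self.value),
                              self.value)]
        for attr in self._valid_attr:
            if hasattr(self, attr):
                if attr in ("secure", "discard", "httponly"):
                    parts.append(attr)
                else:
                    parts.append("%s=%s" % (attr, getattr(self, attr)))
        return "; ".join(parts)

    def _digests_equal(self, expected, sig):
        """
        Compare two hex digests without stopping at the first differing
        character, so the time taken does not reveal how much of a forged
        signature was right. Uses hmac.compare_digest when the interpreter
        provides it.
        """
        compare = getattr(hmac, "compare_digest", None)
        if compare is not None:
            try:
                return compare(expected, sig)
            except TypeError:
                # compare_digest refuses mismatched or non-ASCII inputs;
                # such a signature cannot be valid
                return False
        if len(expected) != len(sig):
            return False
        diff = 0
        for x, y in zip(expected, sig):
            diff |= ord(x) ^ ord(y)
        return diff == 0

    def unsign(self, secret):
        """
        Verify the digest prefix of ``value`` against ``secret``. On success
        strip the prefix and remember the secret; otherwise raise
        CookieError and leave ``value`` untouched.
        """
        # the first 32 characters are the hex MD5-HMAC; a shorter value
        # simply fails to verify
        sig, val = self.value[:32], self.value[32:]

        mac = hmac.new(secret, self.name)
        mac.update(val)

        if self._digests_equal(mac.hexdigest(), sig):
            self.value = val
            self.__data__["secret"] = secret
        else:
            raise CookieError("Incorrectly Signed Cookie: %s=%s" % (self.name, self.value))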
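class MarshalCookie(SignedCookie):
    """
    This is a variation of SignedCookie that can store more than
    just strings. It will automatically marshal the cookie value,
    therefore any marshallable object can be used as value.

    The standard library Cookie module provides the ability to pickle
    data, which is a major security problem. It is believed that unmarshalling
    (as opposed to unpickling) is safe, yet we still err on the side of caution
    which is why this class is a subclass of SignedCookie making sure what
    we are about to unmarshal passes the digital signature test.

    Here is a link to a suggestion that marshalling is safer than unpickling
    http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=7xn0hcugmy.fsf%40ruckus.brouhaha.com

    The signature covers the base64 text of the marshalled value, not the
    object itself. NOTE(review): marshal's format is documented as
    Python-version specific, so a cookie issued by one interpreter may not
    unmarshal under another -- confirm if the deployment mixes versions.
    """

    def parse(Class, s, secret, mismatch=Cookie.DOWNGRADE, **kw):
        """
        Parse a header value into a dict of MarshalCookies, verifying and
        unmarshalling each one with ``secret``. ``mismatch`` works as in
        SignedCookie.parse: EXCEPTION re-raises, IGNORE drops the cookie,
        DOWNGRADE (default) keeps it as a plain Cookie with the raw value.
        """
        cookies = _parse_cookie(s, Class, **kw)
        rejected = []
        for name in cookies:
            cookie = cookies[name]
            try:
                cookie.unmarshal(secret)
            except CookieError:
                if mismatch == Cookie.EXCEPTION:
                    raise
                elif mismatch == Cookie.IGNORE:
                    rejected.append(name)
                else:
                    # downgrade to Cookie
                    cookies[name] = Cookie.parse(Cookie.__str__(cookie))[name]
        for name in rejected:
            del cookies[name]
        return cookies

    parse = classmethod(parse)

    def __str__(self):
        """
        Header text ``name=<hexdigest><base64 of marshal.dumps(value)>; attr...``.
        """
        m = base64.encodestring(marshal.dumps(self.value))
        # on long cookies, the base64 encoding can contain multiple lines
        # separated by \n or \r\n
        m = ''.join(m.split())
        parts = ["%s=%s%s" % (self.name, self.hexdigest(m), m)]
        for attr in self._valid_attr:
            if hasattr(self, attr):
                if attr in ("secure", "discard", "httponly"):
                    parts.append(attr)
                else:
                    parts.append("%s=%s" % (attr, getattr(self, attr)))
        return "; ".join(parts)

    def unmarshal(self, secret):
        """
        Verify the signature, then base64-decode and unmarshal ``value`` in
        place. Raises CookieError if any step fails.

        The signature check runs first so that marshal.loads only ever
        sees data that was produced under ``secret``; keep that order.
        """
        self.unsign(secret)

        try:
            data = base64.decodestring(self.value)
        except (binascii.Error, TypeError, ValueError):
            # binascii.Error for malformed base64, TypeError/ValueError for a
            # value of the wrong type or encoding; the former bare except
            # also swallowed unrelated errors such as KeyboardInterrupt
            raise CookieError("Cannot base64 Decode Cookie: %s=%s" % (self.name, self.value))

        try:
            self.value = marshal.loads(data)
        except (EOFError, ValueError, TypeError):
            raise CookieError("Cannot Unmarshal Cookie: %s=%s" % (self.name, self.value))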
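# This is a simplified and in some places corrected
# (at least I think it is) pattern from standard lib Cookie.py
_cookiePattern = re.compile(
    r"(?x)"                       # Verbose pattern
    r"[,\ ]*"                     # space/comma (RFC2616 4.2) before attr-val is eaten
    r"(?P<key>"                   # Start of group 'key'
    r"[^;\ =]+"                   # anything but ';', ' ' or '='
    r")"                          # End of group 'key'
    r"\ *(=\ *)?"                 # a space, then may be "=", more space
    r"(?P<val>"                   # Start of group 'val'
    r'"(?:[^\\"]|\\.)*"'          # a doublequoted string
    r"|"                          # or
    r"[^;]*"                      # any word or empty string
    r")"                          # End of group 'val'
    r"\s*;?"                      # probably ending in a semi-colon
    )


def _parse_cookie(str, Class, names=None):
    """
    Split a Cookie/Set-Cookie header value into ``{name: Class(name, value)}``.

    ``names``, when given, restricts the result to those cookie names.
    Names starting with '$' are always skipped: they are RFC2965 cookie
    attributes ($Version, $Path, ...), not cookies (see bug
    [#MODPYTHON-3]). A name that occurs twice keeps its last value.
    """
    # XXX problem is we should allow duplicate
    # strings
    result = {}
    for match in _cookiePattern.finditer(str):
        key, val = match.group("key"), match.group("val")
        if key[0] == '$':
            # RFC2965 attribute, never a cookie
            continue
        # the former condition "key[0]!='$' and names is None or key in names"
        # evaluated "key in None" for a '$' key with the default names and
        # raised TypeError on any RFC2965 client
        if names is None or key in names:
            result[key] = Class(key, val)
    return result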
def add_cookie(req, cookie, value="", **kw):
    """
    Sets a cookie in outgoing headers and adds a cache
    directive so that caches don't cache the cookie.

    ``cookie`` may be a Cookie instance or just a name; in the latter
    case a plain Cookie is built from the name, ``value`` and the
    attribute keywords. The Cache-Control directive is only added while
    no Set-Cookie header is present in ``req.headers_out`` yet.
    """
    if not isinstance(cookie, Cookie):
        # not a cookie yet: build one from name/value/attributes
        cookie = Cookie(cookie, value, **kw)

    headers = req.headers_out
    if not headers.has_key("Set-Cookie"):
        headers.add("Cache-Control", 'no-cache="set-cookie"')
    headers.add("Set-Cookie", str(cookie))
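def get_cookies(req, Class=Cookie, **kw):
    """
    A shorthand for retrieving and parsing cookies given
    a Cookie class. The class must be one of the classes from
    this module.

    Returns an empty dict when the request carries no Cookie header.
    Extra keyword arguments (``secret`` and ``mismatch`` for the signed
    classes, ``names`` to filter) are passed on to ``Class.parse``.
    """
    if not req.headers_in.has_key("cookie"):
        return {}

    cookies = req.headers_in["cookie"]
    # the header may be handed over as a list of values; fold them into
    # a single header value before parsing
    if isinstance(cookies, list):
        cookies = '; '.join(cookies)

    return Class.parse(cookies, **kw)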
def get_cookie(req, name, Class=Cookie, **kw):
    """
    Return the single cookie called ``name``, parsed with ``Class``, or
    None when the request does not carry it.
    """
    found = get_cookies(req, Class, names=[name], **kw)
    return found.get(name)