further improvements to RESTful API: enforce security headers across …

…all HTTP responses properly and make consistent responses across methods (#297)
sqlmapproject · Dec 14, 2012 · 3d9779f · 3d9779f
1 parent 7b43837
commit 3d9779f
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/lib/utils/restapi.py b/lib/utils/restapi.py
@@ -20,15 +20,16 @@
 from extra.bottle.bottle import debug
 from extra.bottle.bottle import error
 from extra.bottle.bottle import get
+from extra.bottle.bottle import hook
 from extra.bottle.bottle import post
 from extra.bottle.bottle import request
 from extra.bottle.bottle import response
-from extra.bottle.bottle import Response
 from extra.bottle.bottle import run
 from extra.bottle.bottle import static_file
 from extra.bottle.bottle import template
 from lib.controller.controller import start
 from lib.core.convert import hexencode
+from lib.core.data import paths
 from lib.core.datatype import AttribDict
 from lib.core.data import cmdLineOptions
 from lib.core.data import kb
@@ -38,12 +39,11 @@
 from lib.core.settings import UNICODE_ENCODING
 from lib.core.settings import RESTAPI_SERVER_PORT
 
+
 # local global variables
 session_ids = []
 admin_id = ""
 
-Response(headers={"X-Frame-Options": "sameorigin", "X-XSS-Protection": "1; mode=block"})
-
 
 # Generic functions
 def jsonize(data):
@@ -61,6 +61,16 @@ def is_admin(session_id):
         return True
 
 
+@hook('after_request')
+def security_headers():
+    """
+    Set some headers across all HTTP responses
+    """
+    response.headers["Server"] = "Server"
+    response.headers["X-Frame-Options"] = "sameorigin"
+    response.headers["X-XSS-Protection"] = "1; mode=block"
+
+
 # HTTP Status Code functions
 @error(401) # Access Denied
 def error401(error):
@@ -107,7 +117,7 @@ def session_destroy():
     session_id = request.json.get("sessionid", "")
     if session_id in session_ids:
         session_ids.remove(session_id)
-        return "Done"
+        return jsonize({"success": True})
     else:
         abort(500)
 
@@ -132,6 +142,7 @@ def session_flush():
     global session_ids
     if is_admin(request.json.get("sessionid", "")):
         session_ids = []
+        return jsonize({"success": True})
     else:
         abort(401)