#! /usr/local/bin/python -u
import sys
import os
import traceback
import string
import time
import cgi
import re
import types
import config
import auth
import home
import tools
def main(environ=os.environ):
    """CGI entry point of the application.

    Builds the request dictionary ``pard`` from the configuration, the CGI
    environment and the submitted form, resolves which ``module.program``
    pair handles the request (either a trusted source address plus token,
    or the session 'sid' plus the TOKEN table), dispatches to it, writes the
    HTTP response to ``sys.stdout`` and finally appends the hit to the
    application log and to the session record.

    Args:
        environ: mapping of CGI variables; defaults to ``os.environ``.

    Returns:
        None.  Output is written to ``sys.stdout``; when the request fails
        the page produced by ``home.error_manager`` is written instead.

    NOTE(review): indentation was lost in extraction; the nesting below is
    reconstructed from the control flow (in particular the placement of the
    ``command`` / ``flag`` computation and of the ``build_not_authorized``
    branch) and should be checked against the original file.
    """
    start = time.time()
    pard = {}
    pard['ERROR'] = ''
    pard['html'] = ''
    pard['file_upload'] = []
    html = ''         # never reassigned in this function (see the log_sid() call below)
    error_log = ''
    error_sid = ''
    command = ''      # stays '' on the trusted-address paths; only the session path sets it
    id_utente = ''    # unused here
    # From here on the interpreter's stderr is the CGI response body: anything
    # written to stderr (warnings, uncaught-exception text) reaches the client.
    sys.stderr = sys.stdout
    pard['header'] = 'Content-type: text/html\n\n'
    #pard['header'] = 'Content-type: text/html; charset="iso-8859-1"\n\n' ##SECURITY
    #filtro = re.compile(r'[&;`\'\\\"\*\?~<>^\(\)[]\{\}\$\n\r]', re.IGNORECASE) ##SECURITY
    #filtro = re.compile(r'^(http|ftp|https)://[-A-Za-z0-9._/]+$', re.IGNORECASE) ### url security normal
    #filtro = re.compile(r'^(http|ftp|https)://[-A-Za-z0-9._]+(\/([A-Za-z0-9\-\_\.\!\~\*\'\(\)\%\?]+))*/?$', re.IGNORECASE) ### url security strict
    #####filtro = re.compile(r'((\%3C)|<)(.+?)((\%3E)|>)', re.IGNORECASE) #XSS paranoid filter GOOD!!!
    #####filtro = re.compile(r'(\%3D)|(=)[^\n]*(\%27)|(\')|(\-\-)|(##)|(\%3B)|(;)|union', re.IGNORECASE) #SQL paranoid filter GOOD!!!
    #QUERY_STRING, HTTP_REFERER, REQUEST_URI
    #sys.stdout.write(pard['header'])
    #sys.stdout.write(repr(os.environ))
    try:
        # Configuration first; CGI variables only fill keys config did not set,
        # so a config key cannot be shadowed by an environment variable.
        pard = config.global_parameters(pard)
        for k in environ.keys():
            if not k in pard.keys():
                pard[k] = environ[k]
        # Client-supplied header; used verbatim by log_hit() for the log line.
        pard['HTTP_REFERER'] = pard.get('HTTP_REFERER', '')
        #pard['tok'] = pard.get('tok', '')
        #form = cgi.parse(mylocalfile)
        form = cgi.FieldStorage(keep_blank_values=1)
        # import urlparse
        # try:
        # request_body_size = int(environ.get('CONTENT_LENGTH', 0))
        # except (ValueError):
        # request_body_size = 0
        # fp = sys.stdin
        # request_body = fp.read(request_body_size)
        # form = dict(urlparse.parse_qsl(request_body))
        #form = cgi.parse_qs(request_body, keep_blank_values=1)
        # 'ban_analyze_save' path: the form is rebuilt from the text of repr(form),
        # presumably to keep a single value per field name instead of the list
        # getvalue() returns for repeated fields -- confirm with the caller.
        # NOTE(review): eval() on text derived from the request body.  repr()
        # quotes the values, but the split on ', MiniFieldStorage' is purely
        # textual, so field values are not reliably isolated from the text that
        # is eval'd.  form.getlist(k)[-1] / form.getvalue(k) would give the same
        # result without eval -- verify and replace.
        if form.has_key('tok') and form.getvalue('tok', '') == 'ban_analyze_save':
            buf = repr(form)
            buf = buf.replace('FieldStorage(None, None, [MiniFieldStorage', '').replace('])', '')
            buf = buf.split(', MiniFieldStorage')
            buffer = {}
            for item in buf:
                (k, v) = eval(item)
                buffer[k] = v
        # Form fields fill only keys that config/environ did not already set,
        # so a request cannot override those.  Values are stored raw: the
        # escaping/filtering blocks below are commented out, so output
        # encoding has to happen in the dispatched modules.
        for k in form.keys():
            if not k in pard.keys():
                # Uploads: 'file_upload_*' fields with a filename are collected
                # separately (content is the whole file body).
                if (k[0:12] == 'file_upload_') and (form[k].filename != ''):
                    pard['file_upload'].append({'filename': form[k].filename, 'content': form.getvalue(k, ''), 'form_id': k})
                else:
                    if form.has_key('tok') and form.getvalue('tok', '') == 'ban_analyze_save':
                        pard[k] = buffer[k]
                    else:
                        pard[k] = form.getvalue(k, '')
                    ######pard[k] = cgi.escape(pard[k]) SECURITY VERY IMPORTANT
                    ### SECURITY USING SUB
                    #if type(pard[k]) == types.ListType:
                    # for r in pard[k]:
                    # pard[k][i] = filtro.sub('', r)
                    #else:
                    # pard[k] = filtro.sub('', pard[k])
                    ### SECURITY USING ENCODE
                    #if type(pard[k]) == types.ListType:
                    # for r in pard[k]:
                    # pard[k][i] = cgi.escape(pard[k])
                    #else:
                    # pard[k] = cgi.escape(pard[k])
                    ### END SECURITY
        # Machine-to-machine callers: trust is decided by REMOTE_ADDR (as the
        # web server reports it) matching one of two hard-coded addresses,
        # plus the submitted 'tok' being listed for that address in TRUSTED_IP.
        # The address literals duplicate the TRUSTED_IP keys, so a config
        # change must be mirrored here.  No session is loaded on this path.
        if (pard['REMOTE_ADDR'] == '62.149.197.207') and pard['TRUSTED_IP'].has_key('62.149.197.207') and (pard['tok'] in pard['TRUSTED_IP']['62.149.197.207']['tok']):
            flag = 'GO'
            pard['module'] = pard['TOKEN'][pard['tok']]['module']
            pard['program'] = pard['TOKEN'][pard['tok']]['program']
        elif (pard['REMOTE_ADDR'] == '62.149.198.131') and pard['TRUSTED_IP'].has_key('62.149.198.131') and (pard['tok'] in pard['TRUSTED_IP']['62.149.198.131']['tok']):
            flag = 'GO'
            pard['module'] = pard['TOKEN'][pard['tok']]['module']
            pard['program'] = pard['TOKEN'][pard['tok']]['program']
        else:
            # Interactive callers: validate the session id first.
            pard = auth.check_sid(pard)
            if pard['flag_sid'] == 'NEW':
                # No valid session: issue a fresh sid and force the login page.
                pard['tmp_sid'] = auth.calc_sid(pard)
                pard['module'] = 'auth'
                pard['program'] = 'login'
            else:
                #sys.stdout.write(pard['header'])
                #sys.stdout.write(repr(pard['tok']))
                # The bare except covers a 'tok' missing from TOKEN (KeyError):
                # an unknown token is treated exactly like a missing session.
                try:
                    pard['module'] = pard['TOKEN'][pard['tok']]['module']
                    pard['program'] = pard['TOKEN'][pard['tok']]['program']
                    #pard['action'] = pard['TOKEN'][pard['tok']]['action']
                    pard['menu_id'] = pard['TOKEN'][pard['tok']]['menu_id']
                    pard['menu_selected'] = pard['menu_id']
                except:
                    pard['flag_sid'] = 'NEW'
                    pard['tmp_sid'] = auth.calc_sid(pard)
                    pard['module'] = 'auth'
                    pard['program'] = 'login'
            # Used only for logging and for the login-page check below.
            command = pard['module'] + '.' + pard['program'] + '(pard)'
            if command not in ['auth.login(pard)', 'auth.check_authentication(pard)']:
                # Authorization: the selected menu entry must be in the
                # session's authorizations and the module in the modules the
                # session may use; anything else is 'STOP'.
                pard = auth.load_sid_data(pard)
                pard['auth_module'] = auth.load_auth_module(pard)
                #tools.dump3(pard, pard['module'])
                #tools.dump3(pard, pard['auth_module'])
                #tools.dump3(pard, pard['menu_selected'])
                #tools.dump3(pard, pard['sid_autorizzazioni'])
                if ((pard['menu_selected'] in pard['sid_autorizzazioni']) and (pard['module'] in pard['auth_module'])):
                    flag = 'GO'
                else:
                    flag = 'STOP'
            else:
                flag = 'LOGIN'
        # Dispatch.  The module name comes from the TOKEN table or the literal
        # 'auth', never straight from the form, and must exist as .py/.pyc under
        # BIN_DIR.  If the program name is not in the module nothing is rendered
        # and pard['html'] stays ''.
        if flag in ('GO', 'LOGIN'):
            if os.path.isfile(pard['BIN_DIR'] + '/' + pard['module'] + '.py') or os.path.isfile(pard['BIN_DIR'] + '/' + pard['module'] + '.pyc'):
                if __import__(pard['module']).__dict__.has_key(pard['program']):
                    pard = __import__(pard['module']).__dict__[pard['program']](pard)
        else:
            # NOTE(review): pairing of this else with the flag check is a
            # reconstruction -- confirm.
            pard = home.build_not_authorized(pard)
        stop = time.time()
    except:
        # Any failure above: capture the traceback into pard['ERROR'] (it is
        # also dumped into the .err file by log_hit) and render the error page.
        stop = time.time()
        pard['ERROR'] = build_exception()
        #try:
        pard = home.error_manager(pard)
        #except:
        # pard['html'] = 'Error manager!'
    sys.stdout.write(pard['header'])
    sys.stdout.write(pard['html'])
    pard['sid_id_utente'] = pard.get('sid_id_utente', '')
    error_log = log_hit(start, stop, pard['REMOTE_ADDR'], pard['sid_id_utente'], command, len(pard['html']), pard['ERROR'], pard)
    # NOTE(review): 'html' is the local initialised to '' above, so the byte
    # count stored in the session is always 0; presumably len(pard['html'])
    # was intended.
    error_sid = log_sid(start, stop, len(html), pard)
    # Logging failures are appended to the already-written response body.
    if error_log:
        sys.stdout.write(error_log)
    if error_sid:
        sys.stdout.write(error_sid)
    #exec_time = repr(stop - start)[0:5]
    #print '
# --- Tail of build_exception(): its 'def' line and opening statements were
#     lost in extraction (the text between the "#print '" above and here was
#     stripped as if it were an HTML tag).  The recovered tokens are kept as
#     found.  From the usage in main() the function returns the formatted,
#     HTML-escaped traceback of the exception currently being handled.
%s%s" % (escape("".join(list[:-1])), escape(list[-1]))
    del tb
    return buf


def escape(s, quote=None):
    """Return s with HTML-special characters replaced by entities.

    Mirrors the classic cgi.escape(): '&' first, then '<' and '>', and '"'
    only when ``quote`` is true.

    NOTE(review): in this copy the replacement strings read the same as the
    characters they replace and the last one is an unterminated '"""' --
    the entity references look to have been decoded by the extraction tool.
    Verify against the original source before relying on this function.
    """
    s = s.replace("&", "&")  # Must be done first!
    s = s.replace("<", "<")
    s = s.replace(">", ">")
    if quote:
        s = s.replace('"', """)
    return s


def log_hit(start, stop, ip, id_utente, command, bytes, error, pard):
    """Append one tab-separated record for this request to the application log.

    Args:
        start, stop: request timestamps (time.time()).
        ip: client address written into the record.
        id_utente, bytes: ignored -- both are re-read from pard below.
        command: 'module.program(pard)' string resolved by main() ('' on the
            trusted-address paths).
        error: traceback text from build_exception(), or '' when the request
            succeeded.
        pard: request dictionary (APPLICATION_LOG_FILE, LOG_DIR, HTTP_REFERER,
            tok, sid_id_utente, html are read).

    Returns:
        '' on success, otherwise the traceback of the logging failure itself
        (main() appends it to the response).
    """
    try:
        action = pard.get('tok', '')
        id_utente = pard.get('sid_id_utente', '')   # replaces the parameter
        h = pard.get('html', '')
        bytes = len(h)                              # replaces the parameter
        exec_time = repr(stop - start)[0:5]
        log_file = open(pard['APPLICATION_LOG_FILE'], 'a')
        log_date = time.asctime(time.localtime(time.time()))
        error_id = ''
        if error != '':
            # Error file name is the integer part of the stop timestamp, so two
            # failures in the same second share (and overwrite, mode 'w') one file.
            error_id = string.split(repr(stop), '.')[0]
            # NOTE(review): error[0] is only the first character of the error
            # string, and the result is overwritten on the next line anyway;
            # the traceback itself still reaches the .err file through the
            # pard['ERROR'] entry dumped below.
            error = string.replace(error[0], '\n', '\040')
            error = 'ERROR_FILE -> ' + error_id + '.err'
        # NOTE(review): HTTP_REFERER is client-supplied and is joined without
        # stripping tabs or newlines, so that header can break the record
        # layout of the log; sanitise it (or repr() it) before joining.
        log_buf = string.join([log_date, id_utente, ip, repr(bytes), exec_time, command, action, pard['HTTP_REFERER'], error], '\t') + '\n'
        log_file.write(log_buf)
        log_file.close()
        if error_id != '':
            error_file = pard['LOG_DIR'] + '/' + error_id + '.err'
            fp = open(error_file, 'w')
            fp.write(error + '\n')
            # Dump of the whole request state.  The tuple below is a denylist:
            # every other config, environment and form value in pard is written
            # to the .err file in clear.
            keys = pard.keys()
            keys.sort()
            for k in keys:
                if k not in ('MENU', 'MENU_TREE', 'MYSQL_PASSWORD', 'SQL_CHALLENGE', 'TOKEN', 'sid_password', 'password'):
                    buf = repr(k) + ': ' + repr(pard[k]) + '\n'
                    fp.write(buf)
            fp.close()
        # NOTE(review): placement of this call (every hit vs. only on error)
        # is a reconstruction -- confirm.
        auth.log_hit(log_buf, pard)
        return ''
    except:
        return build_exception()


def log_sid(start, stop, bytes, pard):
    """Record timing and size of this request in the session file.

    Does nothing (and returns None) when pard has no 'sid'.  Otherwise stores
    EXEC_TIME, LOG_DATE and BYTES in pard, refreshes 'sid_buffer' in the
    session record and saves it through auth.sid_set().

    Returns:
        '' on success, None when there is no session, or the traceback text
        of a failure (main() appends it to the response).
    """
    if pard.has_key('sid'):
        try:
            exec_time = repr(stop - start)[0:5]
            sid_file = auth.sid_get(pard)
            log_date = time.asctime(time.localtime(time.time()))
            pard['EXEC_TIME'] = exec_time
            pard['LOG_DATE'] = log_date
            pard['BYTES'] = repr(bytes)
            # An empty-string sid_buffer is normalised to an empty dict.
            sid_buffer = pard.get('sid_buffer', {})
            if sid_buffer == '':
                sid_buffer = {}
            sid_file['sid_buffer'] = sid_buffer
            result = auth.sid_set(pard, sid_file)
            return ''
        except:
            return build_exception()


# Last-resort handler for failures that escape main() (including failures of
# the error page itself).  NOTE(review): the full, unescaped traceback is
# written into the HTTP response, so interpreter paths and source lines are
# shown to the client; consider logging it and returning a generic message.
# Text between the two writes may have been stripped in extraction.
try:
    main()
except:
    type, value, tb = sys.exc_info()
    list = traceback.format_tb(tb, limit=None) + traceback.format_exception_only(type, value)
    sys.stdout.write('Content-type: text/html\n\n')
    sys.stdout.write('General server error!' + string.join(list))