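--- a/OpenSecurity/bin/opensecurity_client_restful_server.py Thu Jan 09 10:44:42 2014 +0100
+++ b/OpenSecurity/bin/opensecurity_client_restful_server.py Fri Mar 07 14:32:12 2014 +0100
@@ -39,6 +39,8 @@
 import urllib
 import urllib2
 import web
+import threading
+import time
 
 # local
 from environment import Environment
@@ -155,6 +157,9 @@
 # pick the arguments
 args = web.input()
 
+ if "message" in args:
+ print args.message
+
 # we _need_ a type
 if not "msgtype" in args:
 raise web.badrequest('no msgtype given')
@@ -172,6 +177,43 @@
 process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)
 return "Ok"
 
+class PasswordSender(threading.Thread):
+ remote_ip = None
+ args = None
+ def __init__(self, remote_ip, args):
+ threading.Thread.__init__(self)
+ self.args = args
+ self.remote_ip = remote_ip
+
+ def stop(self):
+ self.running = False
+
+ def run(self):
+ # invoke the user dialog as a subprocess
+ dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.py')
+ process_command = [sys.executable, dlg_image, 'password', self.args.text]
+ process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)
+ result = process.communicate()[0]
+ if process.returncode != 0:
+ print 'password request has been aborted.'
+ return
+
+ # all ok, tell send request back appropriate destination
+ try:
+ password = result.split(':')[1].split("'")[1]
+ except:
+ print 'error in password parsing'
+ return
+
+ url_addr = 'http://' + self.remote_ip + ':58080/password'
+ url_data = urllib.urlencode({ 'password': password})
+ url = url_addr + '?' + url_data
+ req = urllib2.Request(url)
+ try:
+ res = urllib2.urlopen(req)
+ except:
+ print 'failed to contact: ' + url_addr
+ return
 
 class os_password:
 """OpenSecurity '/password' handler.
@@ -193,36 +235,8 @@
 # remember remote ip
 remote_ip = web.ctx.environ['REMOTE_ADDR']
 
- # invoke the user dialog as a subprocess
- dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.py')
- process_command = [sys.executable, dlg_image, 'password', args.text]
- process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)
- result = process.communicate()[0]
- if process.returncode != 0:
- return 'password request has been aborted.'
-
- # all ok, tell send request back appropriate destination
-
- # the returned value of the dialog is a jason object like
- # "{ 'password': 'THE_PASSWORD' }"
- # so we _could_ call eval(...) on this.
- #
- # However, anyone malicious enough _could_ encode a certain
- # "password" making some nasty things within that eval code. :(
- #
- # So this is plain old-school string hacking then ...
- try:
- password = result.split(':')[1].split("'")[1]
- except:
- raise web.internalerror('error in password parsing')
-
- url_addr = 'http://' + remote_ip + ':58080/password'
- url_data = urllib.urlencode({ 'password': password})
- req = urllib2.Request(url = url_addr + '?' + url_data)
- try:
- res = urllib2.urlopen(req)
- except:
- raise web.internalerror('failed to contact: ' + url_addr)
+ sender = PasswordSender(remote_ip, args)
+ sender.start()
 
 return 'password told'
 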
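Review bot: In `PasswordSender.run` the password the user typed is put into the query string of a plain `http://` GET to the address taken from `REMOTE_ADDR`, so it crosses the network unencrypted and is likely to be recorded wherever the receiving side logs request URLs. If the receiver on port 58080 accepts it, sending the value in the request body keeps it out of URLs: `req = urllib2.Request(url_addr, url_data)`; protecting it in transit would additionally need TLS or a channel known to be host-only, which this diff does not show. Moving the work into a thread also means `os_password` (whose handler starts outside the hunk) answers 'password told' before the dialog has even been shown, and an aborted dialog, a parse failure or an unreachable peer are now only printed instead of being reported to the caller as before. `stop()` sets `self.running`, but `run()` never reads it and blocks in `process.communicate()`, so the method has no effect as written; either drop it or terminate the dialog process from it. Nothing visible here limits how many `PasswordSender` threads (and password dialogs) one client can trigger, so a per-peer guard before `sender.start()` is worth considering.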