Mageia Bugzilla – Attachment 4459 Details for
Bug 11224
multiple vulnerabilities in python-oauth2 (CVE-2013-4346, CVE-2013-4347)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
New Account
|
Forgot Password
client.py
client.py (text/x-python), 6.68 KB, created by
claire robinson
on 2013-10-26 12:42:15 CEST
(
hide
)
Description:
client.py
Filename:
MIME Type:
Creator:
claire robinson
Created:
2013-10-26 12:42:15 CEST
Size:
6.68 KB
patch
obsolete
>""" >The MIT License > >Copyright (c) 2007 Leah Culver > >Permission is hereby granted, free of charge, to any person obtaining a copy >of this software and associated documentation files (the "Software"), to deal >in the Software without restriction, including without limitation the rights >to use, copy, modify, merge, publish, distribute, sublicense, and/or sell >copies of the Software, and to permit persons to whom the Software is >furnished to do so, subject to the following conditions: > >The above copyright notice and this permission notice shall be included in >all copies or substantial portions of the Software. > >THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR >IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, >FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE >AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER >LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, >OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN >THE SOFTWARE. > >Example consumer. This is not recommended for production. >Instead, you'll want to create your own subclass of OAuthClient >or find one that works with your web framework. >""" > >import httplib >import time >import oauth2 > ># settings for the local test consumer >SERVER = 'localhost' >PORT = 8080 > ># fake urls for the test server (matches ones in server.py) >REQUEST_TOKEN_URL = 'https://photos.example.net/request_token' >ACCESS_TOKEN_URL = 'https://photos.example.net/access_token' >AUTHORIZATION_URL = 'https://photos.example.net/authorize' >CALLBACK_URL = 'http://printer.example.com/request_token_ready' >RESOURCE_URL = 'http://photos.example.net/photos' > ># key and secret granted by the service provider for this consumer application - same as the MockOAuthDataStore >CONSUMER_KEY = 'key' >CONSUMER_SECRET = 'secret' > ># example client using httplib with headers >class SimpleClient(oauth2.Client): > > def __init__(self, server, port=httplib.HTTP_PORT, request_token_url='', access_token_url='', authorization_url=''): > self.server = server > self.port = port > self.request_token_url = request_token_url > self.access_token_url = access_token_url > self.authorization_url = authorization_url > self.connection = httplib.HTTPConnection("%s:%d" % (self.server, self.port)) > > def fetch_request_token(self, oauth_request): > # via headers > # -> OAuthToken > self.connection.request(oauth_request.method, self.request_token_url, headers=oauth_request.to_header()) > response = self.connection.getresponse() > return oauth2.Token.from_string(response.read()) > > def fetch_access_token(self, oauth_request): > # via headers > # -> OAuthToken > self.connection.request(oauth_request.method, self.access_token_url, headers=oauth_request.to_header()) > response = self.connection.getresponse() > return oauth2.Token.from_string(response.read()) > > def authorize_token(self, oauth_request): > # via url > # -> typically just some okay response > self.connection.request(oauth_request.method, oauth_request.to_url()) > response = self.connection.getresponse() > return response.read() > > def access_resource(self, oauth_request): > # via post body > # -> some protected resources > headers = {'Content-Type' :'application/x-www-form-urlencoded'} > self.connection.request('POST', RESOURCE_URL, body=oauth_request.to_postdata(), headers=headers) > response = self.connection.getresponse() > return response.read() > >def run_example(): > > # setup > print '** OAuth Python Library Example **' > client = SimpleClient(SERVER, PORT, REQUEST_TOKEN_URL, ACCESS_TOKEN_URL, AUTHORIZATION_URL) > consumer = oauth2.Consumer(CONSUMER_KEY, CONSUMER_SECRET) > signature_method_plaintext = oauth2.SignatureMethod_PLAINTEXT() > signature_method_hmac_sha1 = oauth2.SignatureMethod_HMAC_SHA1() > pause() > > # get request token > print '* Obtain a request token ...' > pause() > parameters = {'oauth_callback': CALLBACK_URL} > oauth_request = oauth2.Request.from_consumer_and_token(consumer, parameters=parameters, http_url=client.request_token_url) > oauth_request.sign_request(signature_method_plaintext, consumer, None) > print 'REQUEST (via headers)' > print 'parameters: %s' % str(get_parameters(oauth_request)) > pause() > token = client.fetch_request_token(oauth_request) > print 'GOT' > print 'key: %s' % str(token.key) > print 'secret: %s' % str(token.secret) > print 'callback confirmed? %s' % str(token.callback_confirmed) > pause() > > print '* Authorize the request token ...' > pause() > oauth_request = oauth2.Request.from_token_and_callback(token=token, http_url=client.authorization_url) > print 'REQUEST (via url query string)' > print 'parameters: %s' % str(get_parameters(oauth_request)) > pause() > # this will actually occur only on some callback > response = client.authorize_token(oauth_request) > print 'GOT' > print response > # sad way to get the verifier > import urlparse, cgi > query = urlparse.urlparse(response)[4] > params = cgi.parse_qs(query, keep_blank_values=False) > verifier = params['oauth_verifier'][0] > print 'verifier: %s' % verifier > pause() > > # get access token > print '* Obtain an access token ...' > pause() > parameters = {'oauth_verifier': verifier} > oauth_request = oauth2.Request.from_consumer_and_token(consumer, token=token, parameters=parameters, http_url=client.access_token_url) > oauth_request.sign_request(signature_method_plaintext, consumer, token) > print 'REQUEST (via headers)' > print 'parameters: %s' % str(get_parameters(oauth_request)) > pause() > token = client.fetch_access_token(oauth_request) > print 'GOT' > print 'key: %s' % str(token.key) > print 'secret: %s' % str(token.secret) > pause() > > # access some protected resources > print '* Access protected resources ...' > pause() > parameters = {'file': 'vacation.jpg', 'size': 'original'} # resource specific params > oauth_request = oauth2.Request.from_consumer_and_token(consumer, token=token, http_method='POST', http_url=RESOURCE_URL, parameters=parameters) > oauth_request.sign_request(signature_method_hmac_sha1, consumer, token) > print 'REQUEST (via post body)' > print 'parameters: %s' % str(get_parameters(oauth_request)) > pause() > params = client.access_resource(oauth_request) > print 'GOT' > print 'non-oauth parameters: %s' % params > pause() > >def get_parameters(ob): > return dict([(k, v) for (k, v) in ob.iteritems() if k.startswith('oauth_')]) > >def pause(): > print '' > time.sleep(1) > >if __name__ == '__main__': > run_example() > print 'Done.'
""" The MIT License Copyright (c) 2007 Leah Culver Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Example consumer. This is not recommended for production. Instead, you'll want to create your own subclass of OAuthClient or find one that works with your web framework. """ import httplib import time import oauth2 # settings for the local test consumer SERVER = 'localhost' PORT = 8080 # fake urls for the test server (matches ones in server.py) REQUEST_TOKEN_URL = 'https://photos.example.net/request_token' ACCESS_TOKEN_URL = 'https://photos.example.net/access_token' AUTHORIZATION_URL = 'https://photos.example.net/authorize' CALLBACK_URL = 'http://printer.example.com/request_token_ready' RESOURCE_URL = 'http://photos.example.net/photos' # key and secret granted by the service provider for this consumer application - same as the MockOAuthDataStore CONSUMER_KEY = 'key' CONSUMER_SECRET = 'secret' # example client using httplib with headers class SimpleClient(oauth2.Client): def __init__(self, server, port=httplib.HTTP_PORT, request_token_url='', access_token_url='', authorization_url=''): self.server = server self.port = port self.request_token_url = request_token_url self.access_token_url = access_token_url self.authorization_url = authorization_url self.connection = httplib.HTTPConnection("%s:%d" % (self.server, self.port)) def fetch_request_token(self, oauth_request): # via headers # -> OAuthToken self.connection.request(oauth_request.method, self.request_token_url, headers=oauth_request.to_header()) response = self.connection.getresponse() return oauth2.Token.from_string(response.read()) def fetch_access_token(self, oauth_request): # via headers # -> OAuthToken self.connection.request(oauth_request.method, self.access_token_url, headers=oauth_request.to_header()) response = self.connection.getresponse() return oauth2.Token.from_string(response.read()) def authorize_token(self, oauth_request): # via url # -> typically just some okay response self.connection.request(oauth_request.method, oauth_request.to_url()) response = self.connection.getresponse() return response.read() def access_resource(self, oauth_request): # via post body # -> some protected resources headers = {'Content-Type' :'application/x-www-form-urlencoded'} self.connection.request('POST', RESOURCE_URL, body=oauth_request.to_postdata(), headers=headers) response = self.connection.getresponse() return response.read() def run_example(): # setup print '** OAuth Python Library Example **' client = SimpleClient(SERVER, PORT, REQUEST_TOKEN_URL, ACCESS_TOKEN_URL, AUTHORIZATION_URL) consumer = oauth2.Consumer(CONSUMER_KEY, CONSUMER_SECRET) signature_method_plaintext = oauth2.SignatureMethod_PLAINTEXT() signature_method_hmac_sha1 = oauth2.SignatureMethod_HMAC_SHA1() pause() # get request token print '* Obtain a request token ...' pause() parameters = {'oauth_callback': CALLBACK_URL} oauth_request = oauth2.Request.from_consumer_and_token(consumer, parameters=parameters, http_url=client.request_token_url) oauth_request.sign_request(signature_method_plaintext, consumer, None) print 'REQUEST (via headers)' print 'parameters: %s' % str(get_parameters(oauth_request)) pause() token = client.fetch_request_token(oauth_request) print 'GOT' print 'key: %s' % str(token.key) print 'secret: %s' % str(token.secret) print 'callback confirmed? %s' % str(token.callback_confirmed) pause() print '* Authorize the request token ...' pause() oauth_request = oauth2.Request.from_token_and_callback(token=token, http_url=client.authorization_url) print 'REQUEST (via url query string)' print 'parameters: %s' % str(get_parameters(oauth_request)) pause() # this will actually occur only on some callback response = client.authorize_token(oauth_request) print 'GOT' print response # sad way to get the verifier import urlparse, cgi query = urlparse.urlparse(response)[4] params = cgi.parse_qs(query, keep_blank_values=False) verifier = params['oauth_verifier'][0] print 'verifier: %s' % verifier pause() # get access token print '* Obtain an access token ...' pause() parameters = {'oauth_verifier': verifier} oauth_request = oauth2.Request.from_consumer_and_token(consumer, token=token, parameters=parameters, http_url=client.access_token_url) oauth_request.sign_request(signature_method_plaintext, consumer, token) print 'REQUEST (via headers)' print 'parameters: %s' % str(get_parameters(oauth_request)) pause() token = client.fetch_access_token(oauth_request) print 'GOT' print 'key: %s' % str(token.key) print 'secret: %s' % str(token.secret) pause() # access some protected resources print '* Access protected resources ...' pause() parameters = {'file': 'vacation.jpg', 'size': 'original'} # resource specific params oauth_request = oauth2.Request.from_consumer_and_token(consumer, token=token, http_method='POST', http_url=RESOURCE_URL, parameters=parameters) oauth_request.sign_request(signature_method_hmac_sha1, consumer, token) print 'REQUEST (via post body)' print 'parameters: %s' % str(get_parameters(oauth_request)) pause() params = client.access_resource(oauth_request) print 'GOT' print 'non-oauth parameters: %s' % params pause() def get_parameters(ob): return dict([(k, v) for (k, v) in ob.iteritems() if k.startswith('oauth_')]) def pause(): print '' time.sleep(1) if __name__ == '__main__': run_example() print 'Done.'
View Attachment As Raw
Actions:
View
Attachments on
bug 11224
:
4458
| 4459