The email address of the user logged in
su
The suburl to redirect to (optional)
+ t
+ The timestamp of the authentication, in seconds-since-epoch. This
+ should be validated against the current time, and authentication
+ tokens older than e.g. 10 seconds should be refused.
#. This dictionary of information is then URL-encoded.
#. The resulting URL-encoded string is padded with spaces to an even
import urllib
from Crypto.Cipher import AES
from Crypto import Random
+import time
from pgweb.util.decorators import ssl_required
from pgweb.util.contexts import NavContext
if su:
info['su'] = request.GET['su']
- # URL-encode the structure
- s = urllib.urlencode(info)
+ # Turn this into an URL. Make sure the timestamp is always first, that makes
+ # the first block more random..
+ s = "t=%s&%s" % (int(time.time()), urllib.urlencode(info))
# Encrypt it with the shared key (and IV!)
r = Random.new()
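Review bot: The comment on the new `s = "t=%s&%s" % ...` line says a leading timestamp "makes the first block more random", but a seconds-resolution epoch value is predictable, not random, so it should not be described as a source of randomness for the first cipher block; if the encryption below uses the random IV that `Random.new()` suggests, the IV already serves that purpose. The timestamp's real job is freshness on the consumer side, so I would reword the comment to `# Put the timestamp first so the consumer can check freshness; it is not a substitute for a random IV.`. As a style point, building `t=` by hand while the rest goes through `urlencode` splits the encoding in two; `s = urllib.urlencode([('t', int(time.time()))] + info.items())` keeps the timestamp first and encodes everything through one path, and also avoids a duplicate key should `info` ever carry a `t` entry. The enclosing view function starts and ends outside the hunk, so I cannot confirm which cipher mode and IV handling follow.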
from Crypto.Cipher import AES
from urllib import quote_plus
import base64
+import time
import urllib
from optparse import OptionParser
if options.suburl:
info['su'] = options.suburl
- s = urllib.urlencode(info)
+ # Turn this into an URL. Make sure the timestamp is always first, that makes
+ # the first block more random..
+ # Since this is a fake authentication, put it 5 minutes into the future to
+ # give more time to copy/paste it.
+ s = "t=%s&%s" % (int(time.time()+300), urllib.urlencode(info))
r = Random.new()
iv = r.read(16)
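Review bot: The future-dated `int(time.time()+300)` on the new line is only usable because the documented check refuses tokens that are too old without bounding timestamps from the future, and that one-sided rule is what makes a five-minute-ahead token accepted; a consumer that also rejects tokens more than a small clock skew ahead of now would refuse every token this tool produces. The comment should make that dependency explicit so the two stay in sync, e.g. `# NOTE: depends on the consumer not rejecting future timestamps; if a forward skew bound is added, lower this offset.`. The enclosing script body starts and ends outside the hunk, so I have not seen how the token is emitted afterwards.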