Secure cookies
It’s possible to replace the form fields and query parameter PyMailCGI currently generates with client-side cookies marked as secure. It is tempting to assume that such cookies are encrypted when sent. Unfortunately, once again, the Secure attribute only tells the browser to transmit the cookie when the communications channel with the host is itself secure (that is, over HTTPS). It provides no encryption of its own: the cookie value is stored by the browser and sent on the wire exactly as the server set it. Because of this, the option really just begs the question; it still requires an HTTPS server.
The secret.py module
As you can probably tell, web security is a larger topic than we have time to address here. Because of that, the secret.py module in Example 16-13 finesses the issue by trying a variety of approaches in turn, settling on the first one that imports successfully:
- If you are able to fetch and install the third-party PyCrypto system described earlier, the module will use that package’s AES tools to encrypt the password data whenever it is transmitted together with a username. (PyCrypto itself is no longer maintained; PyCryptodome is its API-compatible successor.)
- If not, it will try rotor next, if you’re able to find and install the original rotor module in the version of Python that you’re using. The rotor module was removed from Python’s standard library in Python 2.4 because its rotor-machine cipher is cryptographically weak, so this branch is unlikely to be taken today.
- And finally, it falls back on a very simplistic default character code shuffling obfuscation scheme. This last scheme hides the password from casual viewing only; anyone who can read the module can reverse it, so you should replace it with one of your own if you install this program on the Internet at large.
See Example 16-13 for more details; it uses function definitions nested in if statements
to generate the selected encryption scheme’s functions at run time.
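The two points above, the Secure flag leaving the cookie value untouched and secret.py's try-the-next-scheme ladder, can be seen together in the following added example. It is not code from the book or from PyMailCGI; it reuses the selection pattern (scheme chosen at import time, with encode/decode defined inside the branch that succeeded) with the standard library's http.cookies module. The strong branch assumes the third-party cryptography package's Fernet construction (AES-128-CBC plus HMAC) as a stand-in for the PyCrypto AES code the book describes, and the fallback is a constructed byte-shift obfuscation in the spirit of the book's character-code shuffle; the per-process key, the cookie name and the shift constant are all assumptions for illustration.

```python
"""Added example: scheme selection as in secret.py, plus a Secure cookie carrier."""
import base64
from http.cookies import SimpleCookie

# Pick the scheme once, at import time, by trying the strongest option first.
# The names SCHEME and AUTHENTICATED are assumptions of this example, so callers
# can tell whether the encoded value is real, integrity-protected ciphertext.
try:
    from cryptography.fernet import Fernet  # third-party; may be absent

    # Assumption: a fresh per-process key. A deployment must load one persistent
    # secret from outside the web root, or tokens will not decode after a restart.
    _fernet = Fernet(Fernet.generate_key())
    SCHEME = "fernet"
    AUTHENTICATED = True  # Fernet rejects tokens that were modified in transit

    def encode(text: str) -> str:
        # Fernet tokens are URL-safe base64, so they fit in a cookie or query string
        return _fernet.encrypt(text.encode("utf-8")).decode("ascii")

    def decode(token: str) -> str:
        return _fernet.decrypt(token.encode("ascii")).decode("utf-8")

except ImportError:
    SCHEME = "shuffle"
    AUTHENTICATED = False  # obfuscation only: anyone with this file reverses it
    _SHIFT = 3  # constructed constant, standing in for the book's day-of-week shift

    def encode(text: str) -> str:
        shuffled = bytes((b + _SHIFT) % 256 for b in text.encode("utf-8"))
        return base64.urlsafe_b64encode(shuffled).decode("ascii")

    def decode(token: str) -> str:
        shuffled = base64.urlsafe_b64decode(token.encode("ascii"))
        return bytes((b - _SHIFT) % 256 for b in shuffled).decode("utf-8")


def set_cookie_header(name: str, value: str) -> str:
    """Build the Set-Cookie line a CGI script would emit for one cookie.

    Secure makes the browser send it over HTTPS only; HttpOnly keeps it away
    from page scripts. Neither attribute changes the value itself.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar.output(header="Set-Cookie:")


def cookie_pair(name: str, value: str) -> str:
    """The name=value text the browser later echoes back in its Cookie: header."""
    jar = SimpleCookie()
    jar[name] = value
    return jar[name].OutputString(attrs=[])  # attributes are never sent back


def read_cookie_header(name: str, cookie_header: str) -> str:
    """Parse an incoming Cookie: header value and return the named cookie's value."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value


def password_roundtrip(password: str) -> str:
    """Encode a password, carry it through a cookie pair, and decode it again."""
    sent = cookie_pair("pymailcgi", encode(password))  # assumed cookie name
    return decode(read_cookie_header("pymailcgi", sent))


if __name__ == "__main__":
    # Constructed sample: the Secure flag does not hide the literal password.
    print(set_cookie_header("pswd", "hunter2"))
    print("scheme:", SCHEME, "authenticated:", AUTHENTICATED)
    print(set_cookie_header("pymailcgi", encode("hunter2")))
    print("round trip ok:", password_roundtrip("hunter2") == "hunter2")
```

Run it once with cryptography installed and once without to see both branches of the ladder; in both cases the first Set-Cookie line shows the plaintext password beside the Secure attribute, which is the whole reason the cookie approach still needs an encoding scheme and an HTTPS server.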
Example 16-13. PP4E\Internet\Web\PyMailCgi\cgi-bin\secret.py
"""
###############################################################################
PyMailCGI encodes the POP password whenever it is sent to/from client over
the Net with a username, as hidden text fields or explicit URL params; uses
encode/decode functions in this module to encrypt the pswd--upload your own
version of this module to use a different encryption mechanism or key; pymail
doesn't save the password on the server, and doesn't echo pswd as typed,
but this isn't 100% safe--this module file itself might be vulnerable;
HTTPS may be better and simpler, but Python's web server classes don't support it;
###############################################################################
"""
import sys, time
dayofweek = time.localtime(time.time())[6] # for custom schemes
forceReadablePassword = False
###############################################################################
# string encoding schemes
###############################################################################
1282 | Chapter 16: The PyMailCGI Server