sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-11-04 09:57:38 +03:00
Code Issues Packages Projects Releases Wiki Activity

apply a little bit of secure coding practices to the API

Browse Source
This commit is contained in:
Bernardo Damele 2013-01-27 12:26:40 +00:00
parent 4d95573e6c
commit d07881b6c3
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/utils/api.py
View File

@ -122,7 +122,7 @@ def init_options():
return options return options
@hook("after_request") @hook("after_request")
def security_headers(): def security_headers(json_header=True):
""" """
Set some headers across all HTTP responses Set some headers across all HTTP responses
""" """
@ -133,6 +133,7 @@ def security_headers():
response.headers["Pragma"] = "no-cache" response.headers["Pragma"] = "no-cache"
response.headers["Cache-Control"] = "no-cache" response.headers["Cache-Control"] = "no-cache"
response.headers["Expires"] = "0" response.headers["Expires"] = "0"
if json_header:
response.content_type = "application/json; charset=UTF-8" response.content_type = "application/json; charset=UTF-8"
############################## ##############################
@ -141,18 +142,22 @@ def security_headers():
@error(401) # Access Denied @error(401) # Access Denied
def error401(error=None): def error401(error=None):
security_headers(False)
return "Access denied" return "Access denied"
@error(404) # Not Found @error(404) # Not Found
def error404(error=None): def error404(error=None):
security_headers(False)
return "Nothing here" return "Nothing here"
@error(405) # Method Not Allowed (e.g. when requesting a POST method via GET) @error(405) # Method Not Allowed (e.g. when requesting a POST method via GET)
def error405(error=None): def error405(error=None):
security_headers(False)
return "Method not allowed" return "Method not allowed"
@error(500) # Internal Server Error @error(500) # Internal Server Error
def error500(error=None): def error500(error=None):
security_headers(False)
return "Internal server error" return "Internal server error"
############################# #############################
@ -390,15 +395,14 @@ def scan_log_limited(taskid, start, end):
if taskid not in tasks: if taskid not in tasks:
abort(500, "Invalid task ID") abort(500, "Invalid task ID")
# Temporary "protection" against SQL injection FTW ;) if not start.isdigit() or not end.isdigit() or end < start:
if not start.isdigit() or not end.isdigit() or end <= start:
abort(500, "Invalid start or end value, must be digits") abort(500, "Invalid start or end value, must be digits")
start = max(1, int(start)) start = max(1, int(start))
end = max(1, int(end)) end = max(1, int(end))
# Read a subset of log messages from the temporary I/O database # Read a subset of log messages from the temporary I/O database
procs[taskid].ipc_database_cursor.execute("SELECT id, time, level, message FROM logs WHERE id >= %d AND id <= %d" % (start, end)) procs[taskid].ipc_database_cursor.execute("SELECT id, time, level, message FROM logs WHERE id >= ? AND id <= ?", (start, end))
db_log_messages = procs[taskid].ipc_database_cursor.fetchall() db_log_messages = procs[taskid].ipc_database_cursor.fetchall()
for (id_, time_, level, message) in db_log_messages: for (id_, time_, level, message) in db_log_messages: