What file can be uploaded to a web app built on the Django framework if it allows unrestricted file upload? When I uploaded a shell.py it simply rendered as text in the browser, but HTML and JavaScript execute fine.
If you can execute that file when Django renders it, maybe you can first try an os.system("whoami") and then change that to a cmd and pass commands by calling that file from your browser/Burp/curl. If it accepts any file, it's really easy.
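The behaviour described in the question is the usual one: uploaded files are served as static content, so a .py file is never executed server-side, but an uploaded .html or .js is rendered by the browser under the site's own origin, which is stored XSS rather than remote code execution. The block below is an added example, not code from either post: a framework-independent upload validator of the kind a practitioner would put in front of a Django FileField, with an extension allowlist, a magic-byte check so an HTML payload renamed to .png is rejected, and the response headers that make a stored file download instead of render. The function names, the allowlist and the sample byte strings are constructed for the example.

```python
import os
import re

# Allowed extension -> (accepted magic-byte prefixes, Content-Type to serve with).
# Constructed allowlist for the example; extend per application.
ALLOWED = {
    ".png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
    ".pdf": ((b"%PDF-",), "application/pdf"),
}

# Markers a browser could interpret as active content; checked in the leading
# bytes as defence in depth on top of the magic-byte check.
ACTIVE_CONTENT_MARKERS = re.compile(rb"<\s*(script|html|svg|iframe|object)\b", re.IGNORECASE)

# Filenames are limited to a flat, conservative character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes, max_bytes: int = 5 * 1024 * 1024) -> dict:
    """Return storage metadata for a safe upload or raise UploadRejected.

    Checks, in order: filename shape (no path components), extension
    allowlist, size, magic bytes matching the claimed extension, and absence
    of HTML/script markers in the first kilobyte.
    """
    base = os.path.basename(filename)  # strip any client-supplied directory part
    if base != filename or not SAFE_NAME.match(base):
        raise UploadRejected("bad filename")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if len(data) == 0 or len(data) > max_bytes:
        raise UploadRejected("bad size")
    magics, content_type = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match extension")
    if ACTIVE_CONTENT_MARKERS.search(data[:1024]):
        raise UploadRejected("active content markers found")
    return {"stored_name": base, "content_type": content_type}


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload accepts the file."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def download_headers(meta: dict) -> dict:
    """Headers to serve a stored upload with: force download, forbid MIME sniffing."""
    return {
        "Content-Type": meta["content_type"],
        "Content-Disposition": f'attachment; filename="{meta["stored_name"]}"',
        "X-Content-Type-Options": "nosniff",
        # Restrictive CSP for the file-serving endpoint, in case a file type is
        # ever rendered inline instead of downloaded.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed samples mirroring the thread: a Python "shell", an HTML payload,
    # the same payload renamed to .png, a real PNG header, and a traversal name.
    samples = {
        "shell.py": b"import os\nos.system('whoami')\n",
        "xss.html": b"<html><script>alert(document.cookie)</script></html>",
        "xss.png": b"<script>alert(1)</script>",
        "ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "../etc/passwd.png": b"\x89PNG\r\n\x1a\n",
    }
    for name, blob in samples.items():
        try:
            print(name, "accepted", download_headers(validate_upload(name, blob)))
        except UploadRejected as exc:
            print(name, "rejected:", exc)
```

Only ok.png passes; the renamed HTML payload fails the magic-byte check, and the traversal name fails the basename comparison. Serving with Content-Disposition: attachment and X-Content-Type-Options: nosniff is what stops a browser from rendering a stored file as HTML even if a check is later loosened.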
I have a Flask app integrating a Dash application.
My Flask application uses Flask-Login to handle login, which is working well.
However, I have a bug in my Dash application that only happens in production: my Dash application shows files (images) located in a data folder. It needs to serve files at URLs such as http://127.0.0.1:5000/data/person1/person1_image.jpg or whatever the root URL is.
So what I did is I created a route for this, such as:
    from flask import Blueprint, current_app, send_from_directory
    from flask_login import login_required

    bp = Blueprint("data", __name__)

    @bp.route("/data/<path:filename>")
    @login_required
    def data_folder(filename):
        """Serve files located in person subfolder inside folder"""
        return send_from_directory(current_app.config["DATA_FOLDER"], filename)
Which works "well" in local development. The first time I open the page the image doesn't show, but when I refresh it does.
But in production, no matter how many times I refresh the page, the image doesn't show.
When I check the network tab of Firefox I get this:
302 https://my_domain.com/data/person1/person1_image.jpg
200 https://my_domain.com/login?next=/data/person1/person1_image.jpg
So it appears that when trying to fetch the resource, it redirects me to the login page, while I'm already logged in! (The initial page is also login-protected and I am accessing it.)
Could this be a cookie thing? In my config.py I have this:
    SESSION_COOKIE_SAMESITE = "Lax"
    SESSION_COOKIE_SECURE = True  # boolean, not the string "True" (both are truthy, but Flask documents a bool)
Thanks for your help !
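The route above takes a user-controlled path segment (`<path:filename>`) and hands it to send_from_directory, which refuses paths that escape the configured directory; that containment is the security property of the route, and it is lost if someone later replaces the call with send_file(os.path.join(...)). The block below is an added example, not code from the question, that makes the containment check explicit in plain Python (no Flask needed to run it) and also follows symlinks, so a link inside the data folder pointing at a file outside it is rejected too. The helper name, the temporary folder layout and the request paths are constructed for the example.

```python
import os
import tempfile
from typing import Optional


def resolve_confined(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `base_dir`, or None if it escapes.

    Rejects empty and absolute paths, NUL bytes, `..` traversal and symlinks
    that resolve outside the base directory, by comparing the realpath of the
    candidate against the realpath of the base.
    """
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:  # different drives on Windows
        return None
    if candidate == base_real:
        return None  # the directory itself is not a servable file
    return candidate


def demo() -> dict:
    """Build a temporary data folder like the one in the question (one image under
    person1/ plus a symlink pointing outside the folder) and try several request
    paths. Returns {requested_path: accepted}."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")
        os.makedirs(os.path.join(data, "person1"))
        with open(os.path.join(data, "person1", "person1_image.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")  # constructed JPEG header
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for the web\n")
        requests = [
            "person1/person1_image.jpg",
            "../secret.txt",
            "person1/../../secret.txt",
            "/etc/passwd",
            "",
        ]
        try:
            os.symlink(secret, os.path.join(data, "person1", "link.jpg"))
            requests.append("person1/link.jpg")
        except OSError:
            pass  # symlink creation may be unavailable on some platforms
        return {r: resolve_confined(data, r) is not None for r in requests}


if __name__ == "__main__":
    for path, accepted in demo().items():
        print(f"{path!r:32} -> {'served' if accepted else 'rejected'}")
```

Only person1/person1_image.jpg is served; the traversal, absolute and symlink requests all resolve outside the base and are rejected.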
I'm using django-mailbox in my app.
It works, but it syncs mail by running "python manage.py getmail" in a shell.
Now my goal is to refresh new incoming mail from an HTML template.
Is there any such way?
TY
You can run management commands from your code.
Please see https://docs.djangoproject.com/en/2.2/ref/django-admin/#running-management-commands-from-your-code
So basically:
    from django.core import management
    management.call_command('getmail')
If you create a custom view and call
    management.call_command('getmail')
you should have your desired behavior.
I write integration tests which go through the whole HTTP stack:
- the requests library connects to the HTTP server
- the HTTP server routes the request to the Django application
- the Django application processes the request
If there is an uncaught exception in the Django application I get the HTML debug page, since settings.DEBUG is True.
In most cases I like this page, but here I want to have a simple ASCII traceback which I can show in our Continuous Application tool (Jenkins).
How do I get an ASCII traceback if I test my application with a URL client library?
Rendering of this page with DEBUG=True is done in BaseHandler, which calls the django.views.debug.technical_500_response view for all uncaught exceptions. But when DEBUG=False another view is called, django.views.defaults.server_error. So you have 2 options:
Write custom middleware that will catch all uncaught exceptions and render them as plain text:
https://docs.djangoproject.com/en/1.10/topics/http/middleware/#process-exception
Or create a separate settings file for Jenkins, set DEBUG=False there, and in your urls.py, if jenkins_env, set handler500=custom_technical_500_response,
which will render your exceptions the way you need:
https://docs.djangoproject.com/en/1.10/ref/views/#http-internal-server-error-view and
https://docs.djangoproject.com/en/1.10/ref/urls/#handler500
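Both options in the answer are Django-specific hooks. The block below is an added example, not the answer's code, that shows the same idea one layer down as a plain WSGI middleware, using only the standard library so it runs without Django: it catches an uncaught exception, returns the traceback as text/plain for the CI run, and is gated on an explicit flag, because a traceback in an HTTP response body is an information leak if the same code ever reaches production. The flag name, the toy application and the request helper are assumptions made for the example.

```python
import sys
import traceback
from typing import Callable, Iterable


class PlainTextTracebackMiddleware:
    """WSGI middleware that turns uncaught exceptions into a text/plain 500.

    `expose_tracebacks` must be set explicitly (e.g. only from a CI settings
    file). When False the body is a fixed message and the traceback goes only
    to `log`, so stack frames are never shipped to clients in production.
    Exceptions raised lazily while the response body is iterated are not
    caught here; the toy app below raises before returning its body.
    """

    def __init__(self, app, expose_tracebacks: bool = False,
                 log: Callable[[str], None] = print):
        self.app = app
        self.expose_tracebacks = expose_tracebacks
        self.log = log

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        try:
            return self.app(environ, start_response)
        except Exception:
            text = traceback.format_exc()
            self.log(text)
            body = text if self.expose_tracebacks else "Internal Server Error\n"
            # Passing exc_info lets start_response be called even if the inner
            # app already started a response (PEP 3333).
            start_response(
                "500 INTERNAL SERVER ERROR",
                [("Content-Type", "text/plain; charset=utf-8"),
                 ("X-Content-Type-Options", "nosniff")],
                sys.exc_info(),
            )
            return [body.encode("utf-8")]


def toy_app(environ, start_response):
    """Stand-in for the Django WSGI handler: /boom raises like an uncaught view error."""
    if environ["PATH_INFO"] == "/boom":
        raise KeyError("missing session key")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def invoke(app, path: str = "/") -> tuple:
    """Call a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http",
        "SERVER_NAME": "localhost", "SERVER_PORT": "80",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")


if __name__ == "__main__":
    ci_app = PlainTextTracebackMiddleware(toy_app, expose_tracebacks=True, log=lambda s: None)
    prod_app = PlainTextTracebackMiddleware(toy_app, expose_tracebacks=False, log=lambda s: None)
    print(invoke(ci_app, "/boom")[2])    # full traceback, readable in a Jenkins log
    print(invoke(prod_app, "/boom")[2])  # "Internal Server Error" only
```

In the CI configuration the body is the same text that traceback.print_exc() would write, so it can be pasted straight into a console log; the production configuration returns only the fixed message.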
I can't seem to get the Embed API Server-side Authorization demo to work:
https://ga-dev-tools.appspot.com/embed-api/server-side-authorization/
In the demo it says the following:
Once the library is installed you can add the following python module
to your project and invoke the get_access_token() method to get an
access token that you can use to authorize the Embed API.
    # service-account.py
    from oauth2client.service_account import ServiceAccountCredentials

    # The scope for the OAuth2 request.
    SCOPE = 'https://www.googleapis.com/auth/analytics.readonly'

    # The location of the key file with the key data.
    KEY_FILEPATH = 'path/to/json-key.json'

    # Defines a method to get an access token from the ServiceAccount object.
    def get_access_token():
        return ServiceAccountCredentials.from_json_keyfile_name(
            KEY_FILEPATH, SCOPE).get_access_token().access_token
I've successfully done all the previous steps, but this one I just can't get my head around. Where do I put this code? It seems as if it should be put in a .py file.
Can someone please help?
It depends on your implementation, but basically you want to run your service account code on your server, and have the access token passed to your client application so it can make authorized requests from the browser.
The whole app is open sourced and you can see where the service account code is in the source code.
As in the demo, if you are using Django or App Engine it is easy to put Python server code in your site which will return the token and replace the value in the template code.
Add that code to a service-account.py file and upload it to your server using FTP. I saved the code using Dreamweaver, updated the path and added the following line at the end of the service-account.py file:
    print(get_access_token())
Upload the .JSON file to the same directory and run the command python service-account.py to get the access_token.
I used Flask to make a web portal for users to register, but when I run the HTML file using a local host, the display looks like below:
This HTML file is not actually an HTML file but rather a Jinja template. Thus, you need it to be served via your Flask app's render_template function. So it makes no sense to open this page in the browser as HTML.