Commit 5b0c65c6 authored by Benjamin "Ziirish" SANS

fix: client-side caching issue

parent cd4275d5
......@@ -10,6 +10,7 @@
"""
import os
import sys
import uuid
import logging
from flask import Blueprint, Response, request, current_app, session
......@@ -29,7 +30,14 @@ EXEMPT_METHODS = set(['OPTIONS'])
def cache_key():
return '{}-{}-{}-{}'.format(current_user.name, request.path, request.values, session.get('language', ''))
key = '{}-{}-{}-{}-{}'.format(
session.get('login', uuid.uuid4()),
request.path,
request.values,
request.headers.get('X-Session-Tag', ''),
session.get('language', '')
)
return key
def api_login_required(func):
......@@ -84,15 +92,23 @@ class Api(ApiPlus):
ext == '.py' and
name not in ['__init__', '.', '..']):
mod = '.' + name
if name not in self.CELERY_REQUIRED or config['WITH_CELERY']:
if name not in self.CELERY_REQUIRED or \
config['WITH_CELERY']:
self.logger.debug('Loading API module: {}'.format(mod))
try:
import_module(mod, __name__)
except: # pragma: no cover
import traceback
self.logger.critical('Unable to load {}:\n{}'.format(mod, traceback.format_exc()))
self.logger.critical(
'Unable to load {}:\n{}'.format(
mod,
traceback.format_exc()
)
)
else:
self.logger.warning('Skipping API module: {}'.format(mod))
self.logger.warning(
'Skipping API module: {}'.format(mod)
)
def acl_admin_required(self, message='Access denied', code=403):
def decorator(func):
......@@ -121,7 +137,10 @@ class Api(ApiPlus):
@wraps(func)
def decorated(resource, *args, **kwargs):
if config['BUI_DEMO']:
resource.abort(405, 'Sorry, this feature is not available on the demo')
resource.abort(
405,
'Sorry, this feature is not available on the demo'
)
return func(resource, *args, **kwargs)
return decorated
return decorator
......@@ -137,7 +156,13 @@ class Api(ApiPlus):
apibp = Blueprint('api', __name__, url_prefix='/api')
api = Api(apibp, title='Burp-UI API', description='Burp-UI API to interact with burp', doc='/doc', decorators=[api_login_required])
api = Api(
apibp,
title='Burp-UI API',
description='Burp-UI API to interact with burp',
doc='/doc',
decorators=[api_login_required]
)
@api.errorhandler(BUIserverException)
......
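Review bot: The new `cache_key` folds `request.headers.get('X-Session-Tag', '')` into the key, and that header is chosen freely by the client, so any caller can create an unbounded number of distinct cache entries for the same path just by varying the header — a cache-fill vector if the backing cache is not size-bounded. The session already carries the server-issued tag (this commit stores it as `tag_id` at login), so the header should either be replaced by `session.get('tag_id', '')` or validated against it: `tag = request.headers.get('X-Session-Tag', ''); if tag != str(session.get('tag_id', '')): tag = ''`. Note also that `session.get('login', uuid.uuid4())` evaluates `uuid.uuid4()` on every call, so a request with no `login` in the session gets a fresh key each time and never hits the cache — presumably intended, but worth saying with `# no login in session: random key so nothing is ever served from cache`. The remaining hunks in this file only re-wrap long lines.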
......@@ -23,7 +23,7 @@ class UserAuthHandler(BUIhandler):
back = self.app.auth
for au in back:
if au == me:
self.app.logger.error('Recursive import not permited!')
self.app.logger.critical('Recursive import not permitted!')
continue
try:
(modpath, _) = __name__.rsplit('.', 1)
......
......@@ -8,6 +8,7 @@
"""
import math
import uuid
from flask import request, render_template, redirect, url_for, abort, \
flash, Blueprint as FlaskBlueprint, session, current_app
......@@ -405,6 +406,8 @@ def login():
if 'login' in session and session['login'] != form.username.data:
session.clear()
session['login'] = form.username.data
if 'tag_id' not in session:
session['tag_id'] = uuid.uuid4()
session['language'] = form.language.data
user = bui.uhandler.user(form.username.data, refresh)
if user.is_active and user.login(form.password.data):
......
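Review bot: `session['login']` and the new `session['tag_id']` are written before the password is verified on the `user.login(form.password.data)` line, so a wrong-password attempt still leaves the attempted username and a freshly minted tag in the session; any later code that treats the presence of `session['login']` as an authenticated identity (the API `cache_key` in this commit reads it) would be misled, and the tag issued to an unauthenticated client is kept once they do log in. Unless the lines after the hunk depend on the value being set earlier, move the two assignments into the `if user.is_active and user.login(...)` branch, or undo them on failure with `else: session.pop('login', None); session.pop('tag_id', None)`. The `if 'tag_id' not in session` guard also means the tag is never rotated when the same user logs in again — acceptable for a cache partition, but worth a comment such as `# tag_id survives re-login by the same user; it only partitions the API response cache`. `login()` begins before and continues after this hunk.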
......@@ -3,9 +3,12 @@ var NOTIF_WARNING = 1;
var NOTIF_ERROR = 2;
var NOTIF_INFO = 3;
var SESSION_TAG = $('meta[name=session]').attr("content");
var _ajax_setup = function() {
$.ajaxSetup({
headers: { 'X-From-UI': true },
headers: { 'X-From-UI': true, 'X-Session-Tag': SESSION_TAG },
data: { '_session': SESSION_TAG },
});
};
_ajax_setup();
......
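Review bot: `SESSION_TAG` is `undefined` when the page has no `<meta name="session">` element (`.attr()` returns undefined for an empty jQuery set), and jQuery passes that value straight to `setRequestHeader`, so the server would most likely see the literal string `"undefined"` as both the `X-Session-Tag` header and the `_session` parameter. Defaulting it keeps the cache key stable: `var SESSION_TAG = $('meta[name=session]').attr("content") || '';`. The tag is also sent twice — as a header and as a `_session` field merged into every request's data — which presumably mirrors the server key's use of both the header and `request.values`; if one channel is enough, dropping `data:` from `ajaxSetup` avoids altering the payload of POST/PUT calls that supply their own `data`.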
......@@ -4,8 +4,9 @@
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<meta name="description" content="Burp-UI is a web-ui for burp backup written in python with Flask and jQuery/Bootstrap">
<meta name="author" content="Ziirish">
<meta name="session" content="{% if 'tag_id' in session %}{{ session['tag_id'] }}{% endif %}">
<link rel="shortcut icon" href="{{ url_for('static', filename='images/favicon.ico') }}">
<title>Burp-UI</title>
......
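Review bot: The `{% if 'tag_id' in session %}…{% endif %}` wrapper only guards against a missing key, which `session.get` already does, so the meta line reads more simply as `<meta name="session" content="{{ session.get('tag_id', '') }}">`. The value is a server-generated UUID and, assuming Flask's default autoescaping for `.html` templates, cannot break out of the attribute, but a template comment such as `{# session tag: echoed back by the UI JS as X-Session-Tag to partition the API cache per session #}` would tell the next reader why a session value is exposed in markup.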