
Tornado---cookie、csrf、檔案上傳、驗證碼

import tornado.ioloop
import tornado.web


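class MainHandler(tornado.web.RequestHandler):
    """Demonstrate a plain (unsigned) cookie round-trip on GET /indexx."""

    def get(self):
        """Set ``mycookie`` on the first visit, report its presence afterwards.

        ``get_cookie`` returns the raw value the client sent; nothing verifies
        it, so a client can set it by hand. Use ``set_secure_cookie`` /
        ``get_secure_cookie`` (next section) for anything the server must trust.
        """
        if self.get_cookie("mycookie"):
            self.write("Your cookie was set!")
        else:
            self.set_cookie("mycookie", "myvalue")
            self.write("Your cookie was not set yet!")


settings = {
    'template_path': 'templates',
    'static_path': 'static',
    'static_url_prefix': '/static/',
}

application = tornado.web.Application([
    (r"/indexx", MainHandler),
], **settings)

if __name__ == "__main__":
    application.listen(8009)
    tornado.ioloop.IOLoop.instance().start()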

加密cookie
Cookie 很容易被惡意的客戶端偽造。假如你想在 cookie 中儲存當前登入使用者的 id 之類的資訊,你需要對 cookie 作簽名以防止偽造。Tornado 通過 set_secure_cookie 和 get_secure_cookie 方法直接支援了這種功能。 要使用這些方法,你需要在建立應用時提供一個金鑰,名字為 cookie_secret。 你可以把它作為一個關鍵詞引數傳入應用的設定中:

簽名Cookie的本質是:

寫cookie過程:

將值進行base64編碼
對除值以外的內容進行簽名,雜湊演算法(無法逆向解析)
拼接 簽名 + 加密值
讀cookie過程:

讀取 簽名 + 加密值
對簽名進行驗證
base64解碼,獲取值內容

class MainHandler(tornado.web.RequestHandler):
    """Same round-trip as above, but with a signed cookie (needs ``cookie_secret``)."""

    def get(self):
        """Read the signed ``mycookie``; set it when it is missing or fails verification."""
        current = self.get_secure_cookie("mycookie")
        if current:
            self.write("Your cookie was set!")
            return
        # A tampered or unsigned value does not pass the signature check and
        # comes back as None, so it is handled exactly like a missing cookie.
        self.set_secure_cookie("mycookie", "myvalue")
        self.write("Your cookie was not set yet!")

# NOTE(review): `cookie_secret` is the key that signs every secure cookie; the
# literal below is a demo value. In a deployment load it from configuration or
# the environment instead of committing it, and rotate it if it is exposed —
# anyone holding it can mint cookies that pass get_secure_cookie.
application = tornado.web.Application([
    (r"/", MainHandler),
], cookie_secret="61oETzKXQAGaYdkL5gEmGeJJFuYh7EQnp2XdTP1o/Vo=")

基於cookie的登入

import tornado.ioloop
import tornado.web

class LoginHandler(tornado.web.RequestHandler):
    """Render the login form and check a single hard-coded credential pair."""

    def get(self):
        """Show an empty login form."""
        self.render('login.html', msg="")

    def post(self, *args, **kwargs):
        """Validate ``user``/``pwd``; on success drop a plain cookie and go to /index."""
        submitted_user = self.get_argument('user')
        submitted_pwd = self.get_argument('pwd')
        credentials_ok = submitted_user == 'safly' and submitted_pwd == '123'
        if not credentials_ok:
            self.render('login.html', msg='使用者名稱或密碼錯誤')
            return
        # The cookie carries the bare user name without a signature, so a
        # client can set it by hand; this only demonstrates the flow (the
        # set_secure_cookie section above is what a real login would use).
        self.set_cookie('xxxxxxxx', submitted_user)
        self.redirect('/index')
############################################
class CookieAuthHandler(object):
    """Mixin: send the client to /login unless the ``xxxxxxxx`` cookie is present."""

    def prepare(self):
        """Run before the verb method; only the cookie's presence is checked, not its value."""
        current_user = self.get_cookie('xxxxxxxx')
        print("CookieAuthHandler", current_user)
        if current_user:
            return
        self.redirect('/login')

class IndexHandler(CookieAuthHandler, tornado.web.RequestHandler):
    """Protected page; ``CookieAuthHandler.prepare`` runs first because it is earlier in the MRO."""

    def get(self, *args, **kwargs):
        """Greet a visitor who passed the cookie check."""
        greeting = '歡迎登入'
        self.write(greeting)

# Template and static locations shared by the handlers above.
settings = dict(
    template_path='templates',
    static_path='static',
)

application = tornado.web.Application(
    [
        (r"/login", LoginHandler),
        (r"/index", IndexHandler),
    ],
    **settings
)

if __name__ == "__main__":
    application.listen(8888)
    tornado.ioloop.IOLoop.instance().start()

頁面

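<!DOCTYPE html>
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    <!-- Login form for LoginHandler: the field names user/pwd are what get_argument reads. -->
    <form method="post">
        <input type="text" name="user">
        <!-- type="password" so the browser masks the input instead of showing it in clear. -->
        <input type="password" name="pwd">
        <input type="submit" value="提交">{{msg}}
    </form>
</body>
</html>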

基於tornado的csrf

s1.py

import tornado.ioloop
import tornado.web


class XcrfHandler(tornado.web.RequestHandler):
    """Form-based CSRF demo: the template embeds the token through xsrf_form_html()."""

    def get(self, *args, **kwargs):
        """Serve the form; with ``xsrf_cookies`` on, Tornado sets the ``_xsrf`` cookie here."""
        self.render('login.html')

    def post(self, *args, **kwargs):
        """Reached only when the submitted ``_xsrf`` field matches the cookie; otherwise Tornado answers 403."""
        reply = 'Csrf_POST'
        self.write(reply)


class XX(tornado.web.RequestHandler):
    """AJAX CSRF demo: the page script copies the ``_xsrf`` cookie into the POST body."""

    def get(self, *args, **kwargs):
        """Log the hit and serve the same form page."""
        print("xx get")
        self.render('login.html')

    def post(self, *args, **kwargs):
        """Log the hit and acknowledge; the token check already ran before this method."""
        print("xx post")
        reply = 'Csrf_POST'
        self.write(reply)

settings = {
    # Turns on Tornado's _xsrf cookie/token comparison for POST, PUT, PATCH and DELETE.
    "xsrf_cookies": True,
    'template_path': 'templates',
    'static_path': 'static',
}

application = tornado.web.Application(
    [
        (r"/csrf", XcrfHandler),
        (r"/xx", XX),
    ],
    **settings
)

if __name__ == "__main__":
    application.listen(8888)
    tornado.ioloop.IOLoop.instance().start()

login.html

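<!DOCTYPE html>
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title></title>
    <link href='{{static_url("common.css")}}' rel="stylesheet"/>

</head>
<body>
<!-- The route is r"/csrf" with no trailing slash; posting to "/csrf/" does not match it and 404s. -->
<form method="post" action="/csrf">
    <!-- Emits a hidden _xsrf input whose value matches the _xsrf cookie Tornado set on the GET. -->
    {% raw xsrf_form_html() %}
    <p><input type="text" name="username" placeholder="使用者名稱"></p>
    <p><input type="password" name="password" placeholder="密碼"></p>
    <p><input type="submit" value="提交"></p>
</form>

<button id="b_tn" value="csrf" name="_tn">提交</button>

<script src="/static/jquery-3.3.1.min.js"></script>
<script src="/static/jquery.cookie.js"></script>
<script>

    // The _xsrf cookie is readable from page script on purpose (it is not HttpOnly):
    // a same-origin page can copy it into the request, a cross-site page cannot.
    function getCookie(name) {
        var r = document.cookie.match("\\b" + name + "=([^;]*)\\b");
        return r ? r[1] : undefined;
    }

    // The token may travel in the body as _xsrf (as here) or in an X-XSRFToken header.
    $.ajax({
        url: "/xx",
        data: {
            _xsrf: getCookie("_xsrf"),
            name: "safly"
        },
        dataType: "text",
        type: "POST",
        success: function (response) {
            console.info(response)
        }
    });


</script>
</body>
</html>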



上傳檔案

Form表單上傳

#!/usr/bin/env python
# -*- coding:utf-8 -*-

import os

import tornado.ioloop
import tornado.web


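class MainHandler(tornado.web.RequestHandler):
    """Form upload demo: GET serves the form, POST stores every ``fff`` part.

    ``upload_dir`` is the directory files are written to. It defaults to the
    working directory, which is where the original snippet wrote implicitly.
    """

    upload_dir = "."

    def get(self):
        """Render the multipart upload form."""
        self.render('login.html')

    def post(self, *args, **kwargs):
        """Write each uploaded ``fff`` part into ``upload_dir``.

        The filename comes from the client and is untrusted: it is reduced to
        its last path component so a name carrying directory parts or an
        absolute path cannot place the file outside ``upload_dir``. Parts with
        no usable name are skipped, and a request without an ``fff`` part is
        answered with 400 instead of a KeyError (500).
        """
        file_metas = self.request.files.get("fff")
        if not file_metas:
            self.send_error(400)
            return
        for meta in file_metas:
            # Browsers may send a full client path; normalise separators so
            # basename also strips Windows-style directories on POSIX hosts.
            file_name = os.path.basename(meta['filename'].replace("\\", "/"))
            if not file_name or file_name in (".", ".."):
                continue
            print("file_name", file_name)
            target = os.path.join(self.upload_dir, file_name)
            with open(target, 'wb') as up:
                up.write(meta['body'])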

settings = dict(template_path='templates')

application = tornado.web.Application(
    [(r"/index", MainHandler)],
    **settings
)


if __name__ == "__main__":
    # The upload form in the template posts back to /index on this port.
    application.listen(8000)
    tornado.ioloop.IOLoop.instance().start()
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>上傳檔案</title>
</head>
<body>
    <!-- enctype=multipart/form-data is what makes the file show up in self.request.files;
         the field name "fff" is the key MainHandler.post reads. -->
    <form id="my_form" name="form" action="/index" method="POST"  enctype="multipart/form-data" >
        <input name="fff" id="my_file"  type="file" />
        <input type="submit" value="提交"  />
    </form>
</body>
</html>

XMLHttpRequest上傳

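<!DOCTYPE html>
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    <input type="file" id="img" />
    <input type="button" onclick="UploadFile();" value="提交"/>
    <script>
        // Post the chosen file as multipart part "fff" (plus a demo field "k1") to /index.
        function UploadFile(){
            var fileObj = document.getElementById("img").files[0];
            if (!fileObj) {
                // Nothing selected: FormData.append would send the string "undefined"
                // and the server would not find an "fff" file part.
                return;
            }

            var form = new FormData();
            form.append("k1", "v1");
            form.append("fff", fileObj);

            var xhr = new XMLHttpRequest();
            xhr.open("post", '/index', true);
            xhr.send(form);
        }
    </script>
</body>
</html>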
#!/usr/bin/env python
# -*- coding:utf-8 -*-

import tornado.ioloop
import tornado.web


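class MainHandler(tornado.web.RequestHandler):
    """XHR/jQuery upload demo: GET serves the page, POST stores every ``fff`` part.

    ``upload_dir`` is the directory files are written to. It defaults to the
    working directory, which is where the original snippet wrote implicitly.
    """

    upload_dir = "."

    def get(self):
        """Render the upload page."""
        self.render('login.html')

    def post(self, *args, **kwargs):
        """Write each uploaded ``fff`` part into ``upload_dir``.

        The filename comes from the client and is untrusted: it is reduced to
        its last path component so a name carrying directory parts or an
        absolute path cannot place the file outside ``upload_dir``. Parts with
        no usable name are skipped, and a request without an ``fff`` part is
        answered with 400 instead of a KeyError (500).
        """
        import os  # local import keeps this snippet self-contained

        file_metas = self.request.files.get("fff")
        if not file_metas:
            self.send_error(400)
            return
        for meta in file_metas:
            # Browsers may send a full client path; normalise separators so
            # basename also strips Windows-style directories on POSIX hosts.
            file_name = os.path.basename(meta['filename'].replace("\\", "/"))
            if not file_name or file_name in (".", ".."):
                continue
            target = os.path.join(self.upload_dir, file_name)
            with open(target, 'wb') as up:
                up.write(meta['body'])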

settings = dict(template_path='templates')

application = tornado.web.Application(
    [(r"/index", MainHandler)],
    **settings
)


if __name__ == "__main__":
    # The XHR and jQuery pages above post to /index on this port.
    application.listen(8000)
    tornado.ioloop.IOLoop.instance().start()

jquery方式

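<body>
    <input type="file" id="img" />
    <input type="button" onclick="UploadFile();" />
    <script src="/static/jquery-3.3.1.min.js"></script>
    <script>
        // Post the chosen file as multipart part "fff" (plus a demo field "k1") to /index.
        function UploadFile(){
            var fileObj = $("#img")[0].files[0];
            if (!fileObj) {
                // Nothing selected: FormData.append would send the string "undefined"
                // and the server would not find an "fff" file part.
                return;
            }
            var form = new FormData();
            form.append("k1", "v1");
            form.append("fff", fileObj);

            $.ajax({
                type:'POST',
                url: '/index',
                data: form,
                processData: false,  // tell jQuery not to process the data
                contentType: false,  // tell jQuery not to set contentType
                success: function(arg){
                    console.log(arg);
                }
            })
        }
    </script>
</body>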

驗證碼



#!/usr/bin/env python
# -*- coding:utf-8 -*-

import tornado.ioloop
import tornado.web
import io
import check_code

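class CheckCodeHandler(tornado.web.RequestHandler):
    """Serve a freshly generated CAPTCHA image as a GIF."""

    def get(self):
        """Render the image and return it with an image content type.

        The answer ``code`` has to be kept server-side (session state keyed by
        an opaque id) so the form handler can compare it later. This snippet has
        no session layer, so that step is left as a TODO rather than putting the
        answer in a cookie: a secure cookie is signed, not encrypted, so the
        client could read it back.
        """
        mstream = io.BytesIO()
        img, code = check_code.create_validate_code()
        img.save(mstream, "GIF")
        # TODO(review): persist `code` in server-side session state here.
        self.set_header("Content-Type", "image/gif")
        # A reload must fetch a new challenge, never a cached image.
        self.set_header("Cache-Control", "no-store")
        self.write(mstream.getvalue())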

class MainHandler(tornado.web.RequestHandler):
    """Serve the login page that embeds the CAPTCHA image."""

    def get(self):
        """Render ``index.html``; the page's form posts back here, but no ``post`` is defined."""
        template = 'index.html'
        self.render(template)

settings = {
    'template_path': 'template',  # singular here, unlike the 'templates' used by the other snippets
    'static_path': 'static',
    'static_url_prefix': '/static/',
    # NOTE(review): demo value; in a deployment load the secret from configuration
    # or the environment and keep it out of source control — it signs every secure cookie.
    'cookie_secret': 'aiuasdhflashjdfoiuashdfiuh',
}

application = tornado.web.Application([
    (r"/index", MainHandler),
    (r"/check_code", CheckCodeHandler),
], **settings)


if __name__ == "__main__":
    application.listen(8888)
    tornado.ioloop.IOLoop.instance().start()

check_code.py

#!/usr/bin/env python
#coding:utf-8

import random
from PIL import Image, ImageDraw, ImageFont, ImageFilter

_letter_cases = "abcdefghjkmnpqrstuvwxy"  # lower-case letters, minus the easily confused i, l, o, z
_upper_cases = _letter_cases.upper()  # the matching upper-case letters
_numbers = "3456789"  # digits 3 to 9 (0, 1 and 2 are not used)
init_chars = _letter_cases + _upper_cases + _numbers  # default CAPTCHA alphabet

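def create_validate_code(size=(120, 30),
                         chars=init_chars,
                         img_type="GIF",
                         mode="RGB",
                         bg_color=(255, 255, 255),
                         fg_color=(0, 0, 255),
                         font_size=18,
                         font_type="Monaco.ttf",
                         length=4,
                         draw_lines=True,
                         n_line=(1, 2),
                         draw_points=True,
                         point_chance=2):
    '''
    Generate a CAPTCHA image and return it together with the text it shows.

    @param size: image size as (width, height); default (120, 30)
    @param chars: string of characters the code is drawn from
    @param img_type: accepted for compatibility but unused here; the caller
        chooses the format when it calls ``img.save``
    @param mode: PIL image mode; default RGB
    @param bg_color: background colour; default white
    @param fg_color: colour of the code characters; default blue #0000FF
    @param font_size: font size of the code characters
    @param font_type: TrueType font file; default "Monaco.ttf", which PIL must
        be able to find on the host, otherwise ImageFont.truetype raises OSError
    @param length: number of characters in the code; must not exceed
        len(chars), because characters are sampled without replacement
    @param draw_lines: whether to draw noise lines
    @param n_line: (min, max) count of noise lines; only used when draw_lines is True
    @param draw_points: whether to draw noise points
    @param point_chance: per-pixel chance of a noise point, clamped to [0, 100]
    @return: [0]: the PIL Image instance
    @return: [1]: the code string drawn on the image
    '''

    width, height = size
    img = Image.new(mode, size, bg_color)
    draw = ImageDraw.Draw(img)

    # The code is the secret the user must echo back, so it is drawn from the
    # OS CSPRNG; the visual noise below only has to look random and keeps
    # using the default module-level generator.
    secure_rng = random.SystemRandom()

    def get_chars():
        '''Pick ``length`` distinct characters from ``chars``; returns a list.'''
        return secure_rng.sample(chars, length)

    def create_lines():
        '''Draw between n_line[0] and n_line[1] black noise lines.'''
        line_num = random.randint(*n_line)

        for _ in range(line_num):
            begin = (random.randint(0, size[0]), random.randint(0, size[1]))
            end = (random.randint(0, size[0]), random.randint(0, size[1]))
            draw.line([begin, end], fill=(0, 0, 0))

    def create_points():
        '''Blacken each pixel with probability ``point_chance`` percent.'''
        chance = min(100, max(0, int(point_chance)))  # clamp to [0, 100]

        for w in range(width):
            for h in range(height):
                if random.randint(0, 100) > 100 - chance:
                    draw.point((w, h), fill=(0, 0, 0))

    def text_size(font, text):
        '''Return (width, height) of ``text``; ``getsize`` was removed in Pillow 10.'''
        if hasattr(font, "getbbox"):
            left, top, right, bottom = font.getbbox(text)
            return right - left, bottom - top
        return font.getsize(text)

    def create_strs():
        '''Draw the code with a space around each character; return the code as a string.'''
        c_chars = get_chars()
        strs = ' %s ' % ' '.join(c_chars)

        font = ImageFont.truetype(font_type, font_size)
        font_width, font_height = text_size(font, strs)

        draw.text(((width - font_width) / 3, (height - font_height) / 3),
                  strs, font=font, fill=fg_color)

        return ''.join(c_chars)

    if draw_lines:
        create_lines()
    if draw_points:
        create_points()
    strs = create_strs()

    # Perspective-warp coefficients: a slight random squeeze and shear so the
    # glyphs are not pixel-identical from one image to the next.
    params = [1 - float(random.randint(1, 2)) / 100,
              0,
              0,
              0,
              1 - float(random.randint(1, 10)) / 100,
              float(random.randint(1, 2)) / 500,
              0.001,
              float(random.randint(1, 2)) / 500
              ]
    img = img.transform(size, Image.PERSPECTIVE, params)

    img = img.filter(ImageFilter.EDGE_ENHANCE_MORE)  # edge-enhancement filter (stronger variant)

    return img, strs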

index.html

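<!DOCTYPE html>
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    <h1>hello</h1>
    <!-- Posts to /index; the MainHandler that serves this page only defines get(),
         so a post() that compares the "code" field with the stored answer is still needed. -->
    <form action="/index" method="post" enctype="multipart/form-data">
        <p><input name="user" type="text" placeholder="使用者名稱" /></p>
        <p><input name="pwd" type="password" placeholder="密碼" /></p>
        <p>
            <input name='code' type="text" placeholder="驗證碼" />
            <img src="/check_code" onclick='ChangeCode();' id='imgCode'>
        </p>
        <input type="submit" />
    </form>
    <script type="text/javascript">

        // Request a new challenge: a distinct query string each time defeats the
        // browser cache without the URL growing by another '?' on every click.
        function ChangeCode() {
            var code = document.getElementById('imgCode');
            code.src = '/check_code?' + Date.now();
        }
    </script>
</body>
</html>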