''' Onionr - P2P Microblogging Platform & Social network This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . ''' import flask from flask import request, Response import configparser, sys, random, threading ''' Main API ''' class API: def __init__(self, config, debug): self.config = config self.debug = debug app = flask.Flask(__name__) bindPort = int(self.config['CLIENT']['PORT']) clientToken = self.config['CLIENT']['CLIENT HMAC'] if not debug: hostNums = [random.randint(1, 255), random.randint(1, 255), random.randint(1, 255)] self.host = '127.' + str(hostNums[0]) + '.' + str(hostNums[1]) + '.' + str(hostNums[2]) else: self.host = '127.0.0.1' @app.before_request def beforeReq(): return @app.after_request def afterReq(resp): resp.headers['Access-Control-Allow-Origin'] = '*' resp.headers['server'] = 'Onionr' resp.headers['content-type'] = 'text/plain' resp.headers["Content-Security-Policy"] = "default-src 'none'" resp.headers['x-frame-options'] = 'deny' return resp @app.route('/client/hello') def hello_world(): self.validateHost() resp = Response('Hello, World!' + request.host) return resp @app.errorhandler(404) def notfound(err): resp = Response("\_(0_0)_/ I got nothin") resp.headers = getHeaders(resp) return resp print('Starting client on ' + self.host + ':' + str(bindPort)) print('Client token:', clientToken) app.run(host=self.host, port=bindPort, debug=True, threaded=True) def validateHost(self): if self.debug: return # Validate host header, to protect against DNS rebinding attacks if request.host != '127.0.0.1:' + str(self.config['CLIENT']['PORT']): sys.exit(1) # Validate x-requested-with, to protect against CSRF/metadata leaks try: request.headers['x-requested-with'] except: sys.exit(1)