深入浅出Flask PIN

def get_pin_and_cookie_name(    app: "WSGIApplication",) -> t.Union[t.Tuple[str, str], t.Tuple[None, None]]:    """Given an application object this returns a semi-stable 9 digit pin    code and a random key.  The hope is that this is stable between    restarts to not make debugging particularly frustrating.  If the pin    was forcefully disabled this returns `None`.
    Second item in the resulting tuple is the cookie name for remembering.    """    pin = os.environ.get("WERKZEUG_DEBUG_PIN")    rv = None    num = None
    # Pin was explicitly disabled    if pin == "off":        return None, None
    # Pin was provided explicitly    if pin is not None and pin.replace("-", "").isdigit():        # If there are separators in the pin, return it directly        if "-" in pin:            rv = pin        else:            num = pin
    modname = getattr(app, "__module__", t.cast(object, app).__class__.__module__)    username: t.Optional[str]
    try:        # getuser imports the pwd module, which does not exist in Google        # App Engine. It may also raise a KeyError if the UID does not        # have a username, such as in Docker.        username = getpass.getuser()    except (ImportError, KeyError):        username = None
    mod = sys.modules.get(modname)
    # This information only exists to make the cookie unique on the    # computer, not as a security feature.    probably_public_bits = [        username,        modname,        getattr(app, "__name__", type(app).__name__),        getattr(mod, "__file__", None),    ]
    # This information is here to make it harder for an attacker to    # guess the cookie name.  They are unlikely to be contained anywhere    # within the unauthenticated debug page.    private_bits = [str(uuid.getnode()), get_machine_id()]
    h = hashlib.sha1()    for bit in chain(probably_public_bits, private_bits):        if not bit:            continue        if isinstance(bit, str):            bit = bit.encode("utf-8")        h.update(bit)    h.update(b"cookiesalt")
    cookie_name = f"__wzd{h.hexdigest()[:20]}"
    # If we need to generate a pin we salt it a bit more so that we don't    # end up with the same value and generate out 9 digits    if num is None:        h.update(b"pinsalt")        num = f"{int(h.hexdigest(), 16):09d}"[:9]
    # Format the pincode in groups of digits for easier remembering if    # we don't have a result yet.    if rv is None:        for group_size in 5, 4, 3:            if len(num) % group_size == 0:                rv = "-".join(                    num[x : x + group_size].rjust(group_size, "0")                    for x in range(0, len(num), group_size)                )                break        else:            rv = num
    return rv, cookie_name

import hashlibfrom itertools import chain
probably_public_bits = [    'root',  # username    'flask.app',  # modname    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))    '/usr/local/lib/python3.7/site-packages/flask/app.py'  # getattr(mod, '__file__', None),]
# This information is here to make it harder for an attacker to# guess the cookie name.  They are unlikely to be contained anywhere# within the unauthenticated debug page.private_bits = [    '2485377957890',  # str(uuid.getnode()),  /sys/class/net/ens33/address    # Machine Id: /etc/machine-id + /proc/sys/kernel/random/boot_id + /proc/self/cgroup    '861c92e8075982bcac4a021de9795f6e3291673c8c872ca3936bcaa8a071948b']
h = hashlib.sha1()for bit in chain(probably_public_bits, private_bits):    if not bit:        continue    if isinstance(bit, str):        bit = bit.encode("utf-8")    h.update(bit)h.update(b"cookiesalt")
cookie_name = f"__wzd{h.hexdigest()[:20]}"
# If we need to generate a pin we salt it a bit more so that we don't# end up with the same value and generate out 9 digitsnum = Noneif num is None:    h.update(b"pinsalt")    num = f"{int(h.hexdigest(), 16):09d}"[:9]
# Format the pincode in groups of digits for easier remembering if# we don't have a result yet.rv = Noneif rv is None:    for group_size in 5, 4, 3:        if len(num) % group_size == 0:            rv = "-".join(                num[x: x + group_size].rjust(group_size, "0")                for x in range(0, len(num), group_size)            )            break    else:        rv = num
print(rv)

import hashlibfrom itertools import chain
probably_public_bits = [    'root',  # username    'flask.app',  # modname    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))    '/usr/local/lib/python3.7/site-packages/flask/app.py'  # getattr(mod, '__file__', None),]
# This information is here to make it harder for an attacker to# guess the cookie name.  They are unlikely to be contained anywhere# within the unauthenticated debug page.private_bits = [    '2485377957890',  # str(uuid.getnode()),  /sys/class/net/ens33/address    # Machine Id: /etc/machine-id + /proc/sys/kernel/random/boot_id + /proc/self/cgroup    '861c92e8075982bcac4a021de9795f6e3291673c8c872ca3936bcaa8a071948b']
h = hashlib.sha1()for bit in chain(probably_public_bits, private_bits):    if not bit:        continue    if isinstance(bit, str):        bit = bit.encode("utf-8")    h.update(bit)h.update(b"cookiesalt")
cookie_name = f"__wzd{h.hexdigest()[:20]}"
# If we need to generate a pin we salt it a bit more so that we don't# end up with the same value and generate out 9 digitsnum = Noneif num is None:    h.update(b"pinsalt")    num = f"{int(h.hexdigest(), 16):09d}"[:9]
# Format the pincode in groups of digits for easier remembering if# we don't have a result yet.rv = Noneif rv is None:    for group_size in 5, 4, 3:        if len(num) % group_size == 0:            rv = "-".join(                num[x: x + group_size].rjust(group_size, "0")                for x in range(0, len(num), group_size)            )            break    else:        rv = num
print(rv)

from flask import Flask, requestapp = Flask(__name__)

@app.route("/")def hello():    return '合天网安实验室-实践型网络安全在线学习平台；真实环境，在线实操学网络安全。'

@app.route("/file")def file():    filename = request.args.get('filename')    try:        with open(filename, 'r') as f:            return f.read()    except:        return 0

if __name__ == "__main__":    app.run(host="0.0.0.0", port=9000, debug=True)