This file is indexed.

/usr/lib/python2.7/dist-packages/M2Crypto/AuthCookie.py is in python-m2crypto 0.21.1-3ubuntu5.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
"""Secure Authenticator Cookies

Copyright (c) 1999-2002 Ng Pheng Siong. All rights reserved."""

# M2Crypto
import Rand, m2

# Python. Cookie is bundled with Python 2.x. 
import Cookie, binascii, re, time


_MIX_FORMAT = 'exp=%s&data=%s&digest='
_MIX_RE     = re.compile('exp=(\d+\.\d+)&data=(.+)&digest=(\S*)')

def mix(expiry, data, format=_MIX_FORMAT):
    return format % (repr(expiry), data)

def unmix(dough, regex=_MIX_RE):
    mo = regex.match(dough)
    if mo:
        return float(mo.group(1)), mo.group(2)
    else:
        return None

def unmix3(dough, regex=_MIX_RE):
    mo = regex.match(dough)
    if mo:
        return float(mo.group(1)), mo.group(2), mo.group(3)
    else:
        return None


_TOKEN = '_M2AUTH_'

class AuthCookieJar:

    _keylen = 20

    def __init__(self):
        self._key = Rand.rand_bytes(self._keylen)
    
    def _hmac(self, key, data):
        return binascii.b2a_base64(m2.hmac(key, data, m2.sha1()))[:-1]
        
    def makeCookie(self, expiry, data):
        dough = mix(expiry, data)
        return AuthCookie(expiry, data, dough, self._hmac(self._key, dough))

    def isGoodCookie(self, cookie):
        assert isinstance(cookie, AuthCookie)
        if cookie.isExpired():
            return 0
        c = self.makeCookie(cookie._expiry, cookie._data)
        return (c._expiry == cookie._expiry) \
            and (c._data == cookie._data) \
            and (c._mac == cookie._mac) \
            and (c.output() == cookie.output())

    def isGoodCookieString(self, cookie_str):
        c = Cookie.SmartCookie()        
        c.load(cookie_str)
        if not c.has_key(_TOKEN):
            return 0
        undough = unmix3(c[_TOKEN].value)
        if undough is None:
            return 0
        exp, data, mac = undough
        c2 = self.makeCookie(exp, data)
        return (not c2.isExpired()) and (c2._mac == mac)


class AuthCookie:
    
    def __init__(self, expiry, data, dough, mac):
        self._expiry = expiry
        self._data = data
        self._mac = mac
        self._cookie = Cookie.SmartCookie()
        self._cookie[_TOKEN] = '%s%s' % (dough, mac)
        self._name = '%s%s' % (dough, mac)  # XXX WebKit only.

    def expiry(self):
        """Return the cookie's expiry time."""
        return self._expiry

    def data(self):
        """Return the data portion of the cookie."""
        return self._data

    def mac(self):
        """Return the cookie's MAC."""
        return self._mac

    def output(self):
        """Return the cookie's output in "Set-Cookie" format."""
        return self._cookie.output()

    def value(self):
        """Return the cookie's output minus the "Set-Cookie: " portion.
        """
        return self._cookie[_TOKEN].value

    def isExpired(self):
        """Return 1 if the cookie has expired, 0 otherwise."""
        return (time.time() > self._expiry)

    # XXX Following methods are for WebKit only. These should be pushed 
    # to WKAuthCookie.
    def name(self):
        return self._name

    def headerValue(self):
        return self.value()