QWebFrame load() not sending cookies upon initial page load - c++

I am using QtWebkit to implement a browser in C++/Qt. When I open a new tab in it with a QWebView instance and load a URL using load() the page loads normally, but when it's a site where I'm logged in using cookies, it'll appear as though I'm not logged in at all, due to the cookies for that page not being sent along with the HTTP request (verified using SocketSniff).
The only thing I think that might make a difference would be the custom cookiejar I created, but I'm unsure what it might be since the cookiejar works fine otherwise. You can find the full source code at the GitHub link on the project page for the browser: http://www.mayaposch.com/wildfox.php and the GitHub link: https://github.com/MayaPosch/WildFox
Any clues are welcome :)

Well, I at last found out what the problem was. I narrowed it down to the custom cookiejar I implemented, which has an in-memory structure containing new and accessed cookies, and stores non-session cookies in an SQLite structure on disk. The problem was that after first loading a site, it'd find cookies in the SQLite database, load them into the in-memory structure, but not use them.
Small glitch with big consequences and very easy to figure out once you get down to it. My sincere apologies for wasting your time with this question. Hopefully this answer will help someone, though :)

Related

How to load Django template after enter similar to facebook?

What I have been trying to find, with no answer yet, is how I could have a user click on a link to a template, then instead of waiting for the whole page to load, allow the user to view what has already loaded while they wait for more load-heavy content to arrive, similar to what Facebook does when you first get to a page and see things loading.
There is not much more I can say as the question is pretty self-explanatory. I have checked google and stack overflow.
In order to allow the user to view the loaded page and dynamically view the rest of the page, you use a technology known as AJAX. It allows you to make asynchronous calls to the database, which can be triggered by some JS event (like onscroll) and load the queried data without reloading the entire page.
AJAX in Django is pretty straightforward, though some knowledge of jQuery (or even JavaScript) will be required. You may also use the python package django-dajax which will make things easier. I think you will find the following links useful:
Tango with Django ajax guide (one of the best, but a bit tough)
django-dajax docs
Hope this helps!

Iframe working correctly on localserver but not production server

A question like this was asked before and the person got nothing but criticisms, hope this won't be the case here.
I have a website that allows a business to add their menu to my site, and some have requested to be able to import a menu (a pdf or jpg) that is already online elsewhere. So I made a form that saves a url to the db and then that url is used in the src of an iframe on my site.
I tested it all and it worked fine on my local machine (using Django development server). When I synced it over to my production server and saved the same url I was testing with, the iframe loads no content.
I imagine that it has something to do with trying to read an individual file from another server because it works if I make the url google.com or to an image that is under my domain name. Is there anything I can do to fix this? Storing a url instead of a pdf in my db is much more efficient so doing this way is preferred over uploading their menu to my site.
I don't think this question needs any code attached, but if you want to see some let me hear it.
Thanks
The menu you're testing with probably has the X-Frame-Options response header set.
Is there a reason you're putting the image/pdf as the src on an iframe instead of just using the img tag (or putting an img tag inside your iframe)? There's still no guarantee that will work for all pages, as some sites will refuse to serve media to an external page, but I suspect this is your problem in this case.
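To see why a third-party menu can render blank inside an iframe, here is an added example (not code from either post) that decides from a response's headers whether a browser will allow a given embedding origin to frame it; the header values and URLs are constructed:

```python
"""Added example (not from the original answer): decide from a response's headers
whether a browser will let a page frame it. X-Frame-Options and CSP
frame-ancestors are why an <iframe> of a third-party PDF/JPG can render blank."""
from typing import Dict, Tuple
from urllib.parse import urlparse


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def framing_allowed(headers: Dict[str, str], resource_url: str, embedder_url: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Header names are matched case-insensitively.
    Only origin, 'self', 'none' and * sources are handled in frame-ancestors
    (host wildcards and scheme-only sources are treated as non-matching)."""
    h = {k.lower(): v for k, v in headers.items()}
    res_origin, emb_origin = _origin(resource_url), _origin(embedder_url)

    # A frame-ancestors directive overrides X-Frame-Options in current browsers.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in parts[1:]:
                s = src.strip("'").lower()
                if s == "*" or s == emb_origin:
                    return True, f"frame-ancestors allows {src}"
                if s == "self" and res_origin == emb_origin:
                    return True, "frame-ancestors 'self'"
            return False, f"blocked by {directive.strip()}"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if res_origin == emb_origin:
            return True, "X-Frame-Options: SAMEORIGIN, same origin"
        return False, "X-Frame-Options: SAMEORIGIN, cross origin"
    # ALLOW-FROM is obsolete and ignored by modern browsers; no header means framable.
    return True, "no framing restriction"


# Constructed sample: headers a menu host that forbids third-party framing might send.
SAMPLE_MENU_HEADERS = {"Content-Type": "application/pdf", "X-Frame-Options": "SAMEORIGIN"}
```

Running the check on the real menu URL's headers (for example from a `curl -I` capture) tells you whether the blank iframe is the remote host's policy rather than a bug in your form.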

Is someone trying to hack my Django website

I have a website that I built using Django. Using the settings.py file, I send myself error messages that are generated from the site, partly so that I can see if I made any errors.
From time to time I get rather strange errors, and they seem to mostly be around about the same area of the site (where I wrote a little tutorial trying to explain how I set up a Django Blog Engine).
The errors I'm getting all appear like something I could have done in a typo.
For example, these two errors are very close together. I never had an 'x' or 'post' as a variable on those pages.
'/blog_engine/page/step-10-sub-templates/{{+x.get_absolute_url+}}/'
'/blog_engine/page/step-10-sub-templates/{{+post.get_absolute_url+}}/'
The user agent is:
'HTTP_USER_AGENT': 'Mozilla/5.0 (compatible; Purebot/1.1; +http://www.puritysearch.net/)',
Which I take it is a scraper bot, but I can't figure out what they would be able to get with this kind of attack.
At the risk of sounding stupid, what should I do? Is it a hack attempt or are they simply trying to copy my site?
Edit: I'll follow the advice already given, but I'm really curious as to why someone would run a script like this. Are they just trying to copy? It isn't hitting admin pages or even any of the forms. It would seem like harmless (aside from potential plagiarism) attempts to dig in and find content?
From your USER_AGENT info it looks like this is a web spider from puritysearch.net.
What I suggest you do is put a CAPTCHA on your website. Program it to trigger when something tries to access 10 pages in 10 seconds (mostly no humans would do this; or figure out a proper criterion to trigger your CAPTCHA).
Also, maintain a robots.txt file, which most crawlers honor. Mention your rules in robots.txt. You can tell the crawlers to keep off certain busy sections of your site etc.
If the problem persists, you might want to contact that particular site's system admin & try to figure out what's going on.
This way you will not be completely blocking crawlers (which are needed for your website to become popular) and at the same time you are making sure that your users get a fast experience on your site.
Project HoneyPot has this bot listed as a malicious one http://www.projecthoneypot.org/ip_174.133.177.66 (check the comments there) and what you should probably do is ban that IP and/or agent.
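The "10 pages in 10 seconds" trigger from the answer above, as an added example that is not part of any post: a sliding-window detector run over constructed combined-format access-log lines (the IPs and user agent are placeholders, not the ones from the question), which you could wire to a CAPTCHA challenge or a temporary block:

```python
"""Added example (not from the original answer): find clients that fetch
max_hits pages inside any window_s-second span, the trigger suggested above
for a CAPTCHA or a ban, by running a sliding window over access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, user_agent) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req"), m.group("ua")


def find_bursts(lines, max_hits=10, window_s=10):
    """Map ip -> (time it first hit the limit, user agent) for every client that
    made max_hits or more requests within window_s seconds."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r[1])
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts, _req, ua in records:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop hits older than the window
            q.popleft()
        if len(q) >= max_hits and ip not in flagged:
            flagged[ip] = (ts, ua)
    return flagged


# Constructed sample log (placeholder IPs and user agent, not values from the question):
# a bot fetching a tutorial page every second, plus one human visitor.
BOT_UA = "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://bot.example/)"
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2011:10:00:{s:02d} +0000] "GET /blog_engine/page/step-{s}/ HTTP/1.1" '
    f'200 512 "-" "{BOT_UA}"'
    for s in range(12)
] + [
    '198.51.100.5 - - [12/Mar/2011:10:00:03 +0000] "GET /blog_engine/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.5 - - [12/Mar/2011:10:00:40 +0000] "GET /blog_engine/page/step-1/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"',
]
```

Running `find_bursts(SAMPLE_LOG)` flags only the bot, at the moment of its tenth hit; the same logic fits a Django middleware keyed on the client IP if you want the CAPTCHA to fire in real time rather than from the logs.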

Is it possible to be attacked with XSS on a static page (i.e. without PHP)?

A client I'm working for has mysteriously ended up with some malicious scripting going on on their site. I'm a little baffled however because the site is static and not dynamically generated - no PHP, Rails, etc. At the bottom of the page though, somebody opened a new tag and a script. When I opened the file on the webserver and stripped the malicious stuff and re-uploaded, it was still there. How is this possible? And more importantly, how can I combat this?
EDIT:
To make it weirder, I just noticed the script only shows up in the source if the page is accessed directly as 'domain.com/index.html' but not as just 'domain.com'.
EDIT2:
At any rate, I found some php file (x76x09.php) sitting on the web server that must have been updating the html file despite my attempts to strip it of the script. I'm currently in the clear but I do have to do some work to make sure rogue files don't just appear again and cause problems. If anyone has any suggestions on this feel free to leave a comment, otherwise thanks for the help everyone! It was very much appreciated!
No, it's not possible unless someone has access to your files. So in your case someone has access to your files.
Edit: It's best if you ask in serverfault.com regarding what to do in case the server is compromised, but:
change your shell passwords
have a look at /var/log/messages for login attempts
finger root
have a look at last modification time of those files
There is also a high probability that the files were altered via HTTP by using a vulnerability of a software component you use together with the static files.
To the point about the site not having pages executing on the server, XSS is absolutely still possible using a DOM based attack. Usually this will relate to JavaScript execution outputting content to the page. Just last week WhiteHat Security had an XSS vulnerability identified on a purely “static” page.
It may well be that the attack vector relates to file level access but I suggest it’s also worthwhile taking a look at what’s going on JS wise.
You should probably talk to your hosting company about this. Also, check that your file permissions aren't more lenient than they should be for your particular environment.
That's happened to me before - this happens if they get your ftp details. So, whoever did it, obviously got ahold of your ftp details somehow.
Best thing to do is change your password and contact your webhosting company to figure out a better solution.
Unfortunately, FTP isn't the most secure...
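For the "make sure rogue files don't just appear again" part of the question, here is an added example (not from any answer in the thread) of a baseline integrity check for a static document root; the site content, the injected script tag and the rogue file name are constructed:

```python
"""Added example (not from the original thread): an integrity check for a static
site's document root. It hashes every file, reports what changed, appeared or
vanished since a saved baseline, and flags server-side script files that a
purely static site should never contain (the rogue .php above would show up here)."""
import hashlib, json, os, tempfile

SCRIPT_EXTS = {".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".asp", ".aspx", ".jsp"}

def build_manifest(root):
    """Map path relative to root -> SHA-256 hex digest for every regular file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Diff two manifests; 'scripts' lists script-like files present in current."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "scripts": sorted(p for p in current if os.path.splitext(p)[1].lower() in SCRIPT_EXTS),
    }

def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, sort_keys=True)

def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)

def self_check():
    """Constructed scenario: snapshot a clean one-page site, then tamper with it
    the way the question describes (script appended, rogue .php dropped in)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>hello</body></html>\n")
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")  # keep it outside root
    save_manifest(build_manifest(root), baseline_path)
    with open(os.path.join(root, "index.html"), "a") as fh:
        fh.write("<script src='//injected.example/x.js'></script>\n")  # constructed injection
    with open(os.path.join(root, "rogue.php"), "w") as fh:
        fh.write("<?php echo 'constructed placeholder'; ?>\n")
    return compare(load_manifest(baseline_path), build_manifest(root))
```

Store the baseline manifest somewhere the web server's FTP or PHP account cannot write, otherwise whoever alters the pages can alter the baseline too.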

Django request paths

I've been working through an issue with my django project. The issue is I've got one project, which will retrieve data for users of different clients. I need to know 'from where' a viewer is coming from (request.path [my original solution]). I've been looking at a number of different options which sound close to what I want to do, but I'm not sure what the best option is, not having done this before.
My first option was to add a url in the urls.py with a 'tag' or 'keyword' then look for that tag/keyword in the request.path, which I'd add as a session key. Then go onto get the data.
Something else I started looking at was the sites framework. After reading through the documentation, I'm still confused how sites actually works, so I'm not sure if this is the right option.
Another solution talked about using middleware, this came up in connection with the research into using the sites framework.
And then yet another talked about doing this in apache.
Could some one help point me in the right direction?
Cheers,
T
If you need to know from which URL your user came to your current page, you should check the REFERER HTTP header, available in request.META.get('HTTP_REFERER').
See http://docs.djangoproject.com/en/1.2/ref/request-response/#ref-request-response for more information.
Be careful though, the referer meta is not mandatory and could be missing due to private browsing or direct access to the page from the URL bar.
It's not completely clear from your question, but if you're asking for the URL that the user was on before coming to the current page, you probably want request.META['HTTP_REFERRER'].
Edit after comment
That would be a very bad idea. Global variables are not safe given that you potentially have multiple requests being processed at the same time. The referrer is already available from the request, which can be accessed in all views and templates, so I don't know what else a middleware would give you.