diff --git a/burpui/__init__.py b/burpui/__init__.py
index 9b53aadf..2ef0e38a 100644
--- a/burpui/__init__.py
+++ b/burpui/__init__.py
@@ -191,6 +191,7 @@ def init(conf=None, debug=0, logfile=None, gunicorn=True, unittest=False):
         red = Redis(host=host, port=port)
         app.config['SESSION_TYPE'] = 'redis'
         app.config['SESSION_REDIS'] = red
+        app.config['SESSION_COOKIE_SECURE'] = app.scookie
         ses = Session()
         ses.init_app(app)
     except:
diff --git a/burpui/misc/auth/handler.py b/burpui/misc/auth/handler.py
index 2cf35002..7ced07e0 100644
--- a/burpui/misc/auth/handler.py
+++ b/burpui/misc/auth/handler.py
@@ -85,4 +85,7 @@ class UserHandler(BUIuser):
         return self.authenticated
 
     def get_id(self):
-        return self.id
+        try:
+            return unicode(self.id)
+        except NameError:
+            return str(self.id)
diff --git a/burpui/server.py b/burpui/server.py
index f9c18dc9..c7ff8ac9 100644
--- a/burpui/server.py
+++ b/burpui/server.py
@@ -31,6 +31,7 @@ g_acl = ''
 g_storage = ''
 g_redis = ''
 g_zip64 = 'False'
+g_scookie = 'False'
 
 
 class BUIServer(Flask):
@@ -69,7 +70,7 @@ class BUIServer(Flask):
             'sslkey': g_sslkey, 'version': g_version, 'auth': g_auth, 'standalone': g_standalone, 'acl': g_acl, 'liverefresh': g_liverefresh, 'storage': g_storage,
-            'redis': g_redis, 'zip64': g_zip64
+            'redis': g_redis, 'zip64': g_zip64, 'scookie': g_scookie
         }
         config = ConfigParser.ConfigParser(self.defaults)
         with open(conf) as fp:
@@ -175,6 +176,12 @@ class BUIServer(Flask):
             'redis',
             'Production'
         )
+        self.scookie = self._safe_config_get(
+            config.getboolean,
+            'scookie',
+            'Production',
+            cast=bool
+        )
 
         # Experimental features
         self.zip64 = self._safe_config_get(
diff --git a/burpui/utils.py b/burpui/utils.py
index ae173f0b..c4d83819 100644
--- a/burpui/utils.py
+++ b/burpui/utils.py
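Review bot: `app.config['SESSION_COOKIE_SECURE'] = app.scookie` is set only inside the Redis session branch, right before `ses.init_app(app)`, so whatever the bare `except:` below falls back to keeps a cookie without the Secure flag even when `scookie` is enabled. The setting is backend-independent; move `app.config['SESSION_COOKIE_SECURE'] = app.scookie` out of the `try`, ahead of the session-storage selection, so every session backend honours it. The rest of `init` is outside the hunk, so I cannot see what the fallback path configures.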
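Review bot: Catching `NameError` around `unicode(self.id)` re-runs the failing name lookup on every `get_id` call under Python 3, and it would also mask a `NameError` raised while evaluating `self.id` itself. A module-level shim decided once, `try: text_type = unicode` / `except NameError: text_type = str`, lets the method stay `return text_type(self.id)`. `UserHandler` continues outside the hunk.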
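Review bot: The new `self.scookie` lookup passes `cast=bool` while the module default `g_scookie = 'False'` is a string; if `_safe_config_get` (defined outside these hunks) applies `cast` to that default when `config.getboolean` fails, `bool('False')` is `True` and secure cookies would switch on unexpectedly — worth confirming against the `zip64` lookup that uses the same helper. Separately, the option defaults to off regardless of whether the server itself serves TLS; consider defaulting it on when the server is configured for SSL so HTTPS deployments do not silently ship a session cookie without the Secure flag. `BUIServer.__init__` starts and ends outside the hunk.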
@@ -171,19 +171,20 @@ class BUIcompress():
 
 
 def basic_login_from_request(request, app):
-    creds = request.headers.get('Authorization')
-    if creds:
-        creds = creds.replace('Basic ', '', 1)
-        try:
-            import base64
-            login, password = base64.b64decode(creds.encode('utf-8')).decode('utf-8').split(':')
-        except: # pragma: no cover
-            pass
-        if login:
-            user = app.uhandler.user(login)
-            if user.active and user.login(login, password):
-                from flask.ext.login import login_user
-                login_user(user)
-                return user
+    if app.auth != 'none':
+        creds = request.headers.get('Authorization')
+        if creds:
+            creds = creds.replace('Basic ', '', 1)
+            try:
+                import base64
+                login, password = base64.b64decode(creds.encode('utf-8')).decode('utf-8').split(':')
+            except: # pragma: no cover
+                pass
+            if login:
+                user = app.uhandler.user(login)
+                if user.active and user.login(login, password):
+                    from flask.ext.login import login_user
+                    login_user(user)
+                    return user
     return None
 
diff --git a/docker/docker-burpui/assets/config/burp-ui/burpui.cfg b/docker/docker-burpui/assets/config/burp-ui/burpui.cfg
index d1d2a0a6..1ed3d0d4 100644
--- a/docker/docker-burpui/assets/config/burp-ui/burpui.cfg
+++ b/docker/docker-burpui/assets/config/burp-ui/burpui.cfg
@@ -39,6 +39,8 @@ liverefresh: 5
 storage: redis
 # redis server to connect to
 redis: demo-redis:6379
+# whether to use secure cookie or not
+scookie: false
 
 ## burp1 backend specific options
 #[Burp1]
diff --git a/share/burpui/etc/burpui.sample.cfg b/share/burpui/etc/burpui.sample.cfg
index 986f3b04..8fcd774c 100644
--- a/share/burpui/etc/burpui.sample.cfg
+++ b/share/burpui/etc/burpui.sample.cfg
@@ -40,6 +40,8 @@ liverefresh: 5
 storage: default
 # redis server to connect to
 redis: localhost:6379
+# whether to use secure cookie or not
+scookie: false
 
 [Experimental]
 ## This section contains some experimental features that have not been deeply
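Review bot: In the re-indented body of `basic_login_from_request`, `login, password = ...split(':')` raises `ValueError` for any password containing a colon (RFC 7617 permits that), the bare `except: pass` swallows it, and the following `if login:` then raises `UnboundLocalError` because nothing assigned `login` — so such a request produces a server error instead of a plain authentication failure; the same happens for malformed base64. Add `login = password = None` before the `try`, split once with `.split(':', 1)`, and narrow the handler to `except (ValueError, TypeError):  # pragma: no cover` so only decode/unpack errors are tolerated. The `creds.replace('Basic ', '', 1)` prefix strip is also case-sensitive, whereas the scheme token is not. The whole function is visible in the hunk.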
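Review bot: The new comment `# whether to use secure cookie or not` does not tell an operator what the option implies: with `scookie: true` browsers only return the session cookie over HTTPS, so an instance reached over plain HTTP cannot stay logged in, and with it left at `false` a TLS deployment's session cookie can be replayed over HTTP. Suggest `# set the Secure flag on the session cookie (requires HTTPS; browsers will not send it over plain HTTP)`. The same comment appears in docker/docker-burpui/assets/config/burp-ui/burpui.cfg.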