#16 Nginx location 指令

2019-05-22
Syntax : location [ = | ~ | ~* | ^~ ] uri { ... }
location @name { ... }
Default: —
Context: server, location
  1. 执行顺序是:完整匹配(= uri) > 前缀匹配(^~ uri/uri) > 正则匹配(~/~*)。
  2. 优先级是:完整匹配 > 正则匹配 > 前缀匹配(越长优先级越高)。
  3. 完整匹配、正则匹配匹配上之后直接返回,前缀匹配则不是。

#15 记一次 XSS 漏洞发现过程

2019-04-09

某用户委托安全公司对本司(SendCloud)短信发送业务做安全检测,发现咱们的上游通道某一环节的安全漏洞。
跟踪这个过程,真的十分有趣。
这是 XSS 第一次发生在我身边,怎么也不会想到有人会犯这么弱智的错误。最基本的页面输出转义都没做。
页面内容输出转义、SQL 防注入、表单的 CSRF token 校验,应该算是 Web 站点搭建的基础工作吧!

#13 常见 Web 缓存服务

2019-01-06

Apache,Nginx 都有缓存功能,再加上 Redis 做动态数据的缓存,再加上 CDN,所以我还没有用过专门的缓存服务。
但是这些服务真是大名鼎鼎,即便不用,我也可以先列出来做个简单的了解。

#9 Werkzeug WSGI 框架

2017-01-30

示例

from werkzeug.wrappers import Request, Response
from werkzeug.routing import Map, Rule

class Application:
    def __init__(self):
        self.url_map = Map([
            Rule('/', endpoint='hello')
        ])

    def hello(self, request):
        text = 'Hello, World!'
        response = Response(text, content_type='text/plain')
        return response

    @Request.application
    def __call__(self, request):
        adapter = self.url_map.bind_to_environ(request.environ)
        endpoint, values = adapter.match()

        handler = getattr(self, endpoint)
        return handler(request, **values)

if __name__ == '__main__':
    from werkzeug.serving import run_simple
    app = Application()
    run_simple('localhost', 5000, app)

Werkzeug 与协程(async/await

Werkzeug 1.x 开始已经提供了对协程的支持。
PS:WSGI 规范是基于同步的设计,没有较好的适配异步编程,所以后面一些更年轻的框架选择了 ASGI(Async Server Gateway Interface)。
PS:2014/03/01, WSGI
PS:2021/11/06, 体验 ASGI

import asyncio
from werkzeug.wrappers import Request, Response
from werkzeug.routing import Map, Rule

class Application:
    def __init__(self):
        self.url_map = Map([
            Rule('/', endpoint='hello')
        ])

    async def hello(self, request):
        text = 'Hello, World!'
        response = Response(text, content_type='text/plain')
        return response

    @Request.application
    async def __call__(self, request):
        adapter = self.url_map.bind_to_environ(request.environ)
        endpoint, values = adapter.match()

        handler = getattr(self, endpoint)
        response = await handler(request, **values)
        return response

if __name__ == '__main__':
    from werkzeug.serving import run_simple
    app = Application()
    run_simple('localhost', 5000, app)

附:版本历史

版本 时间
2.3.4 May 9, 2023
2.3.3 May 1, 2023
2.3.2 Apr 29, 2023
2.3.1 Apr 27, 2023
2.3.0 Apr 26, 2023
2.2.3 Feb 15, 2023
2.2.2 Aug 9, 2022
2.2.1 Jul 28, 2022
2.2.0 Jul 24, 2022
2.1.2 Apr 29, 2022
2.1.1 Apr 2, 2022
2.1.0 Mar 29, 2022
2.0.3 Feb 8, 2022
2.0.2 Oct 6, 2021
2.0.1 May 18, 2021
2.0.0 May 12, 2021
1.0.1 Apr 1, 2020
1.0.0 Feb 7, 2020
0.16.1 Jan 27, 2020
0.16.0 Sep 19, 2019
0.15.6 Sep 5, 2019
0.15.5 Jul 17, 2019
0.15.4 May 15, 2019
0.15.3 May 15, 2019
0.15.2 Apr 3, 2019
0.15.1 Mar 22, 2019
0.15.0 Mar 20, 2019
0.14.1 Jan 1, 2018
0.14 Dec 31, 2017
0.13 Dec 8, 2017
0.12.2 May 16, 2017
0.12.1 Mar 16, 2017
0.12 Mar 10, 2017
0.11.15 Dec 31, 2016
0.11.14 Dec 31, 2016
0.11.13 Dec 27, 2016
0.11.12 Dec 26, 2016
0.11.11 Aug 31, 2016
0.11.10 May 24, 2016
0.11.9 Apr 25, 2016
0.11.8 Apr 15, 2016
0.11.7 Apr 15, 2016
0.11.6 Apr 14, 2016
0.11.5 Mar 23, 2016
0.11.4 Feb 15, 2016
0.11.3 Dec 20, 2015
0.11.2 Nov 12, 2015
0.11.1 Nov 10, 2015
0.11 Nov 8, 2015
0.10.4 Mar 26, 2015
0.10.3 Mar 26, 2015
0.10.2 Mar 26, 2015
0.10.1 Feb 4, 2015
0.10 Jan 30, 2015
0.9.6 Jun 7, 2014
0.9.5 Jun 7, 2014
0.9.4 Aug 26, 2013
0.9.3 Jul 25, 2013
0.9.2 Jul 18, 2013
0.9.1 Jun 14, 2013
0.9 Jun 13, 2013
0.8.3 Feb 5, 2012
0.8.2 Dec 16, 2011
0.8.1 Sep 30, 2011
0.8 Sep 30, 2011
0.7.2 Sep 30, 2011
0.7.1 Jul 26, 2011
0.7 Jul 24, 2011
0.6.2 Apr 24, 2010
0.6.1 Apr 13, 2010
0.6 Feb 19, 2010
0.5.1 Jul 10, 2009
0.5 Apr 25, 2009
0.4.1 Jan 11, 2009
0.4 Nov 23, 2008
0.3.1 Jun 24, 2008
0.3 Jun 15, 2008
0.2 Feb 14, 2008
0.1 Dec 10, 2007

#8 The Pallets Projects

2017-01-30

这个组织下的每个项目单拿出来都是响当当的存在:

  • Click — Beautiful, composable command line interface creation kit.
  • Flask — a flexible and popular web development framework
  • ItsDangerous — Safely pass trusted data to untrusted environments and back.
  • Jinja — a full featured template engine for Python
  • MarkupSafe — Safely add untrusted strings to HTML/XML markup.
  • Quart — an async reimplementation of flask
  • Werkzeug — The comprehensive WSGI web application library.
  • Click 命令行工具
  • Flask 轻量级 Web 框架
  • ItsDangerous
  • Jinja 知名模板库
  • MackupSafe
  • Quart
  • Werkzeug Web 工具箱(WSGI),Flask 的底层