ROOTPLOIT
Server: LiteSpeed
System: Linux in-mum-web1878.main-hosting.eu 5.14.0-570.21.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jun 11 07:22:35 EDT 2025 x86_64
User: u435929562 (435929562)
PHP: 7.4.33
Disabled: system, exec, shell_exec, passthru, mysql_list_dbs, ini_alter, dl, symlink, link, chgrp, leak, popen, apache_child_terminate, virtual, mb_send_mail
$ pwd: /opt/go/pkg/mod/github.com/aws/[email protected]/service/cloudfront/sign/
Upload Files
File: //opt/go/pkg/mod/github.com/aws/[email protected]/service/cloudfront/sign/sign_cookie.go
package sign

import (
	"crypto/rsa"
	"fmt"
	"net/http"
	"strings"
	"time"
)

const (
	// CookiePolicyName name of the policy cookie
	CookiePolicyName = "CloudFront-Policy"
	// CookieSignatureName name of the signature cookie
	CookieSignatureName = "CloudFront-Signature"
	// CookieKeyIDName name of the signing Key ID cookie
	CookieKeyIDName = "CloudFront-Key-Pair-Id"
)

// A CookieOptions optional additional options that can be applied to the signed
// cookies.
type CookieOptions struct {
	Path   string
	Domain string
	Secure bool
}

// apply will integration the options provided into the base cookie options
// a new copy will be returned. The base CookieOption will not be modified.
func (o CookieOptions) apply(opts ...func(*CookieOptions)) CookieOptions {
	if len(opts) == 0 {
		return o
	}

	for _, opt := range opts {
		opt(&o)
	}

	return o
}

// A CookieSigner provides signing utilities to sign Cookies for Amazon CloudFront
// resources. Using a private key and Credential Key Pair key ID the CookieSigner
// only needs to be created once per Credential Key Pair key ID and private key.
//
// More information about signed Cookies and their structure can be found at:
// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html
//
// To sign a Cookie, create a CookieSigner with your private key and credential
// pair key ID. Once you have a CookieSigner instance you can call Sign or
// SignWithPolicy to sign the URLs.
//
// The signer is safe to use concurrently, but the optional cookies options
// are not safe to modify concurrently.
type CookieSigner struct {
	keyID   string
	privKey *rsa.PrivateKey

	Opts CookieOptions
}

// NewCookieSigner constructs and returns a new CookieSigner to be used to for
// signing Amazon CloudFront URL resources with.
func NewCookieSigner(keyID string, privKey *rsa.PrivateKey, opts ...func(*CookieOptions)) *CookieSigner {
	signer := &CookieSigner{
		keyID:   keyID,
		privKey: privKey,
		Opts:    CookieOptions{}.apply(opts...),
	}

	return signer
}

// Sign returns the cookies needed to allow user agents to make arbetrary
// requests to cloudfront for the resource(s) defined by the policy.
//
// Sign will create a CloudFront policy with only a resource and condition of
// DateLessThan equal to the expires time provided.
//
// The returned slice cookies should all be added to the Client's cookies or
// server's response.
//
// Example:
//
//	s := sign.NewCookieSigner(keyID, privKey)
//
//	// Get Signed cookies for a resource that will expire in 1 hour
//	cookies, err := s.Sign("*", time.Now().Add(1 * time.Hour))
//	if err != nil {
//	    fmt.Println("failed to create signed cookies", err)
//	    return
//	}
//
//	// Or get Signed cookies for a resource that will expire in 1 hour
//	// and set path and domain of cookies
//	cookies, err := s.Sign("*", time.Now().Add(1 * time.Hour), func(o *sign.CookieOptions) {
//	    o.Path = "/"
//	    o.Domain = ".example.com"
//	})
//	if err != nil {
//	    fmt.Println("failed to create signed cookies", err)
//	    return
//	}
//
//	// Server Response via http.ResponseWriter
//	for _, c := range cookies {
//	    http.SetCookie(w, c)
//	}
//
//	// Client request via the cookie jar
//	if client.CookieJar != nil {
//	    for _, c := range cookies {
//	       client.Cookie(w, c)
//	    }
//	}
func (s CookieSigner) Sign(u string, expires time.Time, opts ...func(*CookieOptions)) ([]*http.Cookie, error) {
	scheme, err := cookieURLScheme(u)
	if err != nil {
		return nil, err
	}

	resource, err := CreateResource(scheme, u)
	if err != nil {
		return nil, err
	}

	p := NewCannedPolicy(resource, expires)
	return createCookies(p, s.keyID, s.privKey, s.Opts.apply(opts...))
}

// Returns and validates the URL's scheme.
// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html#private-content-custom-policy-statement-cookies
func cookieURLScheme(u string) (string, error) {
	parts := strings.SplitN(u, "://", 2)
	if len(parts) != 2 {
		return "", fmt.Errorf("invalid cookie URL, missing scheme")
	}

	scheme := strings.ToLower(parts[0])
	if scheme != "http" && scheme != "https" && scheme != "http*" {
		return "", fmt.Errorf("invalid cookie URL scheme. Expect http, https, or http*. Go, %s", scheme)
	}

	return scheme, nil
}

// SignWithPolicy returns the cookies needed to allow user agents to make
// arbetrairy requets to cloudfront for the resource(s) defined by the policy.
//
// The returned slice cookies should all be added to the Client's cookies or
// server's response.
//
// Example:
//
//	s := sign.NewCookieSigner(keyID, privKey)
//
//	policy := &sign.Policy{
//	    Statements: []sign.Statement{
//	        {
//	            // Read the provided documentation on how to set this
//	            // correctly, you'll probably want to use wildcards.
//	            Resource: rawCloudFrontURL,
//	            Condition: sign.Condition{
//	                // Optional IP source address range
//	                IPAddress: &sign.IPAddress{SourceIP: "192.0.2.0/24"},
//	                // Optional date URL is not valid until
//	                DateGreaterThan: &sign.AWSEpochTime{time.Now().Add(30 * time.Minute)},
//	                // Required date the URL will expire after
//	                DateLessThan: &sign.AWSEpochTime{time.Now().Add(1 * time.Hour)},
//	            },
//	        },
//	    },
//	}
//
//	// Get Signed cookies for a resource that will expire in 1 hour
//	cookies, err := s.SignWithPolicy(policy)
//	if err != nil {
//	    fmt.Println("failed to create signed cookies", err)
//	    return
//	}
//
//	// Or get Signed cookies for a resource that will expire in 1 hour
//	// and set path and domain of cookies
//	cookies, err := s.SignWithPolicy(policy, func(o *sign.CookieOptions) {
//	    o.Path = "/"
//	    o.Domain = ".example.com"
//	})
//	if err != nil {
//	    fmt.Println("failed to create signed cookies", err)
//	    return
//	}
//
//	// Server Response via http.ResponseWriter
//	for _, c := range cookies {
//	    http.SetCookie(w, c)
//	}
//
//	// Client request via the cookie jar
//	if client.CookieJar != nil {
//	    for _, c := range cookies {
//	       client.Cookie(w, c)
//	    }
//	}
func (s CookieSigner) SignWithPolicy(p *Policy, opts ...func(*CookieOptions)) ([]*http.Cookie, error) {
	return createCookies(p, s.keyID, s.privKey, s.Opts.apply(opts...))
}

// Prepares the cookies to be attached to the header. An (optional) options
// struct is provided in case people don't want to manually edit their cookies.
func createCookies(p *Policy, keyID string, privKey *rsa.PrivateKey, opt CookieOptions) ([]*http.Cookie, error) {
	b64Sig, b64Policy, err := p.Sign(privKey)
	if err != nil {
		return nil, err
	}

	// Creates proper cookies
	cPolicy := &http.Cookie{
		Name:     CookiePolicyName,
		Value:    string(b64Policy),
		HttpOnly: true,
	}
	cSignature := &http.Cookie{
		Name:     CookieSignatureName,
		Value:    string(b64Sig),
		HttpOnly: true,
	}
	cKey := &http.Cookie{
		Name:     CookieKeyIDName,
		Value:    keyID,
		HttpOnly: true,
	}

	cookies := []*http.Cookie{cPolicy, cSignature, cKey}

	// Applie the cookie options
	for _, c := range cookies {
		c.Path = opt.Path
		c.Domain = opt.Domain
		c.Secure = opt.Secure
	}

	return cookies, nil
}
@ Telegram