 def gen_api_token(self):
     """Create the current user's API token, or rotate its secret if one exists.

     Looks up the ``M.ApiToken`` belonging to ``c.user``. When one is found its
     ``secret_key`` is overwritten with a fresh ``h.cryptographic_nonce()``;
     when none is found a new ``M.ApiToken`` is instantiated for the user
     (its initial secret presumably comes from the model's own defaults --
     confirm in ``M.ApiToken``). Nothing is saved or flushed explicitly here;
     persistence is left to the surrounding ORM session.

     Finishes by redirecting to ``request.referer``. NOTE(review): the Referer
     header is client-supplied and may be absent, so the redirect target is
     not under the application's control.
     """
     user_id = c.user._id
     token = M.ApiToken.query.get(user_id=user_id)
     if token is not None:
         # Rotate in place instead of creating a second token for the user.
         token.secret_key = h.cryptographic_nonce()
     else:
         # Keep the new document bound until the redirect so its lifetime
         # matches the original code path.
         token = M.ApiToken(user_id=user_id)
     redirect(request.referer)
    def __call__(self, environ, start_response):
        """WSGI entry point: double-submit CSRF check, then hand off downstream.

        The token is read from the cookie named ``self._cookie_name``; when the
        cookie is absent a fresh ``h.cryptographic_nonce()`` is used instead.
        On a POST the form field ``self._param_name`` is popped out of
        ``req.str_POST`` (so the wrapped app never sees it) and must equal the
        cookie value. On a mismatch the incoming ``HTTP_COOKIE`` header is
        removed from ``environ`` so the wrapped app runs without the existing
        session, and requests under ``/auth/`` are answered with 403 outright;
        every other mismatching POST is still forwarded downstream.

        The token is exported as ``environ[self._cookie_name]`` for the current
        response and re-issued as a ``Set-cookie`` header on ``text/html``
        responses.

        NOTE(review): only the POST method is inspected here, the cookie is
        emitted with ``Path=/`` alone (no Secure/HttpOnly/SameSite attributes),
        and the warning line writes both token values verbatim to the log.
        """
        wsgi_req = Request(environ)

        token = wsgi_req.cookies.get(self._cookie_name)
        if token is None:
            token = h.cryptographic_nonce()

        if wsgi_req.method == 'POST':
            submitted = wsgi_req.str_POST.pop(self._param_name, None)
            if token != submitted:
                log.warning('CSRF attempt detected, %r != %r', token, submitted)
                # Strip the browser's cookies before the app sees the request;
                # this effectively kills the existing session.
                environ.pop('HTTP_COOKIE', None)
                # Under /auth/ (login form, password recovery, ...) there is no
                # session to kill, so the request is refused instead.
                if wsgi_req.path.startswith('/auth/'):
                    return exc.HTTPForbidden()(environ, start_response)

        # Make the token available to the app on this very response, before
        # the browser has had a chance to store the cookie.
        environ[self._cookie_name] = token

        def start_response_with_token(status, headers, exc_info=None):
            # The cookie is meant for later forms, so only HTML responses get it.
            content_type = dict(headers).get('Content-Type', '')
            if content_type.startswith('text/html'):
                cookie_header = str('%s=%s; Path=/' % (self._cookie_name, token))
                headers.append(('Set-cookie', cookie_header))
            return start_response(status, headers, exc_info)

        return self._app(environ, start_response_with_token)
 def gen_api_token(self):
     """Create the current user's API token, or rotate its secret if one exists.

     Looks up the ``M.ApiToken`` belonging to ``c.user``. When one is found its
     ``secret_key`` is overwritten with a fresh ``h.cryptographic_nonce()``;
     when none is found a new ``M.ApiToken`` is instantiated for the user
     (its initial secret presumably comes from the model's own defaults --
     confirm in ``M.ApiToken``). Nothing is saved or flushed explicitly here;
     persistence is left to the surrounding ORM session.

     Finishes by redirecting to ``request.referer``. NOTE(review): the Referer
     header is client-supplied and may be absent, so the redirect target is
     not under the application's control.
     """
     user_id = c.user._id
     token = M.ApiToken.query.get(user_id=user_id)
     if token is not None:
         # Rotate in place instead of creating a second token for the user.
         token.secret_key = h.cryptographic_nonce()
     else:
         # Keep the new document bound until the redirect so its lifetime
         # matches the original code path.
         token = M.ApiToken(user_id=user_id)
     redirect(request.referer)
    def __call__(self, environ, start_response):
        """WSGI entry point: double-submit CSRF check, then hand off downstream.

        The token is read from the cookie named ``self._cookie_name``; when the
        cookie is absent a fresh ``h.cryptographic_nonce()`` is used instead.
        On a POST the form field ``self._param_name`` is popped out of
        ``req.POST`` (so the wrapped app never sees it) and must equal the
        cookie value. On a mismatch the incoming ``HTTP_COOKIE`` header is
        removed from ``environ`` so the wrapped app runs without the existing
        session, and requests under ``/auth/`` are answered with 403 outright;
        every other mismatching POST is still forwarded downstream.

        The token is exported as ``environ[self._cookie_name]`` for the current
        response and re-issued as a ``Set-cookie`` header on ``text/html``
        responses.

        NOTE(review): only the POST method is inspected here, the cookie is
        emitted with ``Path=/`` alone (no Secure/HttpOnly/SameSite attributes),
        and the warning line writes both token values verbatim to the log.
        """
        wsgi_req = Request(environ)

        token = wsgi_req.cookies.get(self._cookie_name)
        if token is None:
            token = h.cryptographic_nonce()

        if wsgi_req.method == 'POST':
            submitted = wsgi_req.POST.pop(self._param_name, None)
            if token != submitted:
                log.warning('CSRF attempt detected: cookie %r != param %r', token, submitted)
                # Strip the browser's cookies before the app sees the request;
                # this effectively kills the existing session.
                environ.pop('HTTP_COOKIE', None)
                # Under /auth/ (login form, password recovery, ...) there is no
                # session to kill, so the request is refused instead.
                if wsgi_req.path.startswith('/auth/'):
                    return exc.HTTPForbidden()(environ, start_response)

        # Make the token available to the app on this very response, before
        # the browser has had a chance to store the cookie.
        environ[self._cookie_name] = token

        def start_response_with_token(status, headers, exc_info=None):
            # The cookie is meant for later forms, so only HTML responses get it.
            content_type = dict(headers).get('Content-Type', '')
            if content_type.startswith('text/html'):
                cookie_header = str('%s=%s; Path=/' % (self._cookie_name, token))
                headers.append(('Set-cookie', cookie_header))
            return start_response(status, headers, exc_info)

        return self._app(environ, start_response_with_token)
 def __call__(self, environ, start_response):
     """WSGI entry point: double-submit CSRF check, then hand off downstream.

     The token is read from the cookie named ``self._cookie_name``; when the
     cookie is absent a fresh ``h.cryptographic_nonce()`` is used instead.
     On a POST the form field ``self._param_name`` is popped out of
     ``req.str_POST`` and must equal the cookie value. On a mismatch the
     incoming ``HTTP_COOKIE`` header is removed from ``environ`` so the wrapped
     app runs without the existing session; the request itself is still
     forwarded, never rejected here.

     Every response, whatever its content type, gets a ``Set-cookie`` header
     carrying the token. NOTE(review): only the POST method is inspected, the
     cookie is emitted with ``Path=/`` alone (no Secure/HttpOnly/SameSite
     attributes), and the warning line writes both token values to the log.
     """
     wsgi_req = Request(environ)
     token = wsgi_req.cookies.get(self._cookie_name)
     if token is None:
         token = h.cryptographic_nonce()

     if wsgi_req.method == 'POST':
         submitted = wsgi_req.str_POST.pop(self._param_name, None)
         if token != submitted:
             log.warning('CSRF attempt detected, %r != %r', token, submitted)
             # Strip the browser's cookies before the app sees the request.
             environ.pop('HTTP_COOKIE', None)

     def start_response_with_token(status, headers, exc_info=None):
         cookie_header = str('%s=%s; Path=/' % (self._cookie_name, token))
         headers.append(('Set-cookie', cookie_header))
         return start_response(status, headers, exc_info)

     return self._app(environ, start_response_with_token)
 def __call__(self, environ, start_response):
     """WSGI entry point: double-submit CSRF check, then hand off downstream.

     The token is read from the cookie named ``self._cookie_name``; when the
     cookie is absent a fresh ``h.cryptographic_nonce()`` is used instead.
     On a POST the form field ``self._param_name`` is popped out of
     ``req.str_POST`` and must equal the cookie value. On a mismatch the
     incoming ``HTTP_COOKIE`` header is removed from ``environ`` so the wrapped
     app runs without the existing session; the request itself is still
     forwarded, never rejected here.

     Every response, whatever its content type, gets a ``Set-cookie`` header
     carrying the token. NOTE(review): only the POST method is inspected, the
     cookie is emitted with ``Path=/`` alone (no Secure/HttpOnly/SameSite
     attributes), and the warning line writes both token values to the log.
     """
     wsgi_req = Request(environ)
     token = wsgi_req.cookies.get(self._cookie_name)
     if token is None:
         token = h.cryptographic_nonce()

     if wsgi_req.method == 'POST':
         submitted = wsgi_req.str_POST.pop(self._param_name, None)
         if token != submitted:
             log.warning('CSRF attempt detected, %r != %r', token, submitted)
             # Strip the browser's cookies before the app sees the request.
             environ.pop('HTTP_COOKIE', None)

     def start_response_with_token(status, headers, exc_info=None):
         cookie_header = str('%s=%s; Path=/' % (self._cookie_name, token))
         headers.append(('Set-cookie', cookie_header))
         return start_response(status, headers, exc_info)

     return self._app(environ, start_response_with_token)
    def __call__(self, environ, start_response):
        """WSGI entry point: double-submit CSRF check, then hand off downstream.

        The token is read from the cookie named ``self._cookie_name``; when the
        cookie is absent a fresh ``h.cryptographic_nonce()`` is used instead.
        A POST whose ``content_type`` is anything other than
        ``application/json`` (i.e. what a browser form can produce:
        urlencoded, multipart, or blank) must carry the token in the form
        field ``self._param_name``; that field is popped out of ``req.POST``
        so the wrapped app never sees it, and a ``KeyError`` while reading the
        body is logged at debug level and treated as a missing token.

        On a mismatch the incoming ``HTTP_COOKIE`` header is removed from
        ``environ`` so the wrapped app runs without the existing session, and
        requests under ``/auth/`` are answered with 403 outright; every other
        mismatching POST is still forwarded downstream.

        The token is exported as ``environ[self._cookie_name]`` for the current
        response and re-issued as a ``Set-cookie`` header on ``text/html``
        responses, with ``secure`` added when ``environ['beaker.session']``
        reports itself secure.

        NOTE(review): the JSON exemption is an exact string compare on
        ``req.content_type`` -- it assumes that attribute has parameters such
        as charset already stripped; confirm against the Request class in use.
        Only the POST method is inspected, the cookie carries no HttpOnly or
        SameSite attribute, and the warning line logs both token values.
        """
        wsgi_req = Request(environ)

        token = wsgi_req.cookies.get(self._cookie_name)
        if token is None:
            token = h.cryptographic_nonce()

        # Browser forms send application/x-www-form-urlencoded, multipart/form-data
        # or possibly no type at all; JSON posts are left alone.
        is_form_post = (wsgi_req.method == 'POST'
                        and wsgi_req.content_type != 'application/json')
        if is_form_post:
            try:
                submitted = wsgi_req.POST.pop(self._param_name, None)
            except KeyError:
                log.debug('error getting %s from POST', self._param_name, exc_info=True)
                submitted = None
            if token != submitted:
                log.warning('CSRF attempt detected: cookie %r != param %r', token, submitted)
                # Strip the browser's cookies before the app sees the request;
                # this effectively kills the existing session.
                environ.pop('HTTP_COOKIE', None)
                # Under /auth/ (login form, password recovery, ...) there is no
                # session to kill, so the request is refused instead.
                if wsgi_req.path.startswith('/auth/'):
                    return exc.HTTPForbidden()(environ, start_response)

        # Make the token available to the app on this very response, before
        # the browser has had a chance to store the cookie.
        environ[self._cookie_name] = token

        def start_response_with_token(status, headers, exc_info=None):
            # The cookie is meant for later forms, so only HTML responses get it.
            content_type = dict(headers).get('Content-Type', '')
            if content_type.startswith('text/html'):
                # Mirror the session cookie's secure flag.
                secure_attr = ''
                if environ['beaker.session'].secure:
                    secure_attr = 'secure; '
                cookie_header = str('%s=%s; %sPath=/' % (self._cookie_name, token, secure_attr))
                headers.append((str('Set-cookie'), cookie_header))
            return start_response(status, headers, exc_info)

        return self._app(environ, start_response_with_token)
 def gen_secret(self):
     """Return a fresh secret from ``h.cryptographic_nonce(20)``.

     The ``20`` is passed straight through to the helper; whether it counts
     bytes or output characters is decided by ``h.cryptographic_nonce`` --
     check there before relying on the secret's length.
     """
     nonce_size = 20
     return h.cryptographic_nonce(nonce_size)
 def gen_secret(self):
     """Return a fresh secret from ``h.cryptographic_nonce(20)``.

     The ``20`` is passed straight through to the helper; whether it counts
     bytes or output characters is decided by ``h.cryptographic_nonce`` --
     check there before relying on the secret's length.
     """
     nonce_size = 20
     return h.cryptographic_nonce(nonce_size)