def test_check_url_origin(self):
    """Exercise check_url_origin's same-origin decision on scheme, host and port.

    Covered cases: default ports (80 for http, 443 for https) compare equal
    to an absent port; path and fragment do not affect the result; a
    different host, scheme or explicit port is a different origin.
    """
    cases = (
        # (expect same origin?, audience, url under test)
        (True, "http://one.com", "http://one.com/ha/ha/ha"),
        (True, "http://one.com", "http://one.com:80/ho/ho/ho"),
        (False, "http://one.com", "https://evil.com/i/hack/you"),
        # same host, different scheme -> different origin
        (False, "http://one.com", "https://one.com/he/he#he"),
        (True, "https://one.com:443/blah", "https://one.com/he/he#he"),
        (True, "https://one.com:123", "https://one.com:123/he/he#he"),
        (False, "https://one.com:123", "https://one.com:456/he/he#he"),
    )
    for expected, audience, url in cases:
        verdict = self.assertTrue if expected else self.assertFalse
        verdict(check_url_origin(audience, url))
def test_check_url_origin(self):
    """Check that check_url_origin compares origins, not full URLs.

    Same-origin pairs differ only in path, fragment or an explicit default
    port; cross-origin pairs differ in host, scheme or non-default port.
    """
    same_origin = [
        ("http://one.com", "http://one.com/ha/ha/ha"),
        ("http://one.com", "http://one.com:80/ho/ho/ho"),
        ("https://one.com:443/blah", "https://one.com/he/he#he"),
        ("https://one.com:123", "https://one.com:123/he/he#he"),
    ]
    cross_origin = [
        ("http://one.com", "https://evil.com/i/hack/you"),
        # https vs http on the same host is still a different origin
        ("http://one.com", "https://one.com/he/he#he"),
        ("https://one.com:123", "https://one.com:456/he/he#he"),
    ]
    for audience, url in same_origin:
        self.assertTrue(check_url_origin(audience, url))
    for audience, url in cross_origin:
        self.assertFalse(check_url_origin(audience, url))
def _check_referer_header(self, request, audience):
    """Check if the request has a referer that matches the audience.

    If the "check_referer" setting is True, this method checks that the
    incoming request has a HTTP Referer header from the same origin as
    the assertion audience. This ensures some measure of protection
    against CSRF attacks, as the attacker would need to spoof the Referer
    header in order to execute an unauthorized login request.

    By default (``check_referer`` is None) this check is only performed
    for secure connections; the referer header is often missing and
    easily spoofable on insecure connections so it's usually not worth it.

    Args:
        request: WSGI request; ``environ["wsgi.url_scheme"]``,
            ``host_url`` and ``referer`` are read.
        audience: the expected origin the Referer must match.

    Returns:
        True when the check is disabled or the Referer is same-origin
        with ``audience``; False when a Referer is required but missing
        or from another origin.
    """
    enabled = self.check_referer
    if enabled is None:
        # Default policy: enforce the Referer check only over HTTPS.
        enabled = request.environ["wsgi.url_scheme"] == "https"
    if not enabled:
        return True
    referer = request.referer
    if referer is None:
        # A required Referer that is absent fails closed.
        return False
    # A relative Referer is resolved against the request's own host URL
    # so that the origin comparison always sees an absolute URL.
    absolute_referer = urljoin(request.host_url, referer)
    return bool(check_url_origin(audience, absolute_referer))
def _check_referer_header(self, request, audience):
    """Check if the request has a referer that matches the audience.

    If the "check_referer" setting is True, this method checks that the
    incoming request has a HTTP Referer header from the same origin as
    the assertion audience. This ensures some measure of protection
    against CSRF attacks, as the attacker would need to spoof the Referer
    header in order to execute an unauthorized login request.

    By default this check is only performed for secure connections; the
    referer header is often missing and easily spoofable on insecure
    connections so it's usually not worth it.

    Returns True when the check is skipped or passes, False when a
    Referer is required but absent or not same-origin with ``audience``.
    """
    # None means "decide from the connection": enforce only for https.
    if self.check_referer is None:
        must_check = request.environ["wsgi.url_scheme"] == "https"
    else:
        must_check = self.check_referer
    if must_check:
        if request.referer is None:
            return False
        # Make the Referer absolute (relative to the request host) before
        # handing it to the origin comparison.
        full_referer = urljoin(request.host_url, request.referer)
        return True if check_url_origin(audience, full_referer) else False
    return True