def __call__(self, environ, start_response): request = Request(environ) session = environ["beaker.session"] csrftoken = session.get("csrftoken") if not csrftoken: csrftoken = session["csrftoken"] = str(random.getrandbits(128)) session.save() if request.method == "POST": if self.unprotected_path is not None and request.path_info.startswith(self.unprotected_path): resp = request.get_response(self.app) resp.headers["X-Frame-Options"] = "SAMEORIGIN" resp.set_cookie("csrftoken", csrftoken, max_age=3600) return resp(environ, start_response) # check for incoming csrf token try: request_csrf_token = environ.get("HTTP_X_CSRFTOKEN", request.POST.get("csrftoken")) if request_csrf_token != csrftoken: resp = HTTPForbidden("CSRF - Aborted.") else: resp = request.get_response(self.app) except KeyError: resp = HTTPForbidden("Forbidden: Administrator has been notified.") else: resp = request.get_response(self.app) if resp.status_int != 200: return resp(environ, start_response) resp.headers["X-Frame-Options"] = "SAMEORIGIN" resp.set_cookie("csrftoken", csrftoken, max_age=3600) if resp.content_type.split(";")[0] in ["text/html", "application/xhtml+xml"]: # ensure we don't add the 'id' attribute twice (HTML validity) id_attr = itertools.chain(('id="csrftoken"',), itertools.repeat("")) def add_csrf_field(match): """Returns the matched <form> tag and adds the <input> element""" return match.group() + ( '<input type="hidden" ' + id_attr.next() + ' name="csrftoken" value="' + csrftoken + '" />' ) # Modify any POST forms and fix content-length body = re.compile(r"(<form\W.*)", re.IGNORECASE) resp.body = body.sub(add_csrf_field, resp.body) return resp(environ, start_response)
def __call__(self, context, request): if self.use_subpath: return call_app_with_subpath_as_path_info(request, self.app) return request.get_response(self.app)
def __call__(self, context, request): return request.get_response(self.process)