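def test_check_url_origin(self):
    """check_url_origin must compare only scheme, host and port.

    Path, query and fragment of either URL are irrelevant, and an explicit
    default port (80 for http, 443 for https) is the same origin as no port.
    The trailing cases pin the classic origin-confusion inputs that a
    same-origin check must reject.
    """
    # Same scheme and host; paths differ and are ignored.
    self.assertTrue(check_url_origin("http://one.com",
                                     "http://one.com/ha/ha/ha"))
    # Explicit default port is equivalent to the implicit one.
    self.assertTrue(check_url_origin("http://one.com",
                                     "http://one.com:80/ho/ho/ho"))
    # Different host.
    self.assertFalse(check_url_origin("http://one.com",
                                      "https://evil.com/i/hack/you"))
    # Same host, different scheme: http and https are distinct origins.
    self.assertFalse(check_url_origin("http://one.com",
                                      "https://one.com/he/he#he"))
    self.assertTrue(check_url_origin("https://one.com:443/blah",
                                     "https://one.com/he/he#he"))
    self.assertTrue(check_url_origin("https://one.com:123",
                                     "https://one.com:123/he/he#he"))
    # Same host, different non-default port.
    self.assertFalse(check_url_origin("https://one.com:123",
                                      "https://one.com:456/he/he#he"))
    # A host that merely starts with the audience host must not match.
    self.assertFalse(check_url_origin("http://one.com",
                                      "http://one.com.evil.com/"))
    # Audience host in the userinfo part; the real host is evil.com.
    self.assertFalse(check_url_origin("http://one.com",
                                      "http://one.com@evil.com/"))
    # Audience host appearing only in the path.
    self.assertFalse(check_url_origin("http://one.com",
                                      "http://evil.com/one.com"))
    # Implicit default port vs an explicit non-default port.
    self.assertFalse(check_url_origin("http://one.com",
                                      "http://one.com:8080/"))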
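 def test_check_url_origin(self):
     """Pin the same-origin contract of check_url_origin.

     Two URLs share an origin iff scheme, host and effective port agree;
     path, query and fragment never matter, and an explicit default port
     (80/http, 443/https) equals an absent one. The final cases cover the
     usual host-confusion tricks, which a correct check must reject.
     """
     self.assertTrue(
         check_url_origin("http://one.com", "http://one.com/ha/ha/ha"))
     # Explicit default port == implicit port.
     self.assertTrue(
         check_url_origin("http://one.com", "http://one.com:80/ho/ho/ho"))
     # Different host.
     self.assertFalse(
         check_url_origin("http://one.com", "https://evil.com/i/hack/you"))
     # Same host, different scheme.
     self.assertFalse(
         check_url_origin("http://one.com", "https://one.com/he/he#he"))
     self.assertTrue(
         check_url_origin("https://one.com:443/blah",
                          "https://one.com/he/he#he"))
     self.assertTrue(
         check_url_origin("https://one.com:123",
                          "https://one.com:123/he/he#he"))
     # Same host, different non-default port.
     self.assertFalse(
         check_url_origin("https://one.com:123",
                          "https://one.com:456/he/he#he"))
     # Host that only starts with the audience host.
     self.assertFalse(
         check_url_origin("http://one.com", "http://one.com.evil.com/"))
     # Audience host hidden in userinfo; the real host is evil.com.
     self.assertFalse(
         check_url_origin("http://one.com", "http://one.com@evil.com/"))
     # Audience host only in the path.
     self.assertFalse(
         check_url_origin("http://one.com", "http://evil.com/one.com"))
     # Implicit default port vs explicit non-default port.
     self.assertFalse(
         check_url_origin("http://one.com", "http://one.com:8080/"))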
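    def _check_referer_header(self, request, audience):
        """Return True if the request's Referer is acceptable for ``audience``.

        When the check is enabled, the incoming request must carry an HTTP
        Referer header from the same origin (scheme, host, port) as the
        assertion audience.  This gives some measure of protection against
        CSRF: a page on another site cannot make the browser send a Referer
        from the audience origin.

        ``self.check_referer`` selects the policy:
          * True  -- always check.
          * False -- never check.
          * None  -- check only for requests that arrived over https; on plain
            http the header is often missing and easily spoofed, so the check
            is usually not worth it.

        Args:
            request: WSGI-style request; reads ``environ["wsgi.url_scheme"]``,
                ``referer`` and ``host_url``.
            audience: the assertion audience URL the Referer must match.

        Returns:
            True when the check is disabled or the Referer matches; False when
            the check is enabled and the Referer is missing, empty or from a
            different origin.

        Caveats for anyone relying on this as CSRF protection:
          * The Referer is resolved against ``request.host_url``, so a
            relative value counts as same-host.  Browsers send absolute
            Referers and are the threat this check targets; a non-browser
            client can set any Referer at all, so this check adds nothing
            against such clients.
          * Anything that lets an attacker run script or redirect from the
            audience origin defeats a Referer check; a dedicated CSRF token
            is the stronger control.
        """
        check_referer = self.check_referer
        if check_referer is None:
            check_referer = (request.environ["wsgi.url_scheme"] == "https")
        if not check_referer:
            return True
        # Treat an empty header like a missing one: urljoin() would otherwise
        # resolve "" to host_url itself and wave the request through.
        if not request.referer:
            return False
        referer = urljoin(request.host_url, request.referer)
        return bool(check_url_origin(audience, referer))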
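    def _check_referer_header(self, request, audience):
        """Check whether the request's Referer matches ``audience``.

        With the check enabled, the request must present an HTTP Referer
        header whose origin (scheme, host, port) equals that of the assertion
        audience.  This offers some protection against CSRF, since a page on
        another site cannot get the browser to send a Referer from the
        audience origin.

        Policy comes from ``self.check_referer``: True always checks, False
        never checks, and None (the default) checks only when the request
        came in over https -- on plain http the header is frequently absent
        and trivially spoofed, so checking it buys little.

        Args:
            request: WSGI-style request; uses ``environ["wsgi.url_scheme"]``,
                ``referer`` and ``host_url``.
            audience: the assertion audience URL to compare against.

        Returns:
            True if the check is disabled or the Referer matches the audience
            origin; False if the check is enabled and the Referer is absent,
            empty or from another origin.

        Caveats: the Referer is resolved relative to ``request.host_url``,
        so a relative value is treated as same-host -- fine for browsers,
        which send absolute Referers and are the threat here, but no defence
        against non-browser clients that can set any Referer.  Script
        execution or an open redirect on the audience origin also defeats
        this check; a CSRF token is the stronger control.
        """
        enabled = self.check_referer
        if enabled is None:
            enabled = request.environ["wsgi.url_scheme"] == "https"
        if not enabled:
            return True
        referer_value = request.referer
        # An empty header must be rejected like a missing one; urljoin()
        # would otherwise turn "" into host_url and the check would pass.
        if not referer_value:
            return False
        absolute_referer = urljoin(request.host_url, referer_value)
        return bool(check_url_origin(audience, absolute_referer))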