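def csrfProtect(self, requestToken=None):
    """Reject state-changing requests that do not carry a valid CSRF token.

    Requests flagged exempt via ``shared._csrfExempt`` and requests using a
    method other than POST/PUT/PATCH/DELETE pass through untouched. For the
    protected methods the expected value is the hex HMAC-SHA1 of the session's
    ``_csrfToken`` keyed with ``SECRET_KEY``; the submitted token is
    ``requestToken`` when given, otherwise the ``_csrfToken`` form field.

    Args:
        requestToken: token supplied by the caller (for example read from a
            header). When ``None`` the ``_csrfToken`` form field is used.

    Raises:
        Whatever ``abort(403)`` raises, when the session holds no token, the
        submitted token does not match and no ``csrfHandler`` is configured,
        or the token has expired (see ``checkCSRFExpire``).
    """
    if shared._csrfExempt:
        return
    # Only state-changing methods are protected; safe methods are not checked.
    if request.method not in ('POST', 'PUT', 'PATCH', 'DELETE'):
        return

    sessionToken = session.get('_csrfToken', None)
    if not sessionToken:
        # CSRF token missing from the session: nothing to compare against.
        abort(403)

    config = ConfigManager.getConfig()
    secretKey = config['SECRET_KEY']
    # NOTE(review): on Python 3 hmac.new() requires a bytes key; if SECRET_KEY
    # is configured as text this raises TypeError -- confirm how it is stored.
    expected = hmac.new(secretKey, str(sessionToken).encode('utf-8'),
                        digestmod=sha1).hexdigest()

    token = requestToken if requestToken is not None else request.form.get('_csrfToken')
    # compare_digest() runs in constant time, so a wrong token does not leak
    # how many leading characters matched. It raises TypeError on operands of
    # mixed/unsupported types (and non-ASCII text); any such token cannot be a
    # valid hex digest, so it is treated as a mismatch, as a plain `!=` would.
    if token is None:
        tokenValid = False
    else:
        try:
            tokenValid = hmac.compare_digest(expected, str(token))
        except (TypeError, UnicodeError):
            tokenValid = False

    if not tokenValid:
        # invalid CSRF token
        if self.csrfHandler:
            # NOTE(review): if the handler returns instead of aborting, control
            # falls through to the expiry check and the request proceeds --
            # confirm that is the intended contract for csrfHandler.
            self.csrfHandler(*self.app.matchRequest())
        else:
            abort(403)

    if not self.checkCSRFExpire(token):
        # CSRF token expired
        abort(403)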
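def checkCSRFExpire(self, requestToken):
    """Return whether the session's CSRF token is still within its lifetime.

    ``CSRF_EXPIRE`` in the app config is the token lifetime in seconds; when
    it is unset, tokens never expire. The token's creation time is the Unix
    timestamp stored in ``session['_csrfTokenAdded']``.

    Args:
        requestToken: the submitted token. Kept for interface compatibility;
            the decision depends only on the session timestamp.

    Returns:
        True if expiry is disabled or the token is not older than
        ``CSRF_EXPIRE`` seconds; False if it has expired or the session
        records no creation time.
    """
    csrfCreateAt = session.get('_csrfTokenAdded', None)
    expire = self.app.config.get('CSRF_EXPIRE', None)
    if expire is None:
        return True
    if csrfCreateAt is None:
        # Expiry is enforced but no creation time was recorded: treat the
        # token as expired instead of failing with TypeError on the
        # subtraction below (which would surface as a server error).
        return False
    # time.time() is the Unix timestamp directly; round-tripping
    # datetime.now() through mktime() drops fractional seconds and is
    # ambiguous across a DST transition.
    term = time.time() - csrfCreateAt
    return term <= expire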