def __call__(self, environ, start_response):
request = Request(environ)
session = environ['beaker.session']
csrf_token = session.get('csrf')
if not csrf_token:
csrf_token = session['csrf'] = str(random.getrandbits(128))
session.save()
if request.method == 'POST':
# check to see if we want to process the post at all
if (self.unprotected_path is not None
and request.path_info.startswith(self.unprotected_path)):
resp = request.get_response(self.app)
resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
resp.set_cookie('csrf', csrf_token, max_age=3600)
return resp(environ, start_response)
# check incoming token
try:
account_data = request.POST.get('account', None)
request_csrf_token = environ.get('HTTP_X_CSRF',
request.POST.get('csrftoken'))
if account_data is None and request_csrf_token != csrf_token:
resp = HTTPForbidden(_ERROR_MSG)
metrics.track(request, 'invalid-session')
resp.headers['X-Error'] = 'CSRF'
else:
resp = request.get_response(self.app)
except KeyError:
resp = HTTPForbidden(_ERROR_MSG)
resp.headers['X-Error'] = 'CSRF'
# if we're a get, we don't do any checking
else:
resp = request.get_response(self.app)
if resp.status_int != 200:
return resp(environ, start_response)
resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
resp.set_cookie('csrf', csrf_token, max_age=3600)
if resp.content_type.split(';')[0] in _HTML_TYPES:
# ensure we don't add the 'id' attribute twice (HTML validity)
idattributes = itertools.chain(('id="csrfmiddlewaretoken"', ),
itertools.repeat(''))
def add_csrf_field(match):
"""Returns the matched <form> tag plus the added <input> element"""
return match.group() + '<div style="display:none;">' + \
'<input type="hidden" ' + idattributes.next() + \
' name="csrftoken" value="' + csrf_token + \
'" /></div>'
# Modify any POST forms and fix content-length
resp.body = _POST_FORM_RE.sub(add_csrf_field, resp.body)
return resp(environ, start_response)
def __call__(self, environ, start_response):
request = Request(environ)
session = environ['beaker.session']
csrf_token = session.get('csrf')
if not csrf_token:
csrf_token = session['csrf'] = str(random.getrandbits(128))
session.save()
if request.method == 'POST':
# check to see if we want to process the post at all
if (self.unprotected_path is not None
and request.path_info.startswith(self.unprotected_path)):
resp = request.get_response(self.app)
resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
resp.set_cookie('csrf', csrf_token, max_age=3600)
return resp(environ, start_response)
# check incoming token
try:
account_data = request.POST.get('account', None)
request_csrf_token = environ.get('HTTP_X_CSRF', request.POST.get('csrftoken'))
if account_data is None and request_csrf_token != csrf_token:
resp = HTTPForbidden(_ERROR_MSG)
metrics.track(request, 'invalid-session')
resp.headers['X-Error'] = 'CSRF'
else:
resp = request.get_response(self.app)
except KeyError:
resp = HTTPForbidden(_ERROR_MSG)
resp.headers['X-Error'] = 'CSRF'
# if we're a get, we don't do any checking
else:
resp = request.get_response(self.app)
if resp.status_int != 200:
return resp(environ, start_response)
resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
resp.set_cookie('csrf', csrf_token, max_age=3600)
if resp.content_type.split(';')[0] in _HTML_TYPES:
# ensure we don't add the 'id' attribute twice (HTML validity)
idattributes = itertools.chain(('id="csrfmiddlewaretoken"',),
itertools.repeat(''))
def add_csrf_field(match):
"""Returns the matched <form> tag plus the added <input> element"""
return match.group() + '<div style="display:none;">' + \
'<input type="hidden" ' + idattributes.next() + \
' name="csrftoken" value="' + csrf_token + \
'" /></div>'
# Modify any POST forms and fix content-length
resp.body = _POST_FORM_RE.sub(add_csrf_field, resp.body)
return resp(environ, start_response)
def __call__(self, environ, start_response):
request = Request(environ)
session = environ["beaker.session"]
csrftoken = session.get("csrftoken")
if not csrftoken:
csrftoken = session["csrftoken"] = str(random.getrandbits(128))
session.save()
if request.method == "POST":
if self.unprotected_path is not None and request.path_info.startswith(self.unprotected_path):
resp = request.get_response(self.app)
resp.headers["X-Frame-Options"] = "SAMEORIGIN"
resp.set_cookie("csrftoken", csrftoken, max_age=3600)
return resp(environ, start_response)
# check for incoming csrf token
try:
request_csrf_token = environ.get("HTTP_X_CSRFTOKEN", request.POST.get("csrftoken"))
if request_csrf_token != csrftoken:
resp = HTTPForbidden("CSRF - Aborted.")
else:
resp = request.get_response(self.app)
except KeyError:
resp = HTTPForbidden("Forbidden: Administrator has been notified.")
else:
resp = request.get_response(self.app)
if resp.status_int != 200:
return resp(environ, start_response)
resp.headers["X-Frame-Options"] = "SAMEORIGIN"
resp.set_cookie("csrftoken", csrftoken, max_age=3600)
if resp.content_type.split(";")[0] in ["text/html", "application/xhtml+xml"]:
# ensure we don't add the 'id' attribute twice (HTML validity)
id_attr = itertools.chain(('id="csrftoken"',), itertools.repeat(""))
def add_csrf_field(match):
"""Returns the matched <form> tag and adds the <input> element"""
return match.group() + (
'<input type="hidden" ' + id_attr.next() + ' name="csrftoken" value="' + csrftoken + '" />'
)
# Modify any POST forms and fix content-length
body = re.compile(r"(<form\W.*)", re.IGNORECASE)
resp.body = body.sub(add_csrf_field, resp.body)
return resp(environ, start_response)
def __call__(self, environ, start_response):
request = Request(environ)
session = environ['beaker.session']
session.save()
if request.method == 'POST':
# check to see if we want to process the post at all
if (self.unprotected_path is not None
and request.path_info.startswith(self.unprotected_path)):
resp = request.get_response(self.app)
return resp(environ, start_response)
csrf_token = session.id
# check incoming token
try:
request_csrf_token = request.POST['csrfmiddlewaretoken']
if request_csrf_token != csrf_token:
resp = HTTPForbidden(_ERROR_MSG)
else:
resp = request.get_response(self.app)
except KeyError:
resp = HTTPForbidden(_ERROR_MSG)
# if we're a get, we don't do any checking
else:
resp = request.get_response(self.app)
if resp.status_int != 200:
return resp(environ, start_response)
session = environ['beaker.session']
csrf_token = session.id
if resp.content_type.split(';')[0] in _HTML_TYPES:
# ensure we don't add the 'id' attribute twice (HTML validity)
idattributes = itertools.chain(('id="csrfmiddlewaretoken"',),
itertools.repeat(''))
def add_csrf_field(match):
"""Returns the matched <form> tag plus the added <input> element"""
return match.group() + '<div style="display:none;">' + \
'<input type="hidden" ' + idattributes.next() + \
' name="csrfmiddlewaretoken" value="' + csrf_token + \
'" /></div>'
# Modify any POST forms and fix content-length
resp.body = _POST_FORM_RE.sub(add_csrf_field, resp.body)
return resp(environ, start_response)
