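def __call__(self, environ, start_response):
    """WSGI entry point: enforce and inject the per-session CSRF token.

    The token is kept in the Beaker session under ``'csrf'``; it is
    created on first sight, echoed back in a ``csrf`` cookie, and injected
    into every POST form of a 200 HTML response so browser submissions
    carry it.  A POST must present it in the ``X-CSRF`` header or the
    ``csrftoken`` form field, except below ``self.unprotected_path``.

    Args:
        environ: WSGI environ; must hold a Beaker session under
            ``'beaker.session'`` (``KeyError`` otherwise).
        start_response: WSGI ``start_response`` callable.

    Returns:
        The WSGI body iterable of the (possibly rewritten) response.
    """
    request = Request(environ)
    session = environ['beaker.session']
    csrf_token = session.get('csrf')
    if not csrf_token:
        # SystemRandom draws from os.urandom.  The default Mersenne-Twister
        # ``random.getrandbits`` can be reconstructed from other outputs of
        # the same generator, which is not acceptable for a token whose
        # only job is to be unguessable.  The decimal-string format is kept.
        csrf_token = session['csrf'] = str(random.SystemRandom().getrandbits(128))
        session.save()

    if request.method == 'POST':
        # check to see if we want to process the post at all
        if (self.unprotected_path is not None
                and request.path_info.startswith(self.unprotected_path)):
            resp = request.get_response(self.app)
            resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
            resp.set_cookie('csrf', csrf_token, max_age=3600)
            return resp(environ, start_response)

        # check incoming token: header first, form field as fallback
        try:
            account_data = request.POST.get('account', None)
            request_csrf_token = environ.get('HTTP_X_CSRF',
                                             request.POST.get('csrftoken'))
            # NOTE(review): a POST that carries an 'account' field skips the
            # token comparison altogether.  Confirm every handler that reads
            # 'account' has its own protection; otherwise this is a bypass.
            if account_data is None and request_csrf_token != csrf_token:
                resp = HTTPForbidden(_ERROR_MSG)
                metrics.track(request, 'invalid-session')
                resp.headers['X-Error'] = 'CSRF'
            else:
                resp = request.get_response(self.app)
        except KeyError:
            # Kept as in the original: a KeyError anywhere in the block above
            # (including one raised inside the wrapped app) is reported as a
            # CSRF failure, without the metrics call.
            resp = HTTPForbidden(_ERROR_MSG)
            resp.headers['X-Error'] = 'CSRF'
    # if we're a get, we don't do any checking
    else:
        resp = request.get_response(self.app)

    if resp.status_int != 200:
        return resp(environ, start_response)

    resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
    # NOTE(review): the cookie is readable by script by design (it feeds the
    # X-CSRF header); it carries no Secure flag -- confirm against the
    # deployment if the service is HTTPS-only.
    resp.set_cookie('csrf', csrf_token, max_age=3600)

    # content_type may be None on a response without a Content-Type header
    if (resp.content_type or '').split(';')[0] in _HTML_TYPES:
        # ensure we don't add the 'id' attribute twice (HTML validity):
        # the first form gets the id, every later one an empty string
        idattributes = itertools.chain(('id="csrfmiddlewaretoken"',),
                                       itertools.repeat(''))

        def add_csrf_field(match):
            """Returns the matched <form> tag plus the added <input> element"""
            # next() builtin rather than .next(): same behaviour, also Py3
            return (match.group() + '<div style="display:none;">'
                    + '<input type="hidden" ' + next(idattributes)
                    + ' name="csrftoken" value="' + csrf_token
                    + '" /></div>')

        # Modify any POST forms and fix content-length
        resp.body = _POST_FORM_RE.sub(add_csrf_field, resp.body)

    return resp(environ, start_response)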
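def __call__(self, environ, start_response):
    """Enforce and inject the per-session CSRF token (WSGI middleware).

    Flow: look up (or mint) the session's ``'csrf'`` token; for a POST
    outside ``self.unprotected_path`` require it in the ``X-CSRF`` header
    or the ``csrftoken`` form field; on any 200 response set the ``csrf``
    cookie and, for HTML, append a hidden ``csrftoken`` input to every
    POST form matched by ``_POST_FORM_RE``.

    Args:
        environ: WSGI environ carrying a Beaker session under
            ``'beaker.session'`` (``KeyError`` if absent).
        start_response: WSGI ``start_response`` callable.

    Returns:
        The WSGI body iterable of the final response.
    """
    request = Request(environ)
    session = environ['beaker.session']
    csrf_token = session.get('csrf')
    if not csrf_token:
        # Mint the token from the OS CSPRNG (SystemRandom wraps os.urandom);
        # the module-level ``random`` generator is predictable from its own
        # earlier output.  Decimal-string format unchanged.
        csrf_token = session['csrf'] = str(random.SystemRandom().getrandbits(128))
        session.save()

    if request.method == 'POST':
        # check to see if we want to process the post at all
        if (self.unprotected_path is not None
                and request.path_info.startswith(self.unprotected_path)):
            resp = request.get_response(self.app)
            resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
            resp.set_cookie('csrf', csrf_token, max_age=3600)
            return resp(environ, start_response)

        # check incoming token
        try:
            account_data = request.POST.get('account', None)
            request_csrf_token = environ.get('HTTP_X_CSRF',
                                             request.POST.get('csrftoken'))
            # NOTE(review): presence of an 'account' form field disables the
            # token check for that request.  Verify this is intentional and
            # that the handlers concerned protect themselves.
            if account_data is None and request_csrf_token != csrf_token:
                resp = HTTPForbidden(_ERROR_MSG)
                metrics.track(request, 'invalid-session')
                resp.headers['X-Error'] = 'CSRF'
            else:
                resp = request.get_response(self.app)
        except KeyError:
            # As in the original, the try spans the wrapped-app call too, so
            # an app-side KeyError also surfaces as a CSRF 403 (no metric).
            resp = HTTPForbidden(_ERROR_MSG)
            resp.headers['X-Error'] = 'CSRF'
    # if we're a get, we don't do any checking
    else:
        resp = request.get_response(self.app)

    if resp.status_int != 200:
        return resp(environ, start_response)

    resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
    # Script-readable on purpose (feeds X-CSRF); no Secure flag is set --
    # NOTE(review): confirm whether the deployment is HTTPS-only.
    resp.set_cookie('csrf', csrf_token, max_age=3600)

    # guard: content_type may be None when no Content-Type header is set
    if (resp.content_type or '').split(';')[0] in _HTML_TYPES:
        # ensure we don't add the 'id' attribute twice (HTML validity)
        idattributes = itertools.chain(('id="csrfmiddlewaretoken"',),
                                       itertools.repeat(''))

        def add_csrf_field(match):
            """Returns the matched <form> tag plus the added <input> element"""
            # builtin next() instead of the Py2-only .next() method
            return (match.group() + '<div style="display:none;">'
                    + '<input type="hidden" ' + next(idattributes)
                    + ' name="csrftoken" value="' + csrf_token
                    + '" /></div>')

        # Modify any POST forms and fix content-length
        resp.body = _POST_FORM_RE.sub(add_csrf_field, resp.body)

    return resp(environ, start_response)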
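def __call__(self, environ, start_response):
    """WSGI entry point: check and inject the per-session CSRF token.

    The token lives in the Beaker session as ``"csrftoken"`` and is minted
    on first use.  A POST outside ``self.unprotected_path`` must carry it
    in the ``X-CSRFTOKEN`` header or the ``csrftoken`` form field.  Every
    200 response gets the ``csrftoken`` cookie; HTML responses additionally
    get a hidden ``csrftoken`` input appended to each ``<form>`` open tag.

    Args:
        environ: WSGI environ with a Beaker session under
            ``"beaker.session"`` (``KeyError`` if missing).
        start_response: WSGI ``start_response`` callable.

    Returns:
        The WSGI body iterable of the final response.
    """
    request = Request(environ)
    session = environ["beaker.session"]
    csrftoken = session.get("csrftoken")
    if not csrftoken:
        # SystemRandom is backed by os.urandom; the default generator's
        # output is reconstructible and unfit for a secret token.
        # The decimal-string format is kept.
        csrftoken = session["csrftoken"] = str(random.SystemRandom().getrandbits(128))
        session.save()

    if request.method == "POST":
        if (self.unprotected_path is not None
                and request.path_info.startswith(self.unprotected_path)):
            resp = request.get_response(self.app)
            resp.headers["X-Frame-Options"] = "SAMEORIGIN"
            resp.set_cookie("csrftoken", csrftoken, max_age=3600)
            return resp(environ, start_response)

        # check for incoming csrf token: header first, form field as fallback
        try:
            request_csrf_token = environ.get("HTTP_X_CSRFTOKEN",
                                             request.POST.get("csrftoken"))
            if request_csrf_token != csrftoken:
                resp = HTTPForbidden("CSRF - Aborted.")
            else:
                resp = request.get_response(self.app)
        except KeyError:
            # Kept as in the original: the try also spans the wrapped-app
            # call, so an app-side KeyError is answered with this 403.
            resp = HTTPForbidden("Forbidden: Administrator has been notified.")
    else:
        resp = request.get_response(self.app)

    if resp.status_int != 200:
        return resp(environ, start_response)

    resp.headers["X-Frame-Options"] = "SAMEORIGIN"
    # Script-readable by design (feeds X-CSRFTOKEN).  NOTE(review): no
    # Secure flag -- confirm against the deployment if HTTPS-only.
    resp.set_cookie("csrftoken", csrftoken, max_age=3600)

    # content_type may be None on a response without a Content-Type header
    if (resp.content_type or "").split(";")[0] in ("text/html", "application/xhtml+xml"):
        # ensure we don't add the 'id' attribute twice (HTML validity)
        id_attr = itertools.chain(('id="csrftoken"',), itertools.repeat(""))

        def add_csrf_field(match):
            """Returns the matched <form> tag and adds the <input> element"""
            # builtin next() rather than the Py2-only .next() method
            return match.group() + (
                '<input type="hidden" ' + next(id_attr)
                + ' name="csrftoken" value="' + csrftoken + '" />'
            )

        # Match only the <form ...> open tag.  The previous pattern
        # ``(<form\W.*)`` ran to end of line, so a form that opened and
        # closed on one line had the field appended after </form>, where
        # the browser would not submit it.
        form_open = re.compile(r"(<form\W[^>]*>)", re.IGNORECASE)
        # Modify any POST forms and fix content-length
        resp.body = form_open.sub(add_csrf_field, resp.body)

    return resp(environ, start_response)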
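def __call__(self, environ, start_response):
    """WSGI entry point: session-id based CSRF check and form injection.

    A POST outside ``self.unprotected_path`` must carry the current Beaker
    session id in the ``csrfmiddlewaretoken`` form field; a 200 HTML
    response gets that same value appended as a hidden input to every
    form matched by ``_POST_FORM_RE``.

    NOTE(review): the session id doubles as the CSRF token and is written
    into every rendered form, so anything able to read page content also
    learns the session id, which undoes any HttpOnly protection on the
    session cookie.  A separate random per-session token stored in the
    session is the usual remedy; the behaviour is left unchanged here
    because existing clients obtain the token from the form value.

    Args:
        environ: WSGI environ with a Beaker session under
            ``'beaker.session'`` (``KeyError`` if missing).
        start_response: WSGI ``start_response`` callable.

    Returns:
        The WSGI body iterable of the final response.
    """
    request = Request(environ)
    session = environ['beaker.session']
    # Saved on every request (GETs included) -- presumably so the session,
    # and with it the id used as the token, persists between the GET that
    # renders a form and the POST that submits it.
    session.save()

    if request.method == 'POST':
        # check to see if we want to process the post at all
        if (self.unprotected_path is not None
                and request.path_info.startswith(self.unprotected_path)):
            resp = request.get_response(self.app)
            return resp(environ, start_response)

        csrf_token = session.id
        # check incoming token; a missing field raises KeyError -> 403
        try:
            request_csrf_token = request.POST['csrfmiddlewaretoken']
            if request_csrf_token != csrf_token:
                resp = HTTPForbidden(_ERROR_MSG)
            else:
                resp = request.get_response(self.app)
        except KeyError:
            # The try also spans the wrapped-app call, so an app-side
            # KeyError is answered with this 403 as well (kept as original).
            resp = HTTPForbidden(_ERROR_MSG)
    # if we're a get, we don't do any checking
    else:
        resp = request.get_response(self.app)

    if resp.status_int != 200:
        return resp(environ, start_response)

    # Re-read the session as the original did; csrf_token is otherwise
    # unbound on the GET path.
    session = environ['beaker.session']
    csrf_token = session.id

    # content_type may be None on a response without a Content-Type header
    if (resp.content_type or '').split(';')[0] in _HTML_TYPES:
        # ensure we don't add the 'id' attribute twice (HTML validity)
        idattributes = itertools.chain(('id="csrfmiddlewaretoken"',),
                                       itertools.repeat(''))

        def add_csrf_field(match):
            """Returns the matched <form> tag plus the added <input> element"""
            # builtin next() instead of the Py2-only .next() method
            return (match.group() + '<div style="display:none;">'
                    + '<input type="hidden" ' + next(idattributes)
                    + ' name="csrfmiddlewaretoken" value="' + csrf_token
                    + '" /></div>')

        # Modify any POST forms and fix content-length
        resp.body = _POST_FORM_RE.sub(add_csrf_field, resp.body)

    return resp(environ, start_response)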