def _checkCSRF(self):
    """Reject requests that fail the CSRF checks for this request handler.

    Token check: the token is read from the ``X-CSRF-Token`` header, then
    the ``csrf_token`` form field, then any ``<prefix>-csrf_token`` form
    field (WTForms with a prefix).  On a handler with ``CSRF_ENABLED`` every
    non-GET request must carry a token equal to ``session.csrf_token``;
    otherwise ``BadRequest`` is raised.  With CSRF disabled, a non-GET
    request in debug mode emits a ``RuntimeWarning`` for handlers living in
    ``indico.modules.*`` or ``indico.core.*``.

    Legacy referer check: for POST requests when the configured CSRF level
    is at least 3, an empty referer is accepted, a referer starting with the
    configured base URL or (if set) base secure URL is accepted, and anything
    else raises ``BadRefererError``.
    """
    supplied = request.headers.get('X-CSRF-Token') or request.form.get('csrf_token')
    if supplied is None:
        # A prefixed WTForm names its field '<prefix>-csrf_token'; take the first such field.
        for field_name, field_value in request.form.iteritems():
            if field_name.endswith('-csrf_token'):
                supplied = field_value
                break

    # Only GET is exempt from the token check; HEAD/OPTIONS are checked like any other method.
    # NOTE(review): `!=` is an ordinary string comparison, not constant-time, and a missing
    # token only fails if session.csrf_token is set -- confirm the session always holds one.
    if self.CSRF_ENABLED and request.method != 'GET' and supplied != session.csrf_token:
        msg = _(u"It looks like there was a problem with your current session. Please use your browser's back "
                u"button, reload the page and try again.")
        raise BadRequest(msg)
    elif not self.CSRF_ENABLED and current_app.debug and request.method != 'GET':
        # New-style code is expected to opt in to CSRF checks; nag in debug mode when it does not.
        owner_module = self.__class__.__module__
        if owner_module.startswith('indico.modules.') or owner_module.startswith('indico.core.'):
            msg = (u'{} request sent to {} which has no CSRF checks. Set `CSRF_ENABLED = True` in the class to '
                   u'enable them.').format(request.method, self.__class__.__name__)
            warnings.warn(msg, RuntimeWarning)

    # Legacy referer-based check.  It lives here (rather than in a before-request hook)
    # so that indico's normal error handling applies to the raised exception.
    cfg = Config.getInstance()
    if cfg.getCSRFLevel() < 3 or request.method != 'POST':
        return
    referer = request.referrer
    # An empty referer is accepted so users whose browsers strip it are not locked out.
    if not referer:
        return
    # Plain-HTTP base URL.  NOTE(review): startswith() is a prefix match; whether that is
    # strict enough depends on how the configured base URL is formed (e.g. trailing slash).
    if referer.startswith(cfg.getBaseURL()):
        return
    # HTTPS base URL, only consulted when one is configured.
    secure_base = cfg.getBaseSecureURL()
    if not secure_base or not referer.startswith(secure_base):
        raise BadRefererError('This operation is not allowed from an external referer.')
def _checkCSRF(self):
    """Referer-based CSRF check for POST requests.

    Applies only when the configured CSRF level is at least 3 and the
    request method is POST.  An empty referer is accepted; a referer that
    starts with the configured base URL, or with the base secure URL when
    one is configured, is accepted.  Any other referer raises
    ``BadRefererError``.  The check is performed in the request handler so
    that indico's own error handling applies to the raised exception.
    """
    cfg = Config.getInstance()
    if cfg.getCSRFLevel() < 3 or request.method != 'POST':
        return
    referer = request.referrer
    # An empty referer is accepted so users whose browsers strip it are not locked out.
    if not referer:
        return
    # Plain-HTTP base URL.  NOTE(review): startswith() is a prefix match; whether that is
    # strict enough depends on how the configured base URL is formed (e.g. trailing slash).
    if referer.startswith(cfg.getBaseURL()):
        return
    # HTTPS base URL, only consulted when one is configured.
    secure_base = cfg.getBaseSecureURL()
    if not secure_base or not referer.startswith(secure_base):
        raise BadRefererError(
            'This operation is not allowed from an external referer.')