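 def _checkCSRF(self):
     """Run the CSRF checks for this request handler and reject failures.

     Two checks run in order:

     1. Token check, only when ``CSRF_ENABLED`` is set on the class and the
        method is not GET.  The token comes from the ``X-CSRF-Token`` header,
        the ``csrf_token`` form field or a WTForms-prefixed
        ``<prefix>-csrf_token`` field and must equal ``session.csrf_token``.
        A token missing on either side is a failure and the comparison is
        constant-time.  When ``CSRF_ENABLED`` is off and the app runs in debug
        mode, a ``RuntimeWarning`` flags RHs in ``indico.modules.*`` /
        ``indico.core.*`` that skip the check.
     2. Legacy referer check, only for POST and when the configured CSRF level
        is >= 3.  A present ``Referer`` must be the configured base URL or
        base-secure URL, or a path under it.  An absent referer is accepted so
        users who strip the header are not locked out; that also means this
        check alone does not stop a referer-less cross-site POST -- the token
        check is the real defence.

     :raises BadRequest: the token check failed.
     :raises BadRefererError: the referer check failed.
     """
     import hmac  # function-scope: the module's import block is out of view here

     def _as_bytes(value):
         # compare_digest needs both sides of the same type; normalise to bytes
         # so a str/unicode mix cannot raise TypeError.
         return value if isinstance(value, bytes) else value.encode('utf-8')

     def _tokens_match(provided, expected):
         # Constant-time compare so response timing does not reveal how many
         # leading characters of a guessed token were right.  A missing token
         # on either side is a mismatch: a plain ``provided != expected`` would
         # let ``None`` match ``None`` and wave the request through.
         if provided is None or expected is None:
             return False
         return hmac.compare_digest(_as_bytes(provided), _as_bytes(expected))

     def _referer_matches(referer, base):
         # A bare ``referer.startswith(base)`` accepts ``https://host.evil.example/``
         # and ``https://host@evil.example/`` for base ``https://host``; require the
         # base to be followed by end-of-string or a path/query/fragment delimiter.
         # An empty/unset base never matches.
         if not base:
             return False
         base = base.rstrip('/')
         return referer == base or referer.startswith((base + '/', base + '?', base + '#'))

     token = request.headers.get('X-CSRF-Token') or request.form.get('csrf_token')
     if token is None:
         # Might be a WTForm with a prefix. In that case the field name is '<prefix>-csrf_token'
         token = next((v for k, v in request.form.iteritems() if k.endswith('-csrf_token')), None)

     if self.CSRF_ENABLED and request.method != 'GET':
         if not _tokens_match(token, session.csrf_token):
             msg = _(u"It looks like there was a problem with your current session. Please use your browser's back "
                     u"button, reload the page and try again.")
             raise BadRequest(msg)
     elif not self.CSRF_ENABLED and current_app.debug and request.method != 'GET':
         # Warn if CSRF is not enabled for a RH in new code
         module = self.__class__.__module__
         if module.startswith(('indico.modules.', 'indico.core.')):
             msg = (u'{} request sent to {} which has no CSRF checks. Set `CSRF_ENABLED = True` in the class to '
                    u'enable them.').format(request.method, self.__class__.__name__)
             warnings.warn(msg, RuntimeWarning)

     # legacy csrf check (referer-based):
     # Check referer for POST requests. We do it here so we can properly use indico's error handling
     config = Config.getInstance()
     if config.getCSRFLevel() < 3 or request.method != 'POST':
         return
     referer = request.referrer
     # allow empty - otherwise we might lock out paranoid users blocking referers
     if not referer:
         return
     if _referer_matches(referer, config.getBaseURL()) or _referer_matches(referer, config.getBaseSecureURL()):
         return
     raise BadRefererError('This operation is not allowed from an external referer.')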
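 def _checkCSRF(self):
     """Legacy referer-based CSRF check for POST requests.

     Runs only when the configured CSRF level is >= 3 and the method is POST.
     A present ``Referer`` must be the configured base URL or base-secure URL,
     or a path under it; anything else raises.  An absent referer is accepted
     so users who strip the header are not locked out, which also means a
     referer-less cross-site POST is not caught here.  The check lives in the
     RH rather than in middleware so Indico's own error handling applies.

     :raises BadRefererError: the referer is present and external.
     """
     config = Config.getInstance()
     if config.getCSRFLevel() < 3 or request.method != 'POST':
         return
     referer = request.referrer
     # allow empty - otherwise we might lock out paranoid users blocking referers
     if not referer:
         return

     def _matches(base):
         # A bare ``referer.startswith(base)`` accepts ``https://host.evil.example/``
         # and ``https://host@evil.example/`` for base ``https://host``; require the
         # base to be followed by end-of-string or a path/query/fragment delimiter.
         # An empty/unset base (e.g. no secure URL configured) never matches.
         if not base:
             return False
         prefix = base.rstrip('/')
         return referer == prefix or referer.startswith((prefix + '/', prefix + '?', prefix + '#'))

     if _matches(config.getBaseURL()) or _matches(config.getBaseSecureURL()):
         return
     raise BadRefererError(
         'This operation is not allowed from an external referer.')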