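def csrf_handler(app, request, next_handler):
    """Enforce CSRF protection around ``next_handler``.

    For a request whose method is not in ``SAFE_HTTP_METHODS`` and whose
    resource is not flagged ``csrf_exempt``, the request is rejected via
    ``_forbid`` unless:

    * on ``https`` a ``Referer`` header is present and same-origin with
      ``request.url``;
    * the session holds a token under the key returned by ``get_token``;
    * the cookie of that same name unmasks to the session token;
    * the POST parameter of that name (removed from ``request.POST`` once
      checked) or, failing that, the header named by ``get_header`` unmasks
      to the session token.

    All checks go through ``constant_time_compare``.  The code relies on
    ``_forbid`` raising; if it merely returned, ``expected_token`` could be
    unbound on the later lines.  After the downstream handler runs, GET and
    HEAD responses receive a one-year cookie carrying the masked token.

    Args:
        app: application object, passed straight through to ``next_handler``.
        request: request exposing ``method``, ``scheme``, ``referer``,
            ``session``, ``cookies``, ``POST``, ``headers``,
            ``resource_config`` and the CSRF mask helpers.
        next_handler: callable ``(app, request) -> response``.

    Returns:
        The response produced by ``next_handler`` (possibly with a cookie added).
    """
    # get_token() is used as a *key* below (session / cookie / POST
    # parameter name), so name it that way; get_header() is the name of the
    # request header that may carry the token instead of a POST field.
    key = get_token(request)
    header = get_header(request)
    if request.method not in SAFE_HTTP_METHODS:
        if request.resource_config.csrf_exempt:
            log.debug('CSRF: exempt: {}'.format(request.url))
        else:
            if request.scheme == 'https':
                # Referer/origin check is only applied to https requests.
                if request.referer is None:
                    _forbid('no REFERER for secure request')
                if not _same_origin(request.url, request.referer):
                    _forbid('origins differ: got {}; expected {}'.format(
                        request.referer, request.url))
            if key in request.session:
                expected_token = request.session[key]
            else:
                _forbid('token not present in session')
            if key in request.cookies:
                cookie_token = request.unmask_csrf_token(
                    request.cookies[key])
                if not constant_time_compare(cookie_token, expected_token):
                    # Do not echo expected_token: it is the session secret
                    # and the message may reach the client or the logs.
                    _forbid('cookie token mismatch')
            else:
                _forbid('token not present in cookies')
            if key in request.POST:
                post_token = request.unmask_csrf_token(request.POST[key])
                if not constant_time_compare(post_token, expected_token):
                    _forbid('POST token mismatch')
                # Strip the token so the application never sees it as data.
                del request.POST[key]
            elif header in request.headers:
                header_token = request.unmask_csrf_token(
                    request.headers[header])
                if not constant_time_compare(header_token, expected_token):
                    _forbid('header token mismatch')
            else:
                _forbid('no token present (in POST params or headers)')
            log.debug('CSRF: token validated')
    response = next_handler(app, request)
    if request.method in ('GET', 'HEAD'):
        one_year_from_now = datetime.utcnow() + timedelta(days=365)
        masked_token = request.masked_csrf_token
        # Fix: the cookie must be stored under ``key``.  Previously the
        # masked token value was used as the cookie *name* as well, so the
        # ``key`` cookie was never written and the cookie check above could
        # not succeed on the next unsafe request.
        # NOTE(review): no secure/httponly/samesite attributes are set here;
        # check what response.set_cookie supports and tighten if possible.
        response.set_cookie(key, masked_token, expires=one_year_from_now)
        log.debug('CSRF: cookie set')
    return response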
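def csrf_handler(app, request, next_handler):
    """Enforce CSRF protection around ``next_handler``.

    For a request whose method is not in ``SAFE_HTTP_METHODS`` and whose
    resource is not flagged ``csrf_exempt``, the request is rejected via
    ``_forbid`` unless:

    * on ``https`` a ``Referer`` header is present and same-origin with
      ``request.url``;
    * ``request.session[KEY]`` holds the expected token;
    * the ``KEY`` cookie unmasks to that token;
    * the ``KEY`` POST parameter (deleted from ``request.POST`` once
      checked) or, failing that, the ``HEADER`` request header unmasks to
      that token.

    All token comparisons use ``constant_time_compare``.  The code relies on
    ``_forbid`` raising; if it merely returned, ``expected_token`` could be
    unbound on the later lines.  After the downstream handler runs, GET and
    HEAD responses receive a one-year ``KEY`` cookie carrying the masked
    token.

    The rejection messages deliberately do not include the expected token:
    it is the session secret, and ``_forbid``'s message may be surfaced to
    the client or written to logs.

    Args:
        app: application object, passed straight through to ``next_handler``.
        request: request exposing ``method``, ``scheme``, ``referer``,
            ``session``, ``cookies``, ``POST``, ``headers``,
            ``resource_config`` and the CSRF mask helpers.
        next_handler: callable ``(app, request) -> response``.

    Returns:
        The response produced by ``next_handler`` (possibly with a cookie added).
    """
    if request.method not in SAFE_HTTP_METHODS:
        if request.resource_config.csrf_exempt:
            log.debug("CSRF: exempt: {}".format(request.url))
        else:
            if request.scheme == "https":
                # Referer/origin check is only applied to https requests.
                if request.referer is None:
                    _forbid("no REFERER for secure request")
                if not _same_origin(request.url, request.referer):
                    _forbid("origins differ: got {}; expected {}".format(request.referer, request.url))
            if KEY in request.session:
                expected_token = request.session[KEY]
            else:
                _forbid("token not present in session")
            if KEY in request.cookies:
                cookie_token = request.unmask_csrf_token(request.cookies[KEY])
                if not constant_time_compare(cookie_token, expected_token):
                    # Never echo expected_token (session secret) in the message.
                    _forbid("cookie token mismatch")
            else:
                _forbid("token not present in cookies")
            if KEY in request.POST:
                post_token = request.unmask_csrf_token(request.POST[KEY])
                if not constant_time_compare(post_token, expected_token):
                    _forbid("POST token mismatch")
                # Strip the token so the application never sees it as data.
                del request.POST[KEY]
            elif HEADER in request.headers:
                header_token = request.unmask_csrf_token(request.headers[HEADER])
                if not constant_time_compare(header_token, expected_token):
                    _forbid("header token mismatch")
            else:
                _forbid("no token present (in POST params or headers)")
            log.debug("CSRF: token validated")
    response = next_handler(app, request)
    if request.method in ("GET", "HEAD"):
        one_year_from_now = datetime.utcnow() + timedelta(days=365)
        masked_token = request.masked_csrf_token
        # NOTE(review): no secure/httponly/samesite attributes are set on
        # this cookie; check what response.set_cookie supports and tighten
        # if possible.
        response.set_cookie(KEY, masked_token, expires=one_year_from_now)
        log.debug("CSRF: cookie set")
    return response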
def passwords_equal(plain_text_password, hashed_password):
    """Return True iff ``plain_text_password`` hashes to ``hashed_password``.

    The stored hash is handed to ``hash_password`` as its second argument so
    the candidate is hashed with the same parameters; the two digests are
    then compared with ``constant_time_compare`` rather than ``==`` so that
    response time does not reveal how long a matching prefix was.
    """
    # Re-hash the candidate using the stored hash as the parameter source.
    candidate_hash = hash_password(plain_text_password, hashed_password)
    # Constant-time comparison of the two digests.
    return constant_time_compare(candidate_hash, hashed_password)