def test_custom_template_does_not_exist(self):
    """A template name that does not exist must surface as TemplateDoesNotExist."""
    post_request = RequestFactory().post('/')
    with self.assertRaises(TemplateDoesNotExist):
        csrf_failure(post_request, template_name="nonexistent.html")
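def csrf_failure(request, reason="", *args, **kwargs):
    """CSRF failure view that answers JSON clients with a JSON body.

    Requests that do not send exactly ``Accept: application/json`` are
    delegated unchanged to Django's default ``csrf.csrf_failure`` view.

    :param request: the HttpRequest that failed CSRF verification
    :param reason: non-localised failure description from the middleware
    :return: ``HttpResponseForbidden`` with an ``application/json`` body, or
        whatever the default view returns for non-JSON clients
    """
    import json

    accept = request.META.get("HTTP_ACCEPT")
    if accept != "application/json":
        return csrf.csrf_failure(request, reason=reason, *args, **kwargs)

    # ``reason`` can embed request-controlled text (the bad-origin message
    # quotes the Origin header), so serialise it with json.dumps instead of
    # splicing it into a JSON literal with %-formatting, which produced
    # malformed or attacker-shaped JSON whenever the text contained quotes.
    payload = {"reason": reason} if settings.DEBUG else {}
    content = json.dumps(payload).encode()
    return HttpResponseForbidden(content, content_type="application/json")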
def csrf_failure(request, reason=''):
    """
    CSRF-failure view: turn the rejected POST into a GET, flash a
    user-friendly explanation, then re-run the originally requested view
    with its status forced to 403.

    :param request: the HttpRequest
    :param reason: non-localised failure description
    """
    if _csrf_failed_view.no_moj_csrf:
        from django.views.csrf import csrf_failure
        return csrf_failure(request, reason=reason)

    # map the middleware's technical reason onto something users can act on
    retry = _('Please try again.')
    if reason == REASON_NO_CSRF_COOKIE:
        message = retry + ' ' + _('Make sure you haven’t disabled cookies.')
    elif reason == REASON_NO_REFERER:
        message = retry + ' ' + _('Make sure you are using a modern web browser '
                                  'such as Firefox or Google Chrome.')
    else:
        message = _('Your browser failed a security check.') + ' ' + retry
    messages.error(request, message)

    # re-issue the request as a GET so the original view renders its page again
    request.method = 'GET'
    request.POST = QueryDict()

    # the page is shown, but the status must still signal the rejection
    response = _csrf_failed_view.callback(request,
                                          *_csrf_failed_view.args,
                                          **_csrf_failed_view.kwargs)
    if response.status_code == 200:
        response.status_code = 403
    return response
def test_templatetag_with_csrf_failure(self):
    """The 403 CSRF template using ``provider_login_url`` renders with status 403."""
    # Build a fictitious GET request for the template under test
    request = self.factory.get("/tests/test_403_csrf.html")
    # Invoke the failure view directly rather than going through the middleware;
    # the template itself exercises the `provider_login_url` templatetag
    response = csrf.csrf_failure(request, template_name="tests/test_403_csrf.html")
    self.assertEqual(response.status_code, 403)
def debug_csrf_failure(request, reason=""):
    """
    Raise our own CsrfFailure() so a CSRF rejection shows Django's normal debug
    page instead of a bare 403.

    Only active while settings.DEBUG is on; otherwise the stock csrf_failure
    view (HttpResponseForbidden) is used unchanged.

    See also:
    https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#rejected-requests
    More Info: See DocString above.
    """
    if settings.DEBUG:
        raise CsrfFailure("csrf failure debug: %r" % reason)
    # Production: fall back to the original HttpResponseForbidden
    return csrf_failure(request, reason)
def csrf_failure(request, reason=""):
    """
    Serve a dedicated 403 page when CSRF verification fails because of a bad
    Origin header, giving users more useful guidance on resolving the problem;
    every other failure falls through to Django's stock view rendered with the
    project's ``403_csrf.html`` template.
    """
    has_origin = "HTTP_ORIGIN" in request.META
    bad_origin = has_origin and reason == REASON_BAD_ORIGIN % request.META["HTTP_ORIGIN"]
    if not bad_origin:
        return csrf.csrf_failure(request, reason, "403_csrf.html")

    context = {
        "title": _("Forbidden"),
        "main": _("CSRF verification failed. Request aborted."),
        "reason": reason,
        "origin": request.META["HTTP_ORIGIN"],
    }
    template = loader.get_template("error/403_csrf_bad_origin.html")
    body = template.render(context)
    return HttpResponseForbidden(body, content_type="text/html")
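def wrapper(request):
    """Verify the encrypted CSRF token in ``csrfencrypt`` before calling the
    wrapped view.

    The decrypted token has the form ``<timestamp>-<secret>-<session id>``.
    The request is accepted only when the secret matches ``CSRF_SECRET_KEY``,
    the session id matches the current session and the token is at most
    ``max_age_seconds`` old; anything else, including a missing or malformed
    token, is answered by ``csrf_failure``.

    :param request: the incoming HttpRequest
    :return: the wrapped view's response, or the CSRF failure response
    """
    import hmac

    max_age_seconds = 100
    encrypted_token = request.POST.get('csrfencrypt')
    current_timestamp = time.time()
    if not encrypted_token:
        return csrf_failure(request)

    # A truncated or tampered token must be a CSRF failure, not a 500 from
    # the tuple unpack or int().
    # NOTE(review): decrypt() is opaque here; if it raises its own error type
    # on bad input, that type belongs in this except clause too — confirm.
    try:
        clear_token = decrypt(encrypted_token)
        timestamp, secret, session_id = clear_token.split('-')
        issued_at = int(timestamp)
    except ValueError:
        return csrf_failure(request)

    # The decrypted token is never echoed (it contains the shared secret), and
    # compare_digest keeps the comparison time independent of how many
    # leading characters happen to match.
    session_key = request.session.session_key
    secret_ok = hmac.compare_digest(secret.encode(), CSRF_SECRET_KEY.encode())
    session_ok = (session_key is not None
                  and hmac.compare_digest(session_id.encode(), session_key.encode()))
    # Real age check: the previous bucket test (timestamp // 100) rejected a
    # token issued just before a 100-second boundary and accepted one issued
    # right after it, so the effective window was anywhere from 0 to 100 s.
    fresh = 0 <= current_timestamp - issued_at <= max_age_seconds

    if secret_ok and session_ok and fresh:
        return func(request)
    return csrf_failure(request)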
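def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME, force_display=False):
    """CSRF failure view that shows the project's own error page.

    Outside DEBUG, or whenever ``force_display`` is set, the
    ``errors/403_csrf.html`` page is rendered; in DEBUG the request is handed
    to Django's stock ``csrf.csrf_failure`` so developers see its diagnostic
    page.

    :param request: the HttpRequest that failed CSRF verification
    :param reason: non-localised failure description from the middleware
    :param template_name: template for the stock view in the DEBUG branch
    :param force_display: show the project page even when DEBUG is on
    :return: an HttpResponse with status 403 in both branches
    """
    if not settings.DEBUG or force_display:
        # A CSRF rejection must not look like success to clients, caches or
        # monitoring: the stock view answers 403, so the custom page does too.
        return render(request, 'errors/403_csrf.html', {}, status=403)
    # Forward template_name instead of silently dropping it, so a
    # caller-supplied template is honoured as in Django's own signature.
    return csrf.csrf_failure(request, reason=reason, template_name=template_name)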