def upload_status(request): if request.method == 'GET': if request.GET['key']: csrftoken = request.META.get( "CSRF_COOKIE") if "CSRF_COOKIE" in request.META else None cache_exist = cache.get(csrftoken) request_csrftoken = request.GET['key'] match = True try: from django.middleware.csrf import _sanitize_token, _compare_salted_tokens request_csrftoken = _sanitize_token(request_csrftoken) match = _compare_salted_tokens(request_csrftoken, csrftoken) except: pass if cache_exist and match: value = cache.get(csrftoken) return HttpResponse(json.dumps(value), content_type="application/json") elif not _compare_salted_tokens(key, csrftoken): return HttpResponse(json.dumps( {'error': "csrf value not match"}), content_type="application/json") else: return HttpResponse(json.dumps( {'error': "No csrf value in cache"}), content_type="application/json") else: return HttpResponse(json.dumps( {'error': 'No parameter key in GET request'}), content_type="application/json") else: return HttpResponse(json.dumps({'error': 'No GET request'}), content_type="application/json")
def _check_csrf(self, state): # validate state parameter if state is None or \ not re.search('[a-zA-Z0-9]', state) or \ not len(state) == CSRF_TOKEN_LENGTH or \ not _compare_salted_tokens(state, get_token(self.request)): self.context['message'] = {'error': 'bad_state'}
def get(self, request, **kwargs): provider = kwargs.get('provider') if provider == 'naver': csrf_token = request.GET.get('state') code = request.GET.get('code') if not _compare_salted_tokens( csrf_token, request.COOKIES.get( 'csrftoken')): # state(csrf_token)이 잘못된 경우 messages.error(request, '잘못된 경로로 로그인하셨습니다.', extra_tags='social_error') return HttpResponseRedirect(self.failure_url) is_success, data = self.login_or_create_with_naver( csrf_token, code) if not is_success: # 로그인 or 생성 실패 if type( data ) is list: # profile.confirm 이 False 일때는 data가 리스트형태로 리턴 user = data[2] self.send_verification_email(user) messages.error(request, data[0], extra_tags='social_error') return HttpResponseRedirect(data[1]) else: messages.error(request, data, extra_tags='social_error') return HttpResponseRedirect( data if is_success else self.failure_url) else: return HttpResponseRedirect(self.failure_url)
def check_csrf_token(request, *args, **kwargs): csrf_token = _sanitize_token(request.GET.get(token_key, '')) match = _compare_salted_tokens( csrf_token, request.COOKIES.get(settings.CSRF_COOKIE_NAME, '')) if not match: raise PermissionDenied else: return view_func(request, *args, **kwargs)
def check_csrf_token(request, *args, **kwargs): csrf_token = _sanitize_token(request.GET.get(token_key, "")) match = _compare_salted_tokens( csrf_token, request.COOKIES.get(settings.CSRF_COOKIE_NAME, "")) if not match and getattr(settings, "CSRF_VERIFY_TOKEN", True): raise PermissionDenied else: return view_func(request, *args, **kwargs)
def get(self, request): code = request.GET.get('code') state = request.GET.get('state', None) csrf_token = request.META.get("CSRF_COOKIE", None) if not code: raise Http404 # if csrf_token doesn't match, raise 403 if not _compare_salted_tokens(state, csrf_token): raise Http403 # fetch access token r = requests.post(STRIPE_TOKEN_URL, data = {'client_secret': settings.STRIPE_SECRET_KEY, 'grant_type': 'authorization_code', 'code': code, 'scope': 'read_only'}) response_json = r.json() if r.ok: stripe_user_id = response_json['stripe_user_id'] # livemode = response_json['livemode'] sa, created = StripeAccount.objects.get_or_create(stripe_user_id=stripe_user_id) # if livemode: # sa.livemode_access_token = response_json['access_token'] # sa.livemode_stripe_publishable_key = response_json['stripe_publishable_key'] # else: # sa.testmode_access_token = response_json['access_token'] # sa.testmode_stripe_publishable_key = response_json['stripe_publishable_key'] sa.scope = response_json['scope'] # sa.token_type = response_json['token_type'] # sa.refresh_token = response_json['refresh_token'] if not sa.creator: sa.creator = request.user sa.creator_username = request.user.username sa.owner = request.user sa.owner_username = request.user.username sa.status_detail='active' sa.save() # retrieve account info stripe.api_key = settings.STRIPE_SECRET_KEY stripe.api_version = settings.STRIPE_API_VERSION stripe_set_app_info(stripe) account = stripe.Account.retrieve(stripe_user_id) sa.account_name = account.get('display_name', '') sa.email = account.get('email', '') sa.default_currency = account.get('default_currency', '') sa.country = account.get('country', '') sa.save() msg_string = _('Success!') else: sa = None msg_string = '{0} - {1}'.format(response_json['error'], response_json['error_description']) return render(request, self.template_name, {'sa': sa, 'msg_string': msg_string})
def _check_csrf(self, state): # CSRF validation does not work with http if config.DEBUG and self.request.scheme == "http": return # validate state parameter if (state is None or not re.search("[a-zA-Z0-9]", state) or not len(state) == CSRF_TOKEN_LENGTH or not _compare_salted_tokens(state, get_token(self.request))): self.context["message"] = {"error": "bad_state"}
def clean_csrf_token(cls, csrf_token, payload): is_valid = _compare_salted_tokens(csrf_token, payload["csrfToken"]) if not is_valid: raise ValidationError({ "csrfToken": ValidationError( "Invalid csrf token", code=AccountErrorCode.JWT_INVALID_CSRF_TOKEN.value, ) })
def test_login_example(self): """ Example of successful login as user would do for real, starting at base url and getting all other urls and info from there. """ # Create test user and get username & password for use below user = self.new_user() username = password = user.getOmeName().val # Django client, not logged in yet django_client = Client() # Start at the /api/ url to list versions... request_url = reverse('api_versions') rsp = get_json(django_client, request_url) # Pick the last version version = rsp['data'][-1] base_url = version['url:base'] # Base url will give a bunch of other urls base_rsp = get_json(django_client, base_url) login_url = base_rsp['url:login'] servers_url = base_rsp['url:servers'] login_url = base_rsp['url:login'] token_url = base_rsp['url:token'] # See what servers we can log in to servers_rsp = get_json(django_client, servers_url) server_id = servers_rsp['data'][0]['id'] # Need a CSRF token token_rsp = get_json(django_client, token_url) token = token_rsp['data'] # Can also get this from our session cookies csrf_token = django_client.cookies['csrftoken'].value assert csrf._compare_salted_tokens(token, csrf_token) is True # Now we have all info we need for login. # Set the header, so we don't need to do this for every POST/PUT/DELETE # OR we could add it to each POST as 'csrfmiddlewaretoken' django_client = Client(HTTP_X_CSRFTOKEN=token) data = { 'username': username, 'password': password, 'server': server_id, # 'csrfmiddlewaretoken': token, } login_rsp = django_client.post(login_url, data) login_json = json.loads(login_rsp.content) assert login_json['success'] event_context = login_json['eventContext'] # eventContext gives a bunch of info member_of_groups = event_context['memberOfGroups'] current_group = event_context['groupId'] user_id = event_context['userId'] assert len(member_of_groups) == 2 # includes 'user' group assert current_group in member_of_groups assert user_id > 0
def authenticate_client(self, msg: Dict[str, Any]) -> None: if self.authenticated: self.session.send_message({'req_id': msg['req_id'], 'type': 'response', 'response': {'result': 'error', 'msg': 'Already authenticated'}}) return user_profile = get_user_profile(self.browser_session_id) if user_profile is None: raise JsonableError(_('Unknown or missing session')) self.session.user_profile = user_profile if 'csrf_token' not in msg['request']: # Debugging code to help with understanding #6961 logging.error("Invalid websockets auth request: %s" % (msg['request'],)) raise JsonableError(_('CSRF token entry missing from request')) if not _compare_salted_tokens(msg['request']['csrf_token'], self.csrf_token): raise JsonableError(_('CSRF token does not match that in cookie')) if 'queue_id' not in msg['request']: raise JsonableError(_("Missing 'queue_id' argument")) queue_id = msg['request']['queue_id'] client = get_client_descriptor(queue_id) if client is None: raise BadEventQueueIdError(queue_id) if user_profile.id != client.user_profile_id: raise JsonableError(_("You are not the owner of the queue with id '%s'") % (queue_id,)) self.authenticated = True register_connection(queue_id, self) response = {'req_id': msg['req_id'], 'type': 'response', 'response': {'result': 'success', 'msg': ''}} status_inquiries = msg['request'].get('status_inquiries') if status_inquiries is not None: results = {} # type: Dict[str, Dict[str, str]] for inquiry in status_inquiries: status = redis_client.hgetall(req_redis_key(inquiry)) # type: Dict[bytes, bytes] if len(status) == 0: result = {'status': 'not_received'} elif b'response' not in status: result = {'status': status[b'status'].decode('utf-8')} else: result = {'status': status[b'status'].decode('utf-8'), 'response': ujson.loads(status[b'response'])} results[str(inquiry)] = result response['response']['status_inquiries'] = results self.session.send_message(response) ioloop = tornado.ioloop.IOLoop.instance() ioloop.remove_timeout(self.timeout_handle)
def authenticate_client(self, msg: Dict[str, Any]) -> None: if self.authenticated: self.session.send_message({'req_id': msg['req_id'], 'type': 'response', 'response': {'result': 'error', 'msg': 'Already authenticated'}}) return user_profile = get_user_profile(self.browser_session_id) if user_profile is None: raise JsonableError(_('Unknown or missing session')) self.session.user_profile = user_profile if 'csrf_token' not in msg['request']: # Debugging code to help with understanding #6961 logging.error("CSRF token missing from websockets auth request: %s" % (msg['request'],)) raise JsonableError(_('CSRF token entry missing from request')) if not _compare_salted_tokens(msg['request']['csrf_token'], self.csrf_token): raise JsonableError(_('CSRF token does not match that in cookie')) if 'queue_id' not in msg['request']: raise JsonableError(_("Missing 'queue_id' argument")) queue_id = msg['request']['queue_id'] client = get_client_descriptor(queue_id) if client is None: raise BadEventQueueIdError(queue_id) if user_profile.id != client.user_profile_id: raise JsonableError(_("You are not the owner of the queue with id '%s'") % (queue_id,)) self.authenticated = True register_connection(queue_id, self) response = {'req_id': msg['req_id'], 'type': 'response', 'response': {'result': 'success', 'msg': ''}} status_inquiries = msg['request'].get('status_inquiries') if status_inquiries is not None: results = {} # type: Dict[str, Dict[str, str]] for inquiry in status_inquiries: status = redis_client.hgetall(req_redis_key(inquiry)) # type: Dict[bytes, bytes] if len(status) == 0: result = {'status': 'not_received'} elif b'response' not in status: result = {'status': status[b'status'].decode('utf-8')} else: result = {'status': status[b'status'].decode('utf-8'), 'response': ujson.loads(status[b'response'])} results[str(inquiry)] = result response['response']['status_inquiries'] = results self.session.send_message(response) ioloop = tornado.ioloop.IOLoop.instance() ioloop.remove_timeout(self.timeout_handle)
def process_view(self, request, callback, callback_args, callback_kwargs): referer = request.META.get('HTTP_REFERER') csrf_token = request.META.get('CSRF_COOKIE') if csrf_token is None: return self._reject(request, REASON_NO_CSRF_COOKIE) request_csrf_token = request.GET.get('state', '') request_csrf_token = _sanitize_token(request_csrf_token) if not _compare_salted_tokens(request_csrf_token, csrf_token): return self._reject(request, REASON_BAD_TOKEN) return self._accept(request)
def token(request): request_csrf_token = "" if request.method == "POST": try: request_csrf_token = request.POST.get('csrfmiddlewaretoken', '') except IOError: return HttpResponse('e') if request_csrf_token == "": request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '') request_csrf_token = _sanitize_token(request_csrf_token) if not _compare_salted_tokens(request_csrf_token, csrf_token): return HttpResponse(request, REASON_BAD_TOKEN)
def get(self, request, *args, **kwargs): provider = kwargs.get('provider') if provider == 'naver': # 프로바이더가 naver 일 경우 csrf_token = request.GET.get('state') code = request.GET.get('code') if not _compare_salted_tokens(csrf_token, request.COOKIES.get('csrftoken')): # state(csrf_token)이 잘못된 경우 messages.error(request, '잘못된 경로로 로그인하셨습니다.', extra_tags='danger') return HttpResponseRedirect(self.failure_url) is_success, error = self.login_with_naver(csrf_token, code) if not is_success: # 로그인 실패할 경우 messages.error(request, error, extra_tags='danger') return HttpResponseRedirect(self.success_url if is_success else self.failure_url) return HttpResponseRedirect(self.failure_url)
def authenticate_client(self, msg): # type: (Dict[str, Any]) -> None if self.authenticated: self.session.send_message({'req_id': msg['req_id'], 'type': 'response', 'response': {'result': 'error', 'msg': 'Already authenticated'}}) return user_profile = get_user_profile(self.browser_session_id) if user_profile is None: raise SocketAuthError('Unknown or missing session') self.session.user_profile = user_profile if not _compare_salted_tokens(msg['request']['csrf_token'], self.csrf_token): raise SocketAuthError('CSRF token does not match that in cookie') if 'queue_id' not in msg['request']: raise SocketAuthError("Missing 'queue_id' argument") queue_id = msg['request']['queue_id'] client = get_client_descriptor(queue_id) if client is None: raise SocketAuthError('Bad event queue id: %s' % (queue_id,)) if user_profile.id != client.user_profile_id: raise SocketAuthError("You are not the owner of the queue with id '%s'" % (queue_id,)) self.authenticated = True register_connection(queue_id, self) response = {'req_id': msg['req_id'], 'type': 'response', 'response': {'result': 'success', 'msg': ''}} status_inquiries = msg['request'].get('status_inquiries') if status_inquiries is not None: results = {} for inquiry in status_inquiries: status = redis_client.hgetall(req_redis_key(inquiry)) if len(status) == 0: status['status'] = 'not_received' if 'response' in status: status['response'] = ujson.loads(status['response']) results[str(inquiry)] = status response['response']['status_inquiries'] = results self.session.send_message(response) ioloop = tornado.ioloop.IOLoop.instance() ioloop.remove_timeout(self.timeout_handle)
def process_view(self, request, callback, callback_args, callback_kwargs): if getattr(request, 'csrf_processing_done', False): return None # Wait until request.META["CSRF_COOKIE"] has been manipulated before # bailing out, so that get_token still works if getattr(callback, 'csrf_exempt', False): return None # Assume that anything not defined as 'safe' by RFC7231 needs protection if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'): if getattr(request, '_dont_enforce_csrf_checks', False): # Mechanism to turn off CSRF checks for test suite. # It comes after the creation of CSRF cookies, so that # everything else continues to work exactly the same # (e.g. cookies are sent, etc.), but before any # branches that call reject(). return self._accept(request) if request.is_secure(): # Suppose user visits http://example.com/ # An active network attacker (man-in-the-middle, MITM) sends a # POST form that targets https://example.com/detonate-bomb/ and # submits it via JavaScript. # # The attacker will need to provide a CSRF cookie and token, but # that's no problem for a MITM and the session-independent # secret we're using. So the MITM can circumvent the CSRF # protection. This is true for any HTTP connection, but anyone # using HTTPS expects better! For this reason, for # https://example.com/ we need additional protection that treats # http://example.com/ as completely untrusted. Under HTTPS, # Barth et al. found that the Referer header is missing for # same-domain requests in only about 0.2% of cases or less, so # we can use strict Referer checking. referer = request.META.get('HTTP_REFERER') # -- Change from original here -- # # Only checks referer if it is present. # It's not a failure condition if the referer is not present. # Our site is HTTPS-only which does not need to rely on # referer checking. Above example does not apply. if referer is not None: referer = urlparse(referer) # Make sure we have a valid URL for Referer. if '' in (referer.scheme, referer.netloc): return self._reject(request, REASON_MALFORMED_REFERER) # Ensure that our Referer is also secure. if referer.scheme != 'https': return self._reject(request, REASON_INSECURE_REFERER) # If there isn't a CSRF_COOKIE_DOMAIN, require an exact match # match on host:port. If not, obey the cookie rules (or those # for the session cookie, if CSRF_USE_SESSIONS). good_referer = ( settings.SESSION_COOKIE_DOMAIN if settings.CSRF_USE_SESSIONS else settings.CSRF_COOKIE_DOMAIN ) if good_referer is not None: server_port = request.get_port() if server_port not in ('443', '80'): good_referer = '%s:%s' % (good_referer, server_port) else: try: # request.get_host() includes the port. good_referer = request.get_host() except DisallowedHost: pass # Create a list of all acceptable HTTP referers, including the # current host if it's permitted by ALLOWED_HOSTS. good_hosts = list(settings.CSRF_TRUSTED_ORIGINS) if good_referer is not None: good_hosts.append(good_referer) if not any(is_same_domain(referer.netloc, host) for host in good_hosts): reason = REASON_BAD_REFERER % referer.geturl() return self._reject(request, reason) csrf_token = request.META.get('CSRF_COOKIE') if csrf_token is None: # No CSRF cookie. For POST requests, we insist on a CSRF cookie, # and in this way we can avoid all CSRF attacks, including login # CSRF. return self._reject(request, REASON_NO_CSRF_COOKIE) # Check non-cookie token for match. request_csrf_token = "" if request.method == "POST": try: request_csrf_token = request.POST.get('csrfmiddlewaretoken', '') except IOError: # Handle a broken connection before we've completed reading # the POST data. process_view shouldn't raise any # exceptions, so we'll ignore and serve the user a 403 # (assuming they're still listening, which they probably # aren't because of the error). pass if request_csrf_token == "": # Fall back to X-CSRFToken, to make things easier for AJAX, # and possible for PUT/DELETE. request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '') request_csrf_token = _sanitize_token(request_csrf_token) if not _compare_salted_tokens(request_csrf_token, csrf_token): return self._reject(request, REASON_BAD_TOKEN) return self._accept(request)
def process_view(self, request, callback, callback_args, callback_kwargs): if getattr(request, 'csrf_processing_done', False): return None try: cookie_token = request.COOKIES[settings.CSRF_COOKIE_NAME] except KeyError: csrf_token = None else: csrf_token = _sanitize_token(cookie_token) if csrf_token != cookie_token: # Cookie token needed to be replaced; # the cookie needs to be reset. request.csrf_cookie_needs_reset = True # Use same token next time. request.META['CSRF_COOKIE'] = csrf_token # Wait until request.META["CSRF_COOKIE"] has been manipulated before # bailing out, so that get_token still works if getattr(callback, 'csrf_exempt', False): return None # Assume that anything not defined as 'safe' by RFC7231 needs protection if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'): if getattr(request, '_dont_enforce_csrf_checks', False): # Mechanism to turn off CSRF checks for test suite. # It comes after the creation of CSRF cookies, so that # everything else continues to work exactly the same # (e.g. cookies are sent, etc.), but before any # branches that call reject(). return self._accept(request) if request.is_secure(): # Suppose user visits http://example.com/ # An active network attacker (man-in-the-middle, MITM) sends a # POST form that targets https://example.com/detonate-bomb/ and # submits it via JavaScript. # # The attacker will need to provide a CSRF cookie and token, but # that's no problem for a MITM and the session-independent # secret we're using. So the MITM can circumvent the CSRF # protection. This is true for any HTTP connection, but anyone # using HTTPS expects better! For this reason, for # https://example.com/ we need additional protection that treats # http://example.com/ as completely untrusted. Under HTTPS, # Barth et al. found that the Referer header is missing for # same-domain requests in only about 0.2% of cases or less, so # we can use strict Referer checking. referer = force_text(request.META.get('HTTP_REFERER'), strings_only=True, errors='replace') if referer is not None: referer = urlparse(referer) # Make sure we have a valid URL for Referer. if '' in (referer.scheme, referer.netloc): return self._reject(request, REASON_MALFORMED_REFERER) # Ensure that our Referer is also secure. if referer.scheme != 'https': return self._reject(request, REASON_INSECURE_REFERER) # If there isn't a CSRF_COOKIE_DOMAIN, assume we need an exact # match on host:port. If not, obey the cookie rules. if settings.CSRF_COOKIE_DOMAIN is None: # request.get_host() includes the port. good_referer = request.get_host() else: good_referer = settings.CSRF_COOKIE_DOMAIN server_port = request.get_port() if server_port not in ('443', '80'): good_referer = '%s:%s' % (good_referer, server_port) # Here we generate a list of all acceptable HTTP referers, # including the current host since that has been validated # upstream. good_hosts = list(settings.CSRF_TRUSTED_ORIGINS) good_hosts.append(good_referer) if not any( is_same_domain(referer.netloc, host) for host in good_hosts): reason = REASON_BAD_REFERER % referer.geturl() return self._reject(request, reason) if csrf_token is None: # No CSRF cookie. For POST requests, we insist on a CSRF cookie, # and in this way we can avoid all CSRF attacks, including login # CSRF. return self._reject(request, REASON_NO_CSRF_COOKIE) # Check non-cookie token for match. request_csrf_token = "" if request.method == "POST": try: request_csrf_token = request.POST.get( 'csrfmiddlewaretoken', '') except IOError: # Handle a broken connection before we've completed reading # the POST data. process_view shouldn't raise any # exceptions, so we'll ignore and serve the user a 403 # (assuming they're still listening, which they probably # aren't because of the error). pass if request_csrf_token == "": # Fall back to X-CSRFToken, to make things easier for AJAX, # and possible for PUT/DELETE. request_csrf_token = request.META.get( settings.CSRF_HEADER_NAME, '') request_csrf_token = _sanitize_token(request_csrf_token) if not _compare_salted_tokens(request_csrf_token, csrf_token): return self._reject(request, REASON_BAD_TOKEN) return self._accept(request)
def process_view(self, request, callback, callback_args, callback_kwargs): if getattr(request, "csrf_processing_done", False): return None try: cookie_token = request.COOKIES[settings.CSRF_COOKIE_NAME] except KeyError: csrf_token = None else: csrf_token = _sanitize_token(cookie_token) if csrf_token != cookie_token: # Cookie token needed to be replaced; # the cookie needs to be reset. request.csrf_cookie_needs_reset = True # Use same token next time. request.META["CSRF_COOKIE"] = csrf_token # Wait until request.META["CSRF_COOKIE"] has been manipulated before # bailing out, so that get_token still works if getattr(callback, "csrf_exempt", False): return None # Assume that anything not defined as 'safe' by RFC7231 needs protection if request.method not in ("GET", "HEAD", "OPTIONS", "TRACE"): if getattr(request, "_dont_enforce_csrf_checks", False): # Mechanism to turn off CSRF checks for test suite. # It comes after the creation of CSRF cookies, so that # everything else continues to work exactly the same # (e.g. cookies are sent, etc.), but before any # branches that call reject(). return self._accept(request) if request.is_secure(): # Suppose user visits http://example.com/ # An active network attacker (man-in-the-middle, MITM) sends a # POST form that targets https://example.com/detonate-bomb/ and # submits it via JavaScript. # # The attacker will need to provide a CSRF cookie and token, but # that's no problem for a MITM and the session-independent # secret we're using. So the MITM can circumvent the CSRF # protection. This is true for any HTTP connection, but anyone # using HTTPS expects better! For this reason, for # https://example.com/ we need additional protection that treats # http://example.com/ as completely untrusted. Under HTTPS, # Barth et al. found that the Referer header is missing for # same-domain requests in only about 0.2% of cases or less, so # we can use strict Referer checking. referer = force_text(request.META.get("HTTP_REFERER"), strings_only=True, errors="replace") if referer is not None: referer = urlparse(referer) # Make sure we have a valid URL for Referer. if "" in (referer.scheme, referer.netloc): return self._reject(request, REASON_MALFORMED_REFERER) # Ensure that our Referer is also secure. if referer.scheme != "https": return self._reject(request, REASON_INSECURE_REFERER) # If there isn't a CSRF_COOKIE_DOMAIN, assume we need an exact # match on host:port. If not, obey the cookie rules. if settings.CSRF_COOKIE_DOMAIN is None: # request.get_host() includes the port. good_referer = request.get_host() else: good_referer = settings.CSRF_COOKIE_DOMAIN server_port = request.get_port() if server_port not in ("443", "80"): good_referer = "%s:%s" % (good_referer, server_port) # Here we generate a list of all acceptable HTTP referers, # including the current host since that has been validated # upstream. good_hosts = list(settings.CSRF_TRUSTED_ORIGINS) good_hosts.append(good_referer) if not any(is_same_domain(referer.netloc, host) for host in good_hosts): reason = REASON_BAD_REFERER % referer.geturl() return self._reject(request, reason) if csrf_token is None: # No CSRF cookie. For POST requests, we insist on a CSRF cookie, # and in this way we can avoid all CSRF attacks, including login # CSRF. return self._reject(request, REASON_NO_CSRF_COOKIE) # Check non-cookie token for match. request_csrf_token = "" if request.method == "POST": try: request_csrf_token = request.POST.get("csrfmiddlewaretoken", "") except IOError: # Handle a broken connection before we've completed reading # the POST data. process_view shouldn't raise any # exceptions, so we'll ignore and serve the user a 403 # (assuming they're still listening, which they probably # aren't because of the error). pass if request_csrf_token == "": # Fall back to X-CSRFToken, to make things easier for AJAX, # and possible for PUT/DELETE. request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, "") request_csrf_token = _sanitize_token(request_csrf_token) if not _compare_salted_tokens(request_csrf_token, csrf_token): return self._reject(request, REASON_BAD_TOKEN) return self._accept(request)