def process_request(self, request):
        """
        Add a CSRF token to the session for logged-in users.

        The token is available at request.csrf_token.
        """
        if hasattr(request, 'csrf_token'):
            return
        if request.user.is_authenticated() and request.staff.is_authenticated():
            if 'csrf_token' not in request.session:
                token = django_csrf._get_new_csrf_key()
                request.csrf_token = request.session['csrf_token'] = token
            else:
                request.csrf_token = request.session['csrf_token']
        else:
            key = None
            token = ''
            if ANON_COOKIE in request.COOKIES:
                key = request.COOKIES[ANON_COOKIE]
                token = cache.get(PREFIX + key, '')
            if ANON_ALWAYS:
                if not key:
                    key = django_csrf._get_new_csrf_key()
                if not token:
                    token = django_csrf._get_new_csrf_key()
                request._anon_csrf_key = key
                cache.set(PREFIX + key, token, ANON_TIMEOUT)
            request.csrf_token = token
示例#2
0
    def process_request(self, request):
        """
        Add a CSRF token to the session for logged-in users.

        The token is available at request.csrf_token.
        """
        if hasattr(request, 'csrf_token'):
            return
        if request.user.is_authenticated():
            if self._has_valid_csrf(request):
                request.csrf_token = request.session['csrf_token']
            else:
                token = Token.objects.create(owner=request.user).value
                request.csrf_token = request.session['csrf_token'] = token
        else:
            key = None
            token = ''
            if conf.ANON_COOKIE in request.COOKIES:
                key = request.COOKIES[conf.ANON_COOKIE]
                token = cache.get(prep_key(key), '')
            if conf.ANON_ALWAYS:
                if not key:
                    key = django_csrf._get_new_csrf_key()
                if not token:
                    token = django_csrf._get_new_csrf_key()
                request._anon_csrf_key = key
                cache.set(prep_key(key), token, conf.ANON_TIMEOUT)
            request.csrf_token = token
示例#3
0
    def process_request(self, request):
        """
        Add a CSRF token to the session for logged-in users.

        The token is available at request.csrf_token.
        """
        if hasattr(request, 'csrf_token'):
            return
        if request.user.is_authenticated():
            if self._has_valid_csrf(request):
                request.csrf_token = request.session['csrf_token']
            else:
                token = Token.objects.create(owner=request.user).value
                request.csrf_token = request.session['csrf_token'] = token
        else:
            key = None
            token = ''
            if conf.ANON_COOKIE in request.COOKIES:
                key = request.COOKIES[conf.ANON_COOKIE]
                token = cache.get(prep_key(key), '')
            if conf.ANON_ALWAYS:
                if not key:
                    key = django_csrf._get_new_csrf_key()
                if not token:
                    token = django_csrf._get_new_csrf_key()
                request._anon_csrf_key = key
                cache.set(prep_key(key), token, conf.ANON_TIMEOUT)
            request.csrf_token = token
示例#4
0
    def process_request(self, request):
        """
        Add a CSRF token to the session for logged-in users.

        The token is available at request.csrf_token.
        """
        if hasattr(request, 'csrf_token'):
            return
        if request.user.is_authenticated():
            if 'csrf_token' not in request.session:
                token = django_csrf._get_new_csrf_key()
                request.csrf_token = request.session['csrf_token'] = token
            else:
                request.csrf_token = request.session['csrf_token']
        else:
            key = None
            token = ''
            if ANON_COOKIE in request.COOKIES:
                key = request.COOKIES[ANON_COOKIE]
                token = cache.get(PREFIX + key, '')
            if ANON_ALWAYS:
                if not key:
                    key = django_csrf._get_new_csrf_key()
                if not token:
                    token = django_csrf._get_new_csrf_key()
                request._anon_csrf_key = key
                cache.set(PREFIX + key, token, ANON_TIMEOUT)
            request.csrf_token = token
示例#5
0
    def post(self, request, _backend):  # pylint: disable=arguments-differ
        """
        Handle POST requests to get a first-party access token.
        """
        data = request.POST.copy()
        # log.info('=== AccessTokenExchangeBase ===')
        # log.info(data)
        log.error("=== AccessTokenExchangeBase ===")
        if data.get('is_linkedin_mobile', False):
            data['csrfmiddlewaretoken'] = _get_new_csrf_key()
        log.error(data)
        form = AccessTokenExchangeForm(request=request,
                                       oauth2_adapter=self.oauth2_adapter,
                                       data=data)  # pylint: disable=no-member
        if not form.is_valid():
            # log.info("=== form is not valid ===")
            log.error("form is not valid")
            log.error(form.errors)
            return self.error_response(form.errors)  # pylint: disable=no-member

        user = form.cleaned_data["user"]
        scope = form.cleaned_data["scope"]
        client = form.cleaned_data["client"]

        return self.exchange_access_token(request, user, scope, client)
示例#6
0
 def test_disable_csrf(self):
     form = TestForm()
     helper = FormHelper()
     helper.disable_csrf = True
     html = render_crispy_form(form, helper,
                               {'csrf_token': _get_new_csrf_key()})
     self.assertFalse('csrf' in html)
示例#7
0
    def render(self, request):
        """Function that renders the form"""

        campaign_slug = self.options.get("campaign")
        if campaign_slug:

            from samklang_payment.models import DonationCampaign
            campaign = DonationCampaign.objects.get(slug=campaign_slug, payment_site=request.site.paymentsite)
            if campaign:
                suggestions = "-".join([str(s.amount) for s in campaign.donationsuggestion_set.all()])
                default_amount = campaign.default_amount
            else:
                suggestions = ""
                default_amount = ""

            from django.middleware.csrf import _get_new_csrf_key
            from samklang_payment.forms import DonationForm
            form = DonationForm(initial={'amount': default_amount, 'suggestions': suggestions})

            if not request.COOKIES:
                return _('<div class="error-message">You or your browser blocks our cookies. We need to use cookies to prevent cross site scripting attacks. The form will appear when cookies are allowed for this domain (%(site_domain)s). You will also need to allow cookies for the payment site (%(payment_site_domain)s).</div>') % {'site_domain': request.site.domain, 'payment_site_domain': NETS_PRODUCTION_HOST}

            if not request.COOKIES.get('csrftoken', None):
                request.META["CSRF_COOKIE"] = _get_new_csrf_key()

            return render_to_string('samklang_payment/donation_form_only.html', {
                'form': form,
                'form_action': reverse('payment-donation-create', args=[campaign_slug]),
                }, context_instance=RequestContext(request))
        else:
            return ""
示例#8
0
def invite(request, secret):
    invite = get_object_or_404(Invite, secret=secret)
    if request.method == 'POST':
        registration_form = UserCreationForm(request.POST)
        if invite.used_by == None and registration_form.is_valid():
            user = registration_form.save()
            user.backend = 'django.contrib.auth.backends.ModelBackend'  #TODO figure out what is the right thing to do here
            auth.login(request, user)
            invite.used_by = user
            invite.save()
            response = HttpResponseRedirect(
                reverse('banana.views.user',
                        kwargs={'username': user.username}))
            # This is nasty but necessary because otherwise the session has no csrf cookie and thus cannot POST, which makes for a really bad user experience.
            if not "CSRF_COOKIE" in request.META:
                request.META["CSRF_COOKIE"] = _get_new_csrf_key()
                print 'Set new csrf cookie', request.META['CSRF_COOKIE']
                response.set_cookie(settings.CSRF_COOKIE_NAME,
                                    request.META["CSRF_COOKIE"],
                                    max_age=60 * 60 * 24 * 7 * 52,
                                    domain=settings.CSRF_COOKIE_DOMAIN,
                                    path=settings.CSRF_COOKIE_PATH,
                                    secure=settings.CSRF_COOKIE_SECURE)
            return response
    else:
        registration_form = UserCreationForm()
    return render_to_response('person/invite.html', {
        'registration_form': registration_form,
        'invite': invite
    },
                              context_instance=RequestContext(request))
示例#9
0
def test_disable_csrf():
    form = SampleForm()
    helper = FormHelper()
    helper.disable_csrf = True
    html = render_crispy_form(form, helper,
                              {'csrf_token': _get_new_csrf_key()})
    assert 'csrf' not in html
示例#10
0
def get_or_create_csrf_token(request):
    token = request.META.get('CSRF_COOKIE', None)
    if token is None:
        token = csrf._get_new_csrf_key()
        request.META['CSRF_COOKIE'] = token
    request.META['CSRF_COOKIE_USED'] = True
    return token
示例#11
0
def invite(request, secret):
    invite = get_object_or_404(Invite, secret=secret)
    if request.method == "POST":
        registration_form = UserCreationForm(request.POST)
        if invite.used_by == None and registration_form.is_valid():
            user = registration_form.save()
            user.backend = (
                "django.contrib.auth.backends.ModelBackend"
            )  # TODO figure out what is the right thing to do here
            auth.login(request, user)
            invite.used_by = user
            invite.save()
            response = HttpResponseRedirect(reverse("banana.views.user", kwargs={"username": user.username}))
            # This is nasty but necessary because otherwise the session has no csrf cookie and thus cannot POST, which makes for a really bad user experience.
            if not "CSRF_COOKIE" in request.META:
                request.META["CSRF_COOKIE"] = _get_new_csrf_key()
                print "Set new csrf cookie", request.META["CSRF_COOKIE"]
                response.set_cookie(
                    settings.CSRF_COOKIE_NAME,
                    request.META["CSRF_COOKIE"],
                    max_age=60 * 60 * 24 * 7 * 52,
                    domain=settings.CSRF_COOKIE_DOMAIN,
                    path=settings.CSRF_COOKIE_PATH,
                    secure=settings.CSRF_COOKIE_SECURE,
                )
            return response
    else:
        registration_form = UserCreationForm()
    return render_to_response(
        "person/invite.html",
        {"registration_form": registration_form, "invite": invite},
        context_instance=RequestContext(request),
    )
示例#12
0
def get_or_create_csrf_token(request):
	token = request.META.get('CSRF_COOKIE', None)
	if token is None:
		token = csrf._get_new_csrf_key()
		request.META['CSRF_COOKIE'] = token
	request.META['CSRF_COOKIE_USED'] = True
	return token
示例#13
0
    def test_enforce_csrf_works_with_token_in_cookie(self):
        '''
        I can't figure out how to set up a request with a proper CSRF token.
        I think I need the same token in the posted data AND in either a request
        header or in the cookies.

        In this test I am trying to set it in the cookie for the authorized session.
        I do see it in client.cookies - but I am NOT seeing authenication info
        in the cookie, which makes me doubt the validity of the code. And it doesn't work.
        '''
        # first set up some model instances we need
        user = User.objects.create_user(username='******', password='******')
        for name in ['blue', 'green', 'yellow', 'orange', 'red']:
            self.create_color(name)

        client = Client(enforce_csrf_checks=True)
        print('before login')
        print(self.client.cookies)
        client.login(username=user.username, password='******')

        print('after login')
        print(self.client.cookies)

        token = csrf._get_new_csrf_key()
        self.client.cookies['csrftoken'] = token
        print('after setting token')
        print(self.client.cookies)

        response = client.post('/', {'username': user.username, 'choice': 2, 'csrfmiddlewaretoken': token})
        self.assertEqual(response.status_code, 200)
示例#14
0
    def test_uni_form_formset_with_helper_without_layout(self):
        template = get_template_from_string(u"""
            {% load uni_form_tags %}
            {% uni_form testFormSet formset_helper %}
        """)

        form_helper = FormHelper()
        form_helper.form_id = 'thisFormsetRocks'
        form_helper.form_class = 'formsets-that-rock'
        form_helper.form_method = 'POST'
        form_helper.form_action = 'simpleAction'

        TestFormSet = formset_factory(TestForm, extra=3)
        testFormSet = TestFormSet()

        c = Context({
            'testFormSet': testFormSet,
            'formset_helper': form_helper,
            'csrf_token': _get_new_csrf_key()
        })
        html = template.render(c)

        self.assertEqual(html.count('<form'), 1)
        self.assertEqual(
            html.count("<input type='hidden' name='csrfmiddlewaretoken'"), 1)

        # Check formset management form
        self.assertTrue('form-TOTAL_FORMS' in html)
        self.assertTrue('form-INITIAL_FORMS' in html)
        self.assertTrue('form-MAX_NUM_FORMS' in html)

        self.assertTrue('class="uniForm formsets-that-rock"' in html)
        self.assertTrue('method="post"' in html)
        self.assertTrue('id="thisFormsetRocks">' in html)
        self.assertTrue('action="%s"' % reverse('simpleAction') in html)
示例#15
0
def test_formset_layout(settings):
    SampleFormSet = formset_factory(SampleForm, extra=3)
    formset = SampleFormSet()
    helper = FormHelper()
    helper.form_id = 'thisFormsetRocks'
    helper.form_class = 'formsets-that-rock'
    helper.form_method = 'POST'
    helper.form_action = 'simpleAction'
    helper.layout = Layout(
        Fieldset(
            "Item {{ forloop.counter }}",
            'is_company',
            'email',
        ), HTML("{% if forloop.first %}Note for first form only{% endif %}"),
        Row('password1', 'password2'), Fieldset("", 'first_name', 'last_name'))

    html = render_crispy_form(form=formset,
                              helper=helper,
                              context={'csrf_token': _get_new_csrf_key()})

    # Check formset fields
    assert contains_partial(
        html,
        '<input id="id_form-TOTAL_FORMS" name="form-TOTAL_FORMS" type="hidden" value="3"/>'
    )
    assert contains_partial(
        html,
        '<input id="id_form-INITIAL_FORMS" name="form-INITIAL_FORMS" type="hidden" value="0"/>'
    )
    assert contains_partial(
        html,
        '<input id="id_form-MAX_NUM_FORMS" name="form-MAX_NUM_FORMS" type="hidden" value="1000"/>'
    )
    assert contains_partial(
        html,
        '<input id="id_form-MIN_NUM_FORMS" name="form-MIN_NUM_FORMS" type="hidden" value="0"/>'
    )
    assert html.count("hidden") == 5

    # Check form structure
    assert html.count('<form') == 1
    assert html.count('csrfmiddlewaretoken') == 1
    assert 'formsets-that-rock' in html
    assert 'method="post"' in html
    assert 'id="thisFormsetRocks"' in html
    assert 'action="%s"' % reverse('simpleAction') in html

    # Check form layout
    assert 'Item 1' in html
    assert 'Item 2' in html
    assert 'Item 3' in html
    assert html.count('Note for first form only') == 1
    if settings.CRISPY_TEMPLATE_PACK == 'uni_form':
        assert html.count('formRow') == 3
    elif settings.CRISPY_TEMPLATE_PACK in ('bootstrap3', 'bootstrap4'):
        assert html.count('row') == 3

    if settings.CRISPY_TEMPLATE_PACK == 'bootstrap4':
        assert html.count('form-group') == 18
示例#16
0
def _get_or_create_csrf_token(request):
    token = request.META.get('CSRF_COOKIE', None)
    if token is None:
        token = csrf._get_new_csrf_key()
        request.META['CSRF_COOKIE'] = token
    request.META['CSRF_COOKIE_USED'] = True
    token = "<input type='hidden' name='csrf_token' value='%s'" % (token)
    return token
示例#17
0
 def wrapper(request, *args, **kw):
     anon = not request.user.is_authenticated()
     if anon:
         if ANON_COOKIE in request.COOKIES:
             key = request.COOKIES[ANON_COOKIE]
             token = cache.get(key)
         else:
             key = django_csrf._get_new_csrf_key()
             token = django_csrf._get_new_csrf_key()
         cache.set(key, token, ANON_TIMEOUT)
         request.csrf_token = token
     response = f(request, *args, **kw)
     if anon:
         # Set or reset the cache and cookie timeouts.
         response.set_cookie(ANON_COOKIE, key, max_age=ANON_TIMEOUT, httponly=True, secure=request.is_secure())
         patch_vary_headers(response, ["Cookie"])
     return response
示例#18
0
文件: views.py 项目: ampg99/cloudly
def _get_or_create_csrf_token(request):
    token = request.META.get('CSRF_COOKIE', None)
    if token is None:
        token = csrf._get_new_csrf_key()
        request.META['CSRF_COOKIE'] = token
    request.META['CSRF_COOKIE_USED'] = True
    token = "<input type='hidden' name='csrf_token' value='%s'" % (token)
    return token
示例#19
0
 def wrapper(request, *args, **kw):
     use_anon_cookie = not (request.user.is_authenticated() or conf.ANON_ALWAYS)
     if use_anon_cookie:
         if conf.ANON_COOKIE in request.COOKIES:
             key = request.COOKIES[conf.ANON_COOKIE]
             token = cache.get(prep_key(key)) or django_csrf._get_new_csrf_key()
         else:
             key = django_csrf._get_new_csrf_key()
             token = django_csrf._get_new_csrf_key()
         cache.set(prep_key(key), token, conf.ANON_TIMEOUT)
         request.csrf_token = token
     response = f(request, *args, **kw)
     if use_anon_cookie:
         # Set or reset the cache and cookie timeouts.
         response.set_cookie(conf.ANON_COOKIE, key, max_age=conf.ANON_TIMEOUT,
                             httponly=True, secure=request.is_secure())
         patch_vary_headers(response, ['Cookie'])
     return response
示例#20
0
 def process_request(self, request):
     """
     If we are getting a POST that results in a decoded signed_request
     we shouldn't do CSRF protection. This is really so that we do not
     need to do @csrf_exempt on all views that interacts with Facebook.
     """
     if request.FACEBOOK:
         request.META["CSRF_COOKIE"] = _get_new_csrf_key()
         request.csrf_processing_done = True
示例#21
0
 def post(self, request, *args, **kwargs):
     serializer = self.serializer_class(data=request.data)
     serializer.is_valid(raise_exception=True)
     user = serializer.validated_data['user']
     token, created = Token.objects.get_or_create(user=user)
     auth_login(request, user)
     response = Response({'token': token.key})
     csrf_token = _get_new_csrf_key()
     response.set_cookie('csrftoken', csrf_token)
     return response
示例#22
0
    def test_formset_layout(self):
        template = get_template_from_string(u"""
            {% load crispy_forms_tags %}
            {% crispy testFormSet formset_helper %}
        """)

        form_helper = FormHelper()
        form_helper.form_id = 'thisFormsetRocks'
        form_helper.form_class = 'formsets-that-rock'
        form_helper.form_method = 'POST'
        form_helper.form_action = 'simpleAction'
        form_helper.add_layout(
            Layout(
                Fieldset("Item {{ forloop.counter }}",
                    'is_company',
                    'email',
                ),
                HTML("{% if forloop.first %}Note for first form only{% endif %}"),
                Row('password1', 'password2'),
                Fieldset("",
                    'first_name',
                    'last_name'
                )
            )
        )

        TestFormSet = formset_factory(TestForm, extra = 3)
        testFormSet = TestFormSet()

        c = Context({
            'testFormSet': testFormSet,
            'formset_helper': form_helper,
            'csrf_token': _get_new_csrf_key()
        })
        html = template.render(c)

        # Check form parameters
        self.assertEqual(html.count('<form'), 1)
        self.assertEqual(html.count("<input type='hidden' name='csrfmiddlewaretoken'"), 1)

        self.assertTrue('formsets-that-rock' in html)
        self.assertTrue('method="post"' in html)
        self.assertTrue('id="thisFormsetRocks"' in html)
        self.assertTrue('action="%s"' % reverse('simpleAction') in html)

        # Check form layout
        self.assertTrue('Item 1' in html)
        self.assertTrue('Item 2' in html)
        self.assertTrue('Item 3' in html)
        self.assertEqual(html.count('Note for first form only'), 1)

        if settings.CRISPY_TEMPLATE_PACK == 'uni_form':
            self.assertEqual(html.count('formRow'), 3)
        else:
            self.assertEqual(html.count('row'), 3)
示例#23
0
    def test_formset_layout(self):
        template = get_template_from_string(u"""
            {% load crispy_forms_tags %}
            {% crispy testFormSet formset_helper %}
        """)

        form_helper = FormHelper()
        form_helper.form_id = 'thisFormsetRocks'
        form_helper.form_class = 'formsets-that-rock'
        form_helper.form_method = 'POST'
        form_helper.form_action = 'simpleAction'
        form_helper.add_layout(
            Layout(
                Fieldset("Item {{ forloop.counter }}",
                    'is_company',
                    'email',
                ),
                HTML("{% if forloop.first %}Note for first form only{% endif %}"),
                Row('password1', 'password2'),
                Fieldset("",
                    'first_name',
                    'last_name'
                )
            )
        )

        TestFormSet = formset_factory(TestForm, extra = 3)
        testFormSet = TestFormSet()

        c = Context({
            'testFormSet': testFormSet,
            'formset_helper': form_helper,
            'csrf_token': _get_new_csrf_key()
        })
        html = template.render(c)

        # Check form parameters
        self.assertEqual(html.count('<form'), 1)
        self.assertEqual(html.count("<input type='hidden' name='csrfmiddlewaretoken'"), 1)

        self.assertTrue('formsets-that-rock' in html)
        self.assertTrue('method="post"' in html)
        self.assertTrue('id="thisFormsetRocks"' in html)
        self.assertTrue('action="%s"' % reverse('simpleAction') in html)

        # Check form layout
        self.assertTrue('Item 1' in html)
        self.assertTrue('Item 2' in html)
        self.assertTrue('Item 3' in html)
        self.assertEqual(html.count('Note for first form only'), 1)

        if settings.CRISPY_TEMPLATE_PACK == 'uni_form':
            self.assertEqual(html.count('formRow'), 3)
        else:
            self.assertEqual(html.count('row'), 3)
示例#24
0
def test_formset_layout(settings):
    TestFormSet = formset_factory(TestForm, extra=3)
    formset = TestFormSet()
    helper = FormHelper()
    helper.form_id = 'thisFormsetRocks'
    helper.form_class = 'formsets-that-rock'
    helper.form_method = 'POST'
    helper.form_action = 'simpleAction'
    helper.layout = Layout(
        Fieldset(
            "Item {{ forloop.counter }}",
            'is_company',
            'email',
        ), HTML("{% if forloop.first %}Note for first form only{% endif %}"),
        Row('password1', 'password2'), Fieldset("", 'first_name', 'last_name'))

    html = render_crispy_form(form=formset,
                              helper=helper,
                              context={'csrf_token': _get_new_csrf_key()})

    # Check formset fields
    hidden_count = 4  # before Django 1.7 added MIN_NUM_FORM_COUNT
    assert html.count(
        'id="id_form-TOTAL_FORMS" name="form-TOTAL_FORMS" type="hidden" value="3"'
    ) == 1
    assert html.count(
        'id="id_form-INITIAL_FORMS" name="form-INITIAL_FORMS" type="hidden" value="0"'
    ) == 1
    assert html.count(
        'id="id_form-MAX_NUM_FORMS" name="form-MAX_NUM_FORMS" type="hidden" value="1000"'
    ) == 1
    if hasattr(forms.formsets, 'MIN_NUM_FORM_COUNT'):
        assert html.count(
            'id="id_form-MIN_NUM_FORMS" name="form-MIN_NUM_FORMS" type="hidden" value="0"'
        ) == 1
        hidden_count += 1
    assert html.count("hidden") == hidden_count

    # Check form structure
    assert html.count('<form') == 1
    assert html.count("<input type='hidden' name='csrfmiddlewaretoken'") == 1
    assert 'formsets-that-rock' in html
    assert 'method="post"' in html
    assert 'id="thisFormsetRocks"' in html
    assert 'action="%s"' % reverse('simpleAction') in html

    # Check form layout
    assert 'Item 1' in html
    assert 'Item 2' in html
    assert 'Item 3' in html
    assert html.count('Note for first form only') == 1
    if settings.CRISPY_TEMPLATE_PACK == 'uni_form':
        assert html.count('formRow') == 3
    else:
        assert html.count('row') == 3
示例#25
0
    def wrapper(*args, **kwargs):
        request = args[0]
        expires = datetime.now() + timedelta(days=7)
        if request.COOKIES.get('user', None):
            _tk = request.COOKIES.get('user', None)
        else:
            _tk = _get_new_csrf_key()

        response = fn(*args, **kwargs)
        response.set_cookie('user', _tk, expires=expires)
        return response
示例#26
0
 def wrapper(request, *args, **kw):
     anon = not request.user.is_authenticated()
     if anon:
         if ANON_COOKIE in request.COOKIES:
             key = request.COOKIES[ANON_COOKIE]
             token = cache.get(key)
         else:
             key = django_csrf._get_new_csrf_key()
             token = django_csrf._get_new_csrf_key()
         cache.set(key, token, ANON_TIMEOUT)
         request.csrf_token = token
     response = f(request, *args, **kw)
     if anon:
         # Set or reset the cache and cookie timeouts.
         response.set_cookie(ANON_COOKIE,
                             key,
                             max_age=ANON_TIMEOUT,
                             httponly=True,
                             secure=request.is_secure())
         patch_vary_headers(response, ['Cookie'])
     return response
示例#27
0
def get_or_create_csrf_token(request):
    try:
        csrf_token = _sanitize_token(
            request.COOKIES[django_settings.CSRF_COOKIE_NAME])
        # Use same token next time
    except KeyError:
        csrf_token = _get_new_csrf_key()
        # Generate token and store it in the request, so it's
        # available to the view.
    request.META['CSRF_COOKIE'] = csrf_token
    request.META['CSRF_COOKIE_USED'] = True
    return csrf_token
def test_CSRF_token_GET_form():
    form_helper = FormHelper()
    form_helper.form_method = 'GET'
    template = Template("""
        {% load crispy_forms_tags %}
        {% crispy form form_helper %}
    """)

    c = Context({'form': SampleForm(), 'form_helper': form_helper, 'csrf_token': _get_new_csrf_key()})
    html = template.render(c)

    assert 'csrfmiddlewaretoken' not in html
示例#29
0
def get_or_create_csrf_token(request):
    try:
        csrf_token = _sanitize_token(
            request.COOKIES[django_settings.CSRF_COOKIE_NAME])
        # Use same token next time
    except KeyError:
        csrf_token = _get_new_csrf_key()
        # Generate token and store it in the request, so it's
        # available to the view.
    request.META['CSRF_COOKIE'] = csrf_token
    request.META['CSRF_COOKIE_USED'] = True
    return csrf_token
示例#30
0
def test_CSRF_token_GET_form():
    form_helper = FormHelper()
    form_helper.form_method = 'GET'
    template = get_template_from_string("""
        {% load crispy_forms_tags %}
        {% crispy form form_helper %}
    """)

    c = Context({'form': TestForm(), 'form_helper': form_helper, 'csrf_token': _get_new_csrf_key()})
    html = template.render(c)

    assert "<input type='hidden' name='csrfmiddlewaretoken'" not in html
示例#31
0
    def test_csrf_token_GET_form(self):
        form_helper = FormHelper()    
        form_helper.form_method = 'GET'
        template = get_template_from_string(u"""
            {% load uni_form_tags %}
            {% uni_form form form_helper %}
        """)        

        c = Context({'form': TestForm(), 'form_helper': form_helper, 'csrf_token': _get_new_csrf_key()})
        html = template.render(c)
        
        self.assertFalse("<input type='hidden' name='csrfmiddlewaretoken'" in html)                
示例#32
0
def test_CSRF_token_GET_form():
    form_helper = FormHelper()
    form_helper.form_method = 'GET'
    template = Template("""
        {% load crispy_forms_tags %}
        {% crispy form form_helper %}
    """)

    c = Context({'form': SampleForm(), 'form_helper': form_helper, 'csrf_token': _get_new_csrf_key()})
    html = template.render(c)

    assert 'csrfmiddlewaretoken' not in html
示例#33
0
    def wrapper(request, *args, **kwargs):
        if request.method == "GET":
            csrf_token = _get_new_csrf_key()
            request.csrf_processing_done = False
            request.META['CSRF_COOKIE'] = csrf_token
            request.META['CSRF_COOKIE_USED'] = True
            kwargs["csrf_token"] = csrf_token

            ret = func(request, *args, **kwargs)

            return ret
        else:
            raise CsrfWrapperException("csrf 只能装饰在GET方法上")
示例#34
0
    def wrapper(request, *args, **kwargs):
        if request.method == "GET":
            csrf_token = _get_new_csrf_key()
            request.csrf_processing_done = False
            request.META['CSRF_COOKIE'] = csrf_token
            request.META['CSRF_COOKIE_USED'] = True
            kwargs["csrf_token"] = csrf_token

            ret = func(request, *args, **kwargs)

            return ret
        else:
            raise CsrfWrapperException("csrf 只能装饰在GET方法上")
示例#35
0
    def test_CSRF_token_GET_form(self):
        form_helper = FormHelper()
        form_helper.form_method = "GET"
        template = get_template_from_string(
            u"""
            {% load crispy_forms_tags %}
            {% crispy form form_helper %}
        """
        )

        c = Context({"form": TestForm(), "form_helper": form_helper, "csrf_token": _get_new_csrf_key()})
        html = template.render(c)

        self.assertFalse("<input type='hidden' name='csrfmiddlewaretoken'" in html)
示例#36
0
def test_CSRF_token_POST_form():
    form_helper = FormHelper()
    template = get_template_from_string("""
        {% load crispy_forms_tags %}
        {% crispy form form_helper %}
    """)

    # The middleware only initializes the CSRF token when processing a real request
    # So using RequestContext or csrf(request) here does not work.
    # Instead I set the key `csrf_token` to a CSRF token manually, which `csrf_token` tag uses
    c = Context({'form': TestForm(), 'form_helper': form_helper, 'csrf_token': _get_new_csrf_key()})
    html = template.render(c)

    assert "<input type='hidden' name='csrfmiddlewaretoken'" in html
示例#37
0
 def wrapper(request, *args, **kw):
     use_anon_cookie = not (request.user.is_authenticated()
                            or conf.ANON_ALWAYS)
     if use_anon_cookie:
         if conf.ANON_COOKIE in request.COOKIES:
             key = request.COOKIES[conf.ANON_COOKIE]
             token = cache.get(
                 prep_key(key)) or django_csrf._get_new_csrf_key()
         else:
             key = django_csrf._get_new_csrf_key()
             token = django_csrf._get_new_csrf_key()
         cache.set(prep_key(key), token, conf.ANON_TIMEOUT)
         request.csrf_token = token
     response = f(request, *args, **kw)
     if use_anon_cookie:
         # Set or reset the cache and cookie timeouts.
         response.set_cookie(conf.ANON_COOKIE,
                             key,
                             max_age=conf.ANON_TIMEOUT,
                             httponly=True,
                             secure=request.is_secure())
         patch_vary_headers(response, ['Cookie'])
     return response
示例#38
0
 def set_csrf_cookie(self):
     """
     Sets a unique CSRF cookie for subsequent requests to use. Returns
     the new cookie's value.
     
     """
     self.cookies[settings.CSRF_COOKIE_NAME] = csrf._get_new_csrf_key()
     self.cookies[settings.CSRF_COOKIE_NAME].update({
         "max_age": 60 * 60 * 24 * 7 * 52,
         "domain": settings.CSRF_COOKIE_DOMAIN,
         "path": settings.CSRF_COOKIE_PATH,
         "secure": settings.CSRF_COOKIE_SECURE,
         "httponly": settings.CSRF_COOKIE_HTTPONLY})
     return self.cookies.get(settings.CSRF_COOKIE_NAME).value
示例#39
0
文件: tests.py 项目: Bauke900/dnevnik
    def test_CSRF_token_POST_form(self):
        form_helper = FormHelper()
        template = get_template_from_string(
            u"""
            {% load uni_form_tags %}
            {% uni_form form form_helper %}
        """
        )

        # The middleware only initializes the CSRF token when processing a real request
        # So using RequestContext or csrf(request) here does not work.
        # Instead I set the key `csrf_token` to a CSRF token manually, which `csrf_token` tag uses
        c = Context({"form": TestForm(), "form_helper": form_helper, "csrf_token": _get_new_csrf_key()})
        html = template.render(c)

        self.assertTrue("<input type='hidden' name='csrfmiddlewaretoken'" in html)
示例#40
0
def get_fb_user_canvas(request):
    """ Attempt to find a user using a signed_request (canvas). """
    data = get_signed_request_data(request)
    if data:
        if request.method == 'POST':
            # If this is requset method is POST then prevent rising err 403
            # from Django CSRF middleware
            request.META["CSRF_COOKIE"] = _get_new_csrf_key()
            request.csrf_processing_done = True

        if data.get('user_id'):
            fb_user = data['user']
            fb_user['method'] = 'canvas'
            fb_user['uid'] = data['user_id']
            fb_user['access_token'] = data['oauth_token']
            return fb_user
示例#41
0
def get_fb_user_canvas(request):
    """ Attempt to find a user using a signed_request (canvas). """
    data = get_signed_request_data(request)
    if data:
        if request.method == "POST":
            # If this is requset method is POST then prevent rising err 403
            # from Django CSRF middleware
            request.META["CSRF_COOKIE"] = _get_new_csrf_key()
            request.csrf_processing_done = True

        if data.get("user_id"):
            fb_user = data["user"]
            fb_user["method"] = "canvas"
            fb_user["uid"] = data["user_id"]
            fb_user["access_token"] = data["oauth_token"]
            return fb_user
示例#42
0
def artificial_login(**credentials):
    from django.contrib.auth import authenticate, login

    cookies = SimpleCookie()

    user = authenticate(**credentials)
    engine = import_module(settings.SESSION_ENGINE)

    # Create a fake request that goes through request middleware
    request = WSGIRequest({
        'HTTP_COOKIE': cookies.output(header='', sep=';'),
        'PATH_INFO': str('/'),
        'REMOTE_ADDR': str('127.0.0.1'),
        'REQUEST_METHOD': str('GET'),
        'SCRIPT_NAME': str(''),
        'SERVER_NAME': str('testserver'),
        'SERVER_PORT': str('80'),
        'SERVER_PROTOCOL': str('HTTP/1.1'),
        'wsgi.version': (1, 0),
        'wsgi.url_scheme': str('http'),
        'wsgi.input': BytesIO(),
        'wsgi.errors': BytesIO(),
        'wsgi.multiprocess': True,
        'wsgi.multithread': False,
        'wsgi.run_once': False,
    })
    request.session = engine.SessionStore()
    login(request, user)

    # Save the session values.
    request.session.save()

    # Set the cookie to represent the session.
    session_cookie = settings.SESSION_COOKIE_NAME
    cookies[session_cookie] = request.session.session_key
    cookie_data = {
        'max-age': None,
        'path': '/',
        'domain': settings.SESSION_COOKIE_DOMAIN,
        'secure': settings.SESSION_COOKIE_SECURE or None,
        'expires': None,
    }
    cookies[session_cookie].update(cookie_data)
    return {
        session_cookie: cookies[session_cookie].value,
        settings.CSRF_COOKIE_NAME: csrf._get_new_csrf_key(),
    }
示例#43
0
def artificial_login(**credentials):
    from django.contrib.auth import authenticate, login

    cookies = SimpleCookie()

    user = authenticate(**credentials)
    engine = import_module(settings.SESSION_ENGINE)

    # Create a fake request that goes through request middleware
    request = WSGIRequest({
        "HTTP_COOKIE": cookies.output(header="", sep=";"),
        "PATH_INFO": "/",
        "REMOTE_ADDR": "127.0.0.1",
        "REQUEST_METHOD": "GET",
        "SCRIPT_NAME": "",
        "SERVER_NAME": "testserver",
        "SERVER_PORT": "80",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.version": (1, 0),
        "wsgi.url_scheme": "http",
        "wsgi.input": BytesIO(),
        "wsgi.errors": BytesIO(),
        "wsgi.multiprocess": True,
        "wsgi.multithread": False,
        "wsgi.run_once": False,
    })
    request.session = engine.SessionStore()
    login(request, user)

    # Save the session values.
    request.session.save()

    # Set the cookie to represent the session.
    session_cookie = settings.SESSION_COOKIE_NAME
    cookies[session_cookie] = request.session.session_key
    cookie_data = {
        "max-age": None,
        "path": "/",
        "domain": settings.SESSION_COOKIE_DOMAIN,
        "secure": settings.SESSION_COOKIE_SECURE or None,
        "expires": None,
    }
    cookies[session_cookie].update(cookie_data)
    return {
        session_cookie: cookies[session_cookie].value,
        settings.CSRF_COOKIE_NAME: csrf._get_new_csrf_key(),
    }
示例#44
0
    def test_csrf_token_POST_form(self):
        form_helper = FormHelper()    
        template = get_template_from_string(u"""
            {% load uni_form_tags %}
            {% uni_form form form_helper %}
        """)        

        # The middleware only initializes the CSRF token when processing a real request
        # So using RequestContext or csrf(request) here does not work.
        # Instead I set the key `csrf_token` to a CSRF token manually, which `csrf_token` tag
        # reads to put a hidden input in > django.template.defaulttags.CsrfTokenNode
        # This way we don't need to use Django's client, have a test_app and urls
        # I like self-contained tests :) CSRF could be any number, we don't care
        c = Context({'form': TestForm(), 'form_helper': form_helper, 'csrf_token': _get_new_csrf_key()})
        html = template.render(c)

        self.assertTrue("<input type='hidden' name='csrfmiddlewaretoken'" in html)                
示例#45
0
    def test_CSRF_token_GET_form(self):
        form_helper = FormHelper()
        form_helper.form_method = 'GET'
        template = get_template_from_string(u"""
            {% load uni_form_tags %}
            {% uni_form form form_helper %}
        """)

        c = Context({
            'form': TestForm(),
            'form_helper': form_helper,
            'csrf_token': _get_new_csrf_key()
        })
        html = template.render(c)

        self.assertFalse(
            "<input type='hidden' name='csrfmiddlewaretoken'" in html)
示例#46
0
def get_or_create_csrf_token(request):
    from django.middleware import csrf
    token = None
    try:
        token = request.META.get('CSRF_COOKIE', None)
    except Exception as e:
        print(e)
        pass
    if token is None:
        token = csrf._get_new_csrf_key()
        try:
            request.META['CSRF_COOKIE'] = token
            request.META['CSRF_COOKIE_USED'] = True
        except Exception as e:
            print(e)
            pass
    print(token)
    return token
示例#47
0
    def process_request(self, request):
        """
        Add a CSRF token to the session for logged-in users.

        The token is available at request.csrf_token.
        """
        if hasattr(request, "csrf_token"):
            return
        if request.user.is_authenticated():
            if "csrf_token" not in request.session:
                token = django_csrf._get_new_csrf_key()
                request.csrf_token = request.session["csrf_token"] = token
            else:
                request.csrf_token = request.session["csrf_token"]
        elif ANON_COOKIE in request.COOKIES:
            key = request.COOKIES[ANON_COOKIE]
            request.csrf_token = cache.get(key, "")
        else:
            request.csrf_token = ""
示例#48
0
    def process_request(self, request):
        """
        Add a CSRF token to the session for logged-in users.

        The token is available at request.csrf_token.
        """
        if hasattr(request, 'csrf_token'):
            return
        if request.user.is_authenticated():
            if 'csrf_token' not in request.session:
                token = django_csrf._get_new_csrf_key()
                request.csrf_token = request.session['csrf_token'] = token
            else:
                request.csrf_token = request.session['csrf_token']
        elif ANON_COOKIE in request.COOKIES:
            key = request.COOKIES[ANON_COOKIE]
            request.csrf_token = cache.get(key, '')
        else:
            request.csrf_token = ''
示例#49
0
def get_fb_user_canvas(request):
    """ Attempt to find a user using a signed_request (canvas). """
    signed_request = request.REQUEST.get('signed_request')
    if signed_request:
        data = facebook.parse_signed_request(signed_request,
                                             settings.SECRET_KEY)
        if data:
            if request.method == 'POST':
                # If this is requset method is POST then prevent rising err 403
                # from Django CSRF middleware
                request.META["CSRF_COOKIE"] = _get_new_csrf_key()
                request.csrf_processing_done = True

            if data.get('user_id'):
                fb_user = data['user']
                fb_user['method'] = 'canvas'
                fb_user['uid'] = data['user_id']
                fb_user['access_token'] = data['oauth_token']
                return fb_user
示例#50
0
    def test_enforce_csrf_works_with_token_in_header(self):
        '''
        I can't figure out how to set up a request with a proper CSRF token.
        I think I need the same token in the posted data AND in either a request
        header or in the cookies.

        In this test I am trying to set it in the request headers per the docs:
        https://docs.djangoproject.com/en/1.8/ref/csrf/#ajax
        '''
        # first set up some model instances we need
        user = User.objects.create_user(username='******', password='******')
        for name in ['blue', 'green', 'yellow', 'orange', 'red']:
            self.create_color(name)

        token = csrf._get_new_csrf_key()
        # client = Client(enforce_csrf_checks=True, HTTP_X_CSRFTOKEN=token, HTTP_REFERER='http://test.example.com/')
        client = Client(enforce_csrf_checks=True, HTTP_X_CSRFTOKEN=token)
        # pprint(client.__dict__)
        response = client.post('/', {'username': user.username, 'choice': 2, 'csrfmiddlewaretoken': token})
        # pprint(response.__dict__)
        self.assertEqual(response.status_code, 200)
示例#51
0
def restore_csrf_token(request, storage=None):
    """
    Given the request and a the context used during the second render phase,
    this wil check if there is a CSRF cookie and restores if needed, to
    counteract the way the CSRF framework invalidates the CSRF token after
    each request/response cycle.
    """
    if storage is None:
        storage = {}
    try:
        if not request.META.get("CSRF_COOKIE", False):
            request.META["CSRF_COOKIE"] = request.COOKIES[django_settings.CSRF_COOKIE_NAME]
    except KeyError:
        csrf_token = storage.get('csrf_token', None)
        if csrf_token:
            # if the context has a cached csrf token generate a new token
            # otherwise all users will get the same csrf token assigned
            csrf_token = _get_new_csrf_key()
            request.META["CSRF_COOKIE"] = csrf_token
            storage['csrf_token'] = csrf_token
    return storage
示例#52
0
文件: utils.py 项目: amaudy/feedhq
def manual_csrf_check(request):
    """
    Performs a CSRF check for a specific request.

    Useful for in-view CSRF checks.

    Returns an HTTP response in case of CSRF failure.
    """
    try:
        csrf_token = _sanitize_token(
            request.COOKIES[settings.CSRF_COOKIE_NAME]
        )
        request.META['CSRF_COOKIE'] = csrf_token
    except KeyError:
        csrf_token = None
        request.META["CSRF_COOKIE"] = _get_new_csrf_key()

    if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
        if request.is_secure():
            referer = request.META.get('HTTP_REFERER')
            if referer is None:
                return middleware._reject(request, REASON_NO_REFERER)

            good_referer = 'https://%s/' % request.get_host()
            if not same_origin(referer, good_referer):
                reason = REASON_BAD_REFERER % (referer, good_referer)
                return middleware._reject(request, reason)

        if csrf_token is None:
            return middleware._reject(request, REASON_NO_CSRF_COOKIE)

        request_csrf_token = ""
        if request.method == "POST":
            request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')

        if request_csrf_token == "":
            request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

        if not constant_time_compare(request_csrf_token, csrf_token):
            return middleware._reject(request, REASON_BAD_TOKEN)
示例#53
0
def test_formset_with_helper_without_layout(settings):
    template = Template("""
        {% load crispy_forms_tags %}
        {% crispy testFormSet formset_helper %}
    """)

    form_helper = FormHelper()
    form_helper.form_id = 'thisFormsetRocks'
    form_helper.form_class = 'formsets-that-rock'
    form_helper.form_method = 'POST'
    form_helper.form_action = 'simpleAction'

    SampleFormSet = formset_factory(SampleForm, extra=3)
    testFormSet = SampleFormSet()

    c = Context({
        'testFormSet': testFormSet,
        'formset_helper': form_helper,
        'csrf_token': _get_new_csrf_key()
    })
    html = template.render(c)

    assert html.count('<form') == 1
    assert html.count("<input type='hidden' name='csrfmiddlewaretoken'") == 1

    # Check formset management form
    assert 'form-TOTAL_FORMS' in html
    assert 'form-INITIAL_FORMS' in html
    assert 'form-MAX_NUM_FORMS' in html

    assert 'formsets-that-rock' in html
    assert 'method="post"' in html
    assert 'id="thisFormsetRocks"' in html
    assert 'action="%s"' % reverse('simpleAction') in html
    if settings.CRISPY_TEMPLATE_PACK == 'uni_form':
        assert 'class="uniForm' in html
示例#54
0
def csrf(request):
    return JsonResponse({"token": _get_new_csrf_key()})
示例#55
0
    def process_view(self, request, callback, callback_args, callback_kwargs):

        if getattr(request, 'csrf_processing_done', False):
            return None

        try:
            csrf_token = django_csrf._sanitize_token(
                request.COOKIES[settings.CSRF_COOKIE_NAME])
            # Use same token next time
            request.META['CSRF_COOKIE'] = csrf_token
        except KeyError:
            csrf_token = None
            # Generate token and store it in the request, so it's
            # available to the view.
            request.META["CSRF_COOKIE"] = django_csrf._get_new_csrf_key()

        # Wait until request.META["CSRF_COOKIE"] has been manipulated before
        # bailing out, so that get_token still works
        if getattr(callback, 'csrf_exempt', False):
            return None

        # Assume that anything not defined as 'safe' by RFC2616 needs protection
        if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
            if getattr(request, '_dont_enforce_csrf_checks', False):
                # Mechanism to turn off CSRF checks for test suite.
                # It comes after the creation of CSRF cookies, so that
                # everything else continues to work exactly the same
                # (e.g. cookies are sent, etc.), but before any
                # branches that call reject().
                return self._accept(request)

            if request.is_secure():
                # Suppose user visits http://example.com/
                # An active network attacker (man-in-the-middle, MITM) sends a
                # POST form that targets https://example.com/detonate-bomb/ and
                # submits it via JavaScript.
                #
                # The attacker will need to provide a CSRF cookie and token, but
                # that's no problem for a MITM and the session-independent
                # nonce we're using. So the MITM can circumvent the CSRF
                # protection. This is true for any HTTP connection, but anyone
                # using HTTPS expects better! For this reason, for
                # https://example.com/ we need additional protection that treats
                # http://example.com/ as completely untrusted. Under HTTPS,
                # Barth et al. found that the Referer header is missing for
                # same-domain requests in only about 0.2% of cases or less, so
                # we can use strict Referer checking.
                referer = force_text(request.META.get('HTTP_REFERER'),
                                     strings_only=True,
                                     errors='replace')
                if referer is None:
                    return self._reject(request, django_csrf.REASON_NO_REFERER)

                # Here we generate a list of all acceptable HTTP referers,
                # including the current host since that has been validated
                # upstream.
                good_hosts = list(settings.CSRF_TRUSTED_ORIGINS)
                # Note that request.get_host() includes the port.
                good_hosts.append(request.get_host())
                good_referers = [
                    'https://{0}/'.format(host) for host in good_hosts
                ]
                if not any(
                        same_origin(referer, host) for host in good_referers):
                    reason = REASON_BAD_REFERER % referer
                    return self._reject(request, reason)

            if csrf_token is None:
                # No CSRF cookie. For POST requests, we insist on a CSRF cookie,
                # and in this way we can avoid all CSRF attacks, including login
                # CSRF.
                return self._reject(request, django_csrf.REASON_NO_CSRF_COOKIE)

            # Check non-cookie token for match.
            request_csrf_token = ""
            if request.method == "POST":
                try:
                    request_csrf_token = request.POST.get(
                        'csrfmiddlewaretoken', '')
                except IOError:
                    # Handle a broken connection before we've completed reading
                    # the POST data. process_view shouldn't raise any
                    # exceptions, so we'll ignore and serve the user a 403
                    # (assuming they're still listening, which they probably
                    # aren't because of the error).
                    pass

            if request_csrf_token == "":
                # Fall back to X-CSRFToken, to make things easier for AJAX,
                # and possible for PUT/DELETE.
                request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

            if not constant_time_compare(request_csrf_token, csrf_token):
                return self._reject(request, django_csrf.REASON_BAD_TOKEN)

        return self._accept(request)
示例#56
0
        if k != exclude_key:
            if values:
                values += '&'
            values += k + '=' + v
    return values

def get_or_create_csrf_token(request):
    from django.middleware import csrf
    token = None
    try:
        token = request.META.get('CSRF_COOKIE', None)
    except Exception, e:
        print e
        pass
    if token is None:
        token = csrf._get_new_csrf_key()
        try:
            request.META['CSRF_COOKIE'] = token
            request.META['CSRF_COOKIE_USED'] = True
        except Exception, e:
            print e
            pass
    print token
    return token

def paginator_page_cutter(page_range, current_page):
    page_count = len(page_range)
    if page_count <= 11:
        return page_range
    
    start_page = current_page - 5
示例#57
0
    def process_view(self, request, callback, callback_args, callback_kwargs):
        if getattr(request, 'csrf_processing_done', False):
            return None

        try:
            request.META["CSRF_COOKIE"] = _sanitize_token(
                request.COOKIES[settings.CSRF_COOKIE_NAME])
            cookie_is_new = False
        except KeyError:
            request.META["CSRF_COOKIE"] = _get_new_csrf_key()
            cookie_is_new = True

        if getattr(callback, 'csrf_exempt', False):
            return None

        if request.method == 'POST':
            if getattr(request, '_dont_enforce_csrf_checks', False):
                return self._accept(request)
            # let initial signed requests pass
            if 'signed_request' in request.POST:
                post = request.POST.copy()
                post.pop('signed_request')
                if len(post) == 0:
                    return self._accept(request)

            if request.is_secure() and getattr(settings,
                                               'HTTPS_REFERER_REQUIRED', True):
                referer = request.META.get('HTTP_REFERER')
                if referer is None:
                    logger.warning('Forbidden (%s): %s' %
                                   (REASON_NO_REFERER, request.path),
                                   extra={
                                       'status_code': 403,
                                       'request': request,
                                   })
                    return self._reject(request, REASON_NO_REFERER)

                # Note that request.get_host() includes the port
                good_referer = 'https://%s/' % request.get_host()
                if not same_origin(referer, good_referer):
                    reason = REASON_BAD_REFERER % (referer, good_referer)
                    logger.warning('Forbidden (%s): %s' %
                                   (reason, request.path),
                                   extra={
                                       'status_code': 403,
                                       'request': request,
                                   })
                    return self._reject(request, reason)

            if cookie_is_new:
                try:
                    session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
                    csrf_token = _make_legacy_session_token(session_id)
                except KeyError:
                    logger.warning('Forbidden (%s): %s' %
                                   (REASON_NO_COOKIE, request.path),
                                   extra={
                                       'status_code': 403,
                                       'request': request,
                                   })
                    return self._reject(request, REASON_NO_COOKIE)
            else:
                csrf_token = request.META["CSRF_COOKIE"]

            # check incoming token
            request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
            if not request_csrf_token:
                request_csrf_token = request.POST.get('state', '')
            if request_csrf_token == "":
                # Fall back to X-CSRFToken, to make things easier for AJAX
                request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

            if not constant_time_compare(request_csrf_token, csrf_token):
                if cookie_is_new:
                    # probably a problem setting the CSRF cookie
                    logger.warning('Forbidden (%s): %s' %
                                   (REASON_NO_CSRF_COOKIE, request.path),
                                   extra={
                                       'status_code': 403,
                                       'request': request,
                                   })
                    return self._reject(request, REASON_NO_CSRF_COOKIE)
                else:
                    logger.warning('Forbidden (%s): %s' %
                                   (REASON_BAD_TOKEN, request.path),
                                   extra={
                                       'status_code': 403,
                                       'request': request,
                                   })
                    return self._reject(request, REASON_BAD_TOKEN)

        return self._accept(request)
示例#58
0
    def test_formset_layout(self):
        TestFormSet = formset_factory(TestForm, extra=3)
        formset = TestFormSet()
        helper = FormHelper()
        helper.form_id = 'thisFormsetRocks'
        helper.form_class = 'formsets-that-rock'
        helper.form_method = 'POST'
        helper.form_action = 'simpleAction'
        helper.layout = Layout(
            Fieldset(
                "Item {{ forloop.counter }}",
                'is_company',
                'email',
            ),
            HTML("{% if forloop.first %}Note for first form only{% endif %}"),
            Row('password1', 'password2'),
            Fieldset("", 'first_name', 'last_name'))

        html = render_crispy_form(form=formset,
                                  helper=helper,
                                  context={'csrf_token': _get_new_csrf_key()})

        # Check formset fields
        django_version = django.VERSION[:3]
        hidden_count = 4  # before Django 1.7 added MIN_NUM_FORM_COUNT
        if django_version < (1, 5):
            self.assertEqual(
                html.count(
                    'type="hidden" name="form-TOTAL_FORMS" value="3" id="id_form-TOTAL_FORMS"'
                ), 1)
            self.assertEqual(
                html.count(
                    'type="hidden" name="form-INITIAL_FORMS" value="0" id="id_form-INITIAL_FORMS"'
                ), 1)
            if (django_version >= (1, 4) and django_version <
                (1, 4, 4)) or django_version < (1, 3, 6):
                self.assertEqual(
                    html.count(
                        'type="hidden" name="form-MAX_NUM_FORMS" id="id_form-MAX_NUM_FORMS"'
                    ), 1)
            else:
                self.assertEqual(
                    html.count(
                        'type="hidden" name="form-MAX_NUM_FORMS" value="1000" id="id_form-MAX_NUM_FORMS"'
                    ), 1)
        else:
            self.assertEqual(
                html.count(
                    'id="id_form-TOTAL_FORMS" name="form-TOTAL_FORMS" type="hidden" value="3"'
                ), 1)
            self.assertEqual(
                html.count(
                    'id="id_form-INITIAL_FORMS" name="form-INITIAL_FORMS" type="hidden" value="0"'
                ), 1)
            self.assertEqual(
                html.count(
                    'id="id_form-MAX_NUM_FORMS" name="form-MAX_NUM_FORMS" type="hidden" value="1000"'
                ), 1)
            if hasattr(forms.formsets, 'MIN_NUM_FORM_COUNT'):
                self.assertEqual(
                    html.count(
                        'id="id_form-MIN_NUM_FORMS" name="form-MIN_NUM_FORMS" type="hidden" value="0"'
                    ), 1)
                hidden_count += 1
        self.assertEqual(html.count("hidden"), hidden_count)

        # Check form structure
        self.assertEqual(html.count('<form'), 1)
        self.assertEqual(
            html.count("<input type='hidden' name='csrfmiddlewaretoken'"), 1)
        self.assertTrue('formsets-that-rock' in html)
        self.assertTrue('method="post"' in html)
        self.assertTrue('id="thisFormsetRocks"' in html)
        self.assertTrue('action="%s"' % reverse('simpleAction') in html)

        # Check form layout
        self.assertTrue('Item 1' in html)
        self.assertTrue('Item 2' in html)
        self.assertTrue('Item 3' in html)
        self.assertEqual(html.count('Note for first form only'), 1)
        if self.current_template_pack == 'uni_form':
            self.assertEqual(html.count('formRow'), 3)
        else:
            self.assertEqual(html.count('row'), 3)