comparison libervia/server/pages.py @ 1283:436ef2ad92af
pages: moved CSRF checking code to a separate method:
`checkCSRF` can now be used to check CSRF, and the token can be put in the `X-Csrf-Token`
header.
author | Goffi <goffi@goffi.org> |
---|---|
date | Fri, 19 Jun 2020 16:47:51 +0200 |
parents | 0e4e413eb8db |
children | 65c43eec15ad |
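--- a/libervia/server/pages.py
+++ b/libervia/server/pages.py
@@ -519,10 +519,28 @@
 if new_page:
 log.info(_("{page} created").format(page=resource))
 else:
 log.info(_("{page} reloaded").format(page=resource))
 
+def checkCSRF(self, request):
+csrf_token = self.host.getSessionData(
+request, session_iface.ISATSession
+).csrf_token
+given_csrf = request.getHeader("X-Csrf-Token")
+if given_csrf is None:
+try:
+given_csrf = self.getPostedData(request, "csrf_token")
+except KeyError:
+pass
+if given_csrf is None or given_csrf != csrf_token:
+log.warning(
+_("invalid CSRF token, hack attempt? URL: {url}, IP: {ip}").format(
+url=request.uri, ip=request.getClientIP()
+)
+)
+self.pageError(request, C.HTTP_FORBIDDEN)
+
 def registerURI(self, uri_tuple, get_uri_cb):
 """Register a URI handler
 
 @param uri_tuple(tuple[unicode, unicode]): type or URIs handler
 type/subtype as returned by tools/common/parseXMPPUri
@@ -1408,24 +1426,11 @@
 request.setHeader(b"location", redirect_uri)
 request.finish()
 raise failure.Failure(exceptions.CancelError("Post/Redirect/Get is used"))
 
 async def _on_data_post(self, request):
-csrf_token = self.host.getSessionData(
-request, session_iface.ISATSession
-).csrf_token
-try:
-given_csrf = self.getPostedData(request, "csrf_token")
-except KeyError:
-given_csrf = None
-if given_csrf is None or given_csrf != csrf_token:
-log.warning(
-_("invalid CSRF token, hack attempt? URL: {url}, IP: {ip}").format(
-url=request.uri, ip=request.getClientIP()
-)
-)
-self.pageError(request, C.HTTP_FORBIDDEN)
+self.checkCSRF(request)
 try:
 ret = await asDeferred(self.on_data_post, self, request)
 except exceptions.DataError as e:
 # something is wrong with the posted data, we re-display the page with a
 # warning notification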
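Review bot: The new `checkCSRF` (new lines 524–541) compares the submitted token with `given_csrf != csrf_token`, an early-exit string comparison; the usual practice for comparing a secret is `if given_csrf is None or not hmac.compare_digest(given_csrf, csrf_token):` (with `import hmac` at the top of the file, outside this hunk), keeping the `is None` guard in front because `compare_digest` rejects `None` and requires both operands to be of the same type, which this page does not show for the header and posted-field values. The method is advertised in the commit message as a reusable check but has no docstring; a short one stating that the token is read from the `X-Csrf-Token` header, falling back to the posted `csrf_token` field, and that a missing or mismatched token is logged and answered with `pageError(request, C.HTTP_FORBIDDEN)`, would help callers. The second hunk (`_on_data_post`, new line 1431) calls `checkCSRF` and then proceeds straight into the `try` block, so it appears to rely on `pageError` raising rather than returning — worth stating in that docstring, since `pageError`'s body is outside this page. `_on_data_post` continues past the end of the hunk.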