Mercurial > libervia-web
comparison libervia/server/pages.py @ 1283:436ef2ad92af
pages: moved CSRF checking code to a separate method:
`checkCSRF` can now be used to check CSRF, and the token can be put in `X-Csrf-Token`
header.
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 19 Jun 2020 16:47:51 +0200 |
| parents | 0e4e413eb8db |
| children | 65c43eec15ad |
comparison
equal
deleted
inserted
replaced
| 1282:0e4e413eb8db | 1283:436ef2ad92af |
|---|---|
| 519 if new_page: | 519 if new_page: |
| 520 log.info(_("{page} created").format(page=resource)) | 520 log.info(_("{page} created").format(page=resource)) |
| 521 else: | 521 else: |
| 522 log.info(_("{page} reloaded").format(page=resource)) | 522 log.info(_("{page} reloaded").format(page=resource)) |
| 523 | 523 |
| 524 def checkCSRF(self, request): | |
| 525 csrf_token = self.host.getSessionData( | |
| 526 request, session_iface.ISATSession | |
| 527 ).csrf_token | |
| 528 given_csrf = request.getHeader("X-Csrf-Token") | |
| 529 if given_csrf is None: | |
| 530 try: | |
| 531 given_csrf = self.getPostedData(request, "csrf_token") | |
| 532 except KeyError: | |
| 533 pass | |
| 534 if given_csrf is None or given_csrf != csrf_token: | |
| 535 log.warning( | |
| 536 _("invalid CSRF token, hack attempt? URL: {url}, IP: {ip}").format( | |
| 537 url=request.uri, ip=request.getClientIP() | |
| 538 ) | |
| 539 ) | |
| 540 self.pageError(request, C.HTTP_FORBIDDEN) | |
| 541 | |
| 524 def registerURI(self, uri_tuple, get_uri_cb): | 542 def registerURI(self, uri_tuple, get_uri_cb): |
| 525 """Register a URI handler | 543 """Register a URI handler |
| 526 | 544 |
| 527 @param uri_tuple(tuple[unicode, unicode]): type or URIs handler | 545 @param uri_tuple(tuple[unicode, unicode]): type or URIs handler |
| 528 type/subtype as returned by tools/common/parseXMPPUri | 546 type/subtype as returned by tools/common/parseXMPPUri |
| 1408 request.setHeader(b"location", redirect_uri) | 1426 request.setHeader(b"location", redirect_uri) |
| 1409 request.finish() | 1427 request.finish() |
| 1410 raise failure.Failure(exceptions.CancelError("Post/Redirect/Get is used")) | 1428 raise failure.Failure(exceptions.CancelError("Post/Redirect/Get is used")) |
| 1411 | 1429 |
| 1412 async def _on_data_post(self, request): | 1430 async def _on_data_post(self, request): |
| 1413 csrf_token = self.host.getSessionData( | 1431 self.checkCSRF(request) |
| 1414 request, session_iface.ISATSession | |
| 1415 ).csrf_token | |
| 1416 try: | |
| 1417 given_csrf = self.getPostedData(request, "csrf_token") | |
| 1418 except KeyError: | |
| 1419 given_csrf = None | |
| 1420 if given_csrf is None or given_csrf != csrf_token: | |
| 1421 log.warning( | |
| 1422 _("invalid CSRF token, hack attempt? URL: {url}, IP: {ip}").format( | |
| 1423 url=request.uri, ip=request.getClientIP() | |
| 1424 ) | |
| 1425 ) | |
| 1426 self.pageError(request, C.HTTP_FORBIDDEN) | |
| 1427 try: | 1432 try: |
| 1428 ret = await asDeferred(self.on_data_post, self, request) | 1433 ret = await asDeferred(self.on_data_post, self, request) |
| 1429 except exceptions.DataError as e: | 1434 except exceptions.DataError as e: |
| 1430 # something is wrong with the posted data, we re-display the page with a | 1435 # something is wrong with the posted data, we re-display the page with a |
| 1431 # warning notification | 1436 # warning notification |