Mercurial > libervia-web
comparison src/server/constants.py @ 956:dabecab10faa
server (pages): impleted CSRF protection:
A basic CSRF protection has been implemented using CSRF token. The token is created on session creation, and checked on data post.
The process should be fully automatic, and a hidden field is added in forms in sat_templates when csrf_token is present in template data (require to import input/form.html with context).
If token is wrong on absent, an unauthorized error page is returned (and client ip is logged).
Also don't use anymore inlineCallbacks in _on_data_post, as StopIteration exception are catched by inlineCallbacks, resulting in bad behaviour. As a further security, getPostedDate raise a KeyError instead of StopIteration is a specific key is looked for and missing.
Added HTTP_SEE_OTHER status code in constants.
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Mon, 10 Jul 2017 19:10:31 +0200 (2017-07-10) |
| parents | a21fee7e30ee |
| children | 67bf14c91d5c |
comparison
equal
deleted
inserted
replaced
| 955:4f7cb6335a33 | 956:dabecab10faa |
|---|---|
| 61 ## HTTP methods ## | 61 ## HTTP methods ## |
| 62 HTTP_METHOD_GET = u'GET' | 62 HTTP_METHOD_GET = u'GET' |
| 63 HTTP_METHOD_POST = u'POST' | 63 HTTP_METHOD_POST = u'POST' |
| 64 | 64 |
| 65 ## HTTP codes ## | 65 ## HTTP codes ## |
| 66 HTTP_SEE_OTHER = 303 | |
| 66 HTTP_BAD_REQUEST = 400 | 67 HTTP_BAD_REQUEST = 400 |
| 67 HTTP_UNAUTHORIZED = 401 | 68 HTTP_UNAUTHORIZED = 401 |
| 68 HTTP_NOT_FOUND = 404 | 69 HTTP_NOT_FOUND = 404 |
| 69 HTTP_INTERNAL_ERROR = 500 | 70 HTTP_INTERNAL_ERROR = 500 |
| 70 HTTP_SERVICE_UNAVAILABLE = 503 | 71 HTTP_SERVICE_UNAVAILABLE = 503 |