vÅÏ^k5ã@s¥dZddlZddlZddlZddlmZddlmZddlm Z m Z ddl m Z ddl mZddlmZmZdd lmZdd lmZdd lmZejd ƒZd ZdZdZdZdZdZdZ de Z!ej"ej#Z$dZ%dd„Z&dd„Z'dd„Z(dd„Z)dd„Z*d d!„Z+d"d#„Z,d$d%„Z-d&d'„Z.Gd(d)„d)eƒZ/dS)*z’ Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. éN)Úurlparse)Úsettings)ÚDisallowedHostÚImproperlyConfigured)Ú get_callable)Úpatch_vary_headers)Úconstant_time_compareÚget_random_string)ÚMiddlewareMixin)Úis_same_domain)Ú log_responsezdjango.security.csrfz%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.z CSRF token missing or incorrect.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.é éZ _csrftokencCs ttjƒS)z/Return the view to be used for CSRF rejections.)rrZCSRF_FAILURE_VIEW©rrú8/tmp/pip-build-8lau8j11/django/django/middleware/csrf.pyÚ_get_failure_view$srcCsttdtƒS)NÚ allowed_chars)r ÚCSRF_SECRET_LENGTHÚCSRF_ALLOWED_CHARSrrrrÚ_get_new_csrf_string)srcsntƒ}t‰t‡fdd†|Dƒ‡fdd†|Dƒƒ}dj‡fdd†|Dƒƒ}||S)z’ Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a salt and using it to encrypt the secret. c3s|]}ˆj|ƒVqdS)N)Úindex)Ú.0Úx)Úcharsrrú 4sz&_salt_cipher_secret..Úc3s-|]#\}}ˆ||tˆƒVqdS)N)Úlen)rrÚy)rrrr5s)rrÚzipÚjoin)ZsecretÚsaltÚpairsÚcipherr)rrÚ_salt_cipher_secret-s  5"r#cs{|dt…}|td…}t‰t‡fdd†|Dƒ‡fdd†|Dƒƒ}dj‡fdd†|DƒƒS)zÑ Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a salt), use it to decrypt the second half to produce the original secret. Nc3s|]}ˆj|ƒVqdS)N)r)rr)rrrrBsz'_unsalt_cipher_token..rc3s#|]\}}ˆ||VqdS)Nr)rrr)rrrrCs)rrrr)Útokenr r!r)rrÚ_unsalt_cipher_token9s 5r%cCs ttƒƒS)N)r#rrrrrÚ_get_new_csrf_tokenFsr&cCsXd|jkr.tƒ}t|ƒ|jdtƒ|d|ƒ}td||jd|d|dtƒ|S)NÚreasonzForbidden (%s): %sÚresponser*Úlogger)rr Úpathr<)r8r*r:r;rrrÚ_reject”szCsrfViewMiddleware._rejectc Cs°tjrZy|jjtƒSWq¬tk rVtdtjdkrHdndƒ‚Yq¬XnRy|jtj }Wnt k r†dSYnXt |ƒ}||kr¨d|_ |SdS)Nz†CSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE%s.Z_CLASSESrT) rÚCSRF_USE_SESSIONSÚsessionÚgetÚCSRF_SESSION_KEYÚAttributeErrorrZ MIDDLEWAREZCOOKIESÚCSRF_COOKIE_NAMEÚKeyErrorr2r-)r8r*Z cookie_tokenr4rrrÚ _get_tokenžs  '     zCsrfViewMiddleware._get_tokencCs tjr?|jjtƒ|jdkrœ|jd|jt.r'ÚPOSTZcsrfmiddlewaretoken)zGETzHEADzOPTIONSzTRACE)rTz80)!ÚgetattrÚmethodr9Z is_securer)rAr>ÚREASON_NO_REFERERrÚschemerVÚREASON_MALFORMED_REFERERÚREASON_INSECURE_REFERERrr?ZSESSION_COOKIE_DOMAINrLZget_portÚget_hostrÚlistZCSRF_TRUSTED_ORIGINSÚappendÚanyÚREASON_BAD_REFERERÚgeturlÚREASON_NO_CSRF_COOKIErYÚOSErrorZCSRF_HEADER_NAMEr2r5ÚREASON_BAD_TOKEN) r8r*ÚcallbackÚ callback_argsÚcallback_kwargsZ good_refererZ server_portZ good_hostsr:r4r3r)rXrÚ process_viewÍs^               zCsrfViewMiddleware.process_viewcCs^t|ddƒs(t|ddƒr(|S|jjddƒsA|S|j||ƒd|_|S)Nr-FÚcsrf_cookie_setr(T)rZr)rArMrm)r8r*r;rrrÚprocess_response:s z#CsrfViewMiddleware.process_responseN) Ú__name__Ú __module__Ú __qualname__Ú__doc__r9r>rFrMrNrlrnrrrrr6ƒs      mr6)0rrÚloggingr/ÚstringÚ urllib.parserZ django.confrZdjango.core.exceptionsrrZ django.urlsrZdjango.utils.cacherZdjango.utils.cryptorr Zdjango.utils.deprecationr Zdjango.utils.httpr Zdjango.utils.logr Ú getLoggerr<r\rdrfrhr^r_rr1Ú ascii_lettersÚdigitsrrBrrr#r%r&r+r.r2r5r6rrrrÚsB