3 v^k5@s*dZddlZddlZddlZddlmZddlmZddlm Z m Z ddl m Z ddl mZddlmZmZdd lmZdd lmZdd lmZejd Zd ZdZdZdZdZdZdZ de Z!ej"ej#Z$dZ%ddZ&ddZ'ddZ(ddZ)ddZ*d d!Z+d"d#Z,d$d%Z-d&d'Z.Gd(d)d)eZ/dS)*z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. N)urlparse)settings)DisallowedHostImproperlyConfigured) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)is_same_domain) log_responsezdjango.security.csrfz%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.z CSRF token missing or incorrect.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure. Z _csrftokencCs ttjS)z/Return the view to be used for CSRF rejections.)rrCSRF_FAILURE_VIEWrr:/usr/lib/python3.6/site-packages/django/middleware/csrf.py_get_failure_view$srcCs tttdS)N) allowed_chars)r CSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrrr_get_new_csrf_string)srcsPt}ttfdd|Dfdd|D}djfdd|D}||S)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a salt and using it to encrypt the secret. c3s|]}j|VqdS)N)index).0x)charsrr 4sz&_salt_cipher_secret..c3s&|]\}}||tVqdS)N)len)rry)rrrr5s)rrzipjoin)secretsaltpairscipherr)rr_salt_cipher_secret-s &r%csZ|dt}|td}ttfdd|Dfdd|D}djfdd|DS)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a salt), use it to decrypt the second half to produce the original secret. Nc3s|]}j|VqdS)N)r)rr)rrrrBsz'_unsalt_cipher_token..rc3s|]\}}||VqdS)Nr)rrr)rrrrCs)rrrr )tokenr"r#r)rr_unsalt_cipher_token9s   &r'cCs ttS)N)r%rrrrr_get_new_csrf_tokenFsr(cCs@d|jkr t}t||jd<nt|jd}d|jd<t|S)a Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor. CSRF_COOKIETCSRF_COOKIE_USED)METArr%r')requestZ csrf_secretrrr get_tokenJs  r-cCs|jjdtdd|_dS)zi Change the CSRF token in use for a request - should be done on login for security purposes. T)r*r)N)r+updater(csrf_cookie_needs_reset)r,rrr rotate_token]s r0cCs<tjd|rtSt|tkr"|St|tkr6t|StS)Nz [^a-zA-Z0-9])researchr(rCSRF_TOKEN_LENGTHrr%)r&rrr_sanitize_tokenis   r4cCstt|t|S)N)rr')request_csrf_token csrf_tokenrrr_compare_salted_tokenszsr7c@sHeZdZdZddZddZddZdd Zd d Zd d Z ddZ dS)CsrfViewMiddlewarez Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie. This middleware should be used in conjunction with the {% csrf_token %} template tag. cCs d|_dS)NT)csrf_processing_done)selfr,rrr_acceptszCsrfViewMiddleware._acceptcCs(t||d}td||j||td|S)N)reasonzForbidden (%s): %s)responser,logger)rr pathr>)r:r,r<r=rrr_rejectszCsrfViewMiddleware._rejectc CstjrDy |jjtStk r@tdtjdkr4dndYqXn@y|jtj }Wnt k rhdSXt |}||krd|_ |SdS)NzCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE%s.Z_CLASSESrT) rCSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorr MIDDLEWARECOOKIESCSRF_COOKIE_NAMEKeyErrorr4r/)r:r,Z cookie_tokenr6rrr _get_tokens zCsrfViewMiddleware._get_tokenc Csjtjr.|jjt|jdkrf|jd|jt<n8|jtj|jdtjtj tj tj tj tj dt|ddS)Nr))max_agedomainr?securehttponlysamesiteCookie)rP)rrArBrCrDr+ set_cookierHCSRF_COOKIE_AGECSRF_COOKIE_DOMAINCSRF_COOKIE_PATHCSRF_COOKIE_SECURECSRF_COOKIE_HTTPONLYCSRF_COOKIE_SAMESITEr)r:r,r=rrr _set_tokens zCsrfViewMiddleware._set_tokencCs |j|}|dk r||jd<dS)Nr))rJr+)r:r,r6rrrprocess_requests z"CsrfViewMiddleware.process_requestc st|ddrdSt|ddr dS|jdkrt|ddrB|j|S|jrP|jjd dkrl|j|tStd j j fkr|j|t Sj d kr|j|t St jrt jnt j}|dk r|j}|dkrd||f}n$y |j}Wntk rYnXtt j}|dk r |j|tfdd|DsPtj}|j||S|jjd} | dkrr|j|tSd } |jdkry|jjdd } Wntk rYnX| d kr|jjt jd } t| } t| | s|j|t S|j|S)Nr9FZ csrf_exemptGETHEADOPTIONSTRACEZ_dont_enforce_csrf_checksZ HTTP_REFERERrhttps44380z%s:%sc3s|]}tj|VqdS)N)r netloc)rhost)refererrrrsz2CsrfViewMiddleware.process_view..r)POSTZcsrfmiddlewaretoken)rZr[r\r])r_r`)!getattrmethodr; is_securer+rCr@REASON_NO_REFERERrschemeraREASON_MALFORMED_REFERERREASON_INSECURE_REFERERrrASESSION_COOKIE_DOMAINrSget_portget_hostrlistCSRF_TRUSTED_ORIGINSappendanyREASON_BAD_REFERERgeturlREASON_NO_CSRF_COOKIErdOSErrorCSRF_HEADER_NAMEr4r7REASON_BAD_TOKEN) r:r,callbackZ callback_argsZcallback_kwargsZ good_referer server_portZ good_hostsr<r6r5r)rcr process_views^                         zCsrfViewMiddleware.process_viewcCsDt|ddst|ddr|S|jjdds.|S|j||d|_|S)Nr/Fcsrf_cookie_setr*T)rer+rCrXr|)r:r,r=rrrprocess_response:s   z#CsrfViewMiddleware.process_responseN) __name__ __module__ __qualname____doc__r;r@rJrXrYr{r}rrrrr8s mr8)0rloggingr1string urllib.parser django.confrdjango.core.exceptionsrr django.urlsrZdjango.utils.cacherdjango.utils.cryptorr django.utils.deprecationr django.utils.httpr django.utils.logr getLoggerr>rhrsrurxrjrkrr3 ascii_lettersdigitsrrDrrr%r'r(r-r0r4r7r8rrrrsB