/usr/lib/python2.7/dist-packages/pylons/decorators/secure.py is in python-pylons 1.0.1-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 | """Security related decorators"""
import logging
import urlparse
from decorator import decorator
try:
import webhelpers.html.secure_form as secure_form
except ImportError:
import webhelpers.pylonslib.secure_form as secure_form
from pylons.controllers.util import abort, redirect
from pylons.decorators.util import get_pylons
__all__ = ['authenticate_form', 'https']
log = logging.getLogger(__name__)
csrf_detected_message = (
"Cross-site request forgery detected, request denied. See "
"http://en.wikipedia.org/wiki/Cross-site_request_forgery for more "
"information.")
def authenticated_form(params):
submitted_token = params.get(secure_form.token_key)
return submitted_token is not None and \
submitted_token == secure_form.authentication_token()
@decorator
def authenticate_form(func, *args, **kwargs):
"""Decorator for authenticating a form
This decorator uses an authorization token stored in the client's
session for prevention of certain Cross-site request forgery (CSRF)
attacks (See
http://en.wikipedia.org/wiki/Cross-site_request_forgery for more
information).
For use with the ``webhelpers.html.secure_form`` helper functions.
"""
request = get_pylons(args).request
if authenticated_form(request.params):
try:
del request.POST[secure_form.token_key]
except KeyError:
del request.GET[secure_form.token_key]
return func(*args, **kwargs)
else:
log.warn('Cross-site request forgery detected, request denied: %r '
'REMOTE_ADDR: %s' % (request, request.remote_addr))
abort(403, detail=csrf_detected_message)
def https(url_or_callable=None):
"""Decorator to redirect to the SSL version of a page if not
currently using HTTPS. Apply this decorator to controller methods
(actions).
Takes a url argument: either a string url, or a callable returning a
string url. The callable will be called with no arguments when the
decorated method is called. The url's scheme will be rewritten to
https if necessary.
Non-HTTPS POST requests are aborted (405 response code) by this
decorator.
Example:
.. code-block:: python
# redirect to HTTPS /pylons
@https('/pylons')
def index(self):
do_secure()
# redirect to HTTPS /auth/login, delaying the url() call until
# later (as the url object may not be functional when the
# decorator/method are defined)
@https(lambda: url(controller='auth', action='login'))
def login(self):
do_secure()
# redirect to HTTPS version of myself
@https()
def get(self):
do_secure()
"""
def wrapper(func, *args, **kwargs):
"""Decorator Wrapper function"""
request = get_pylons(args).request
if request.scheme.lower() == 'https':
return func(*args, **kwargs)
if request.method.upper() == 'POST':
# don't allow POSTs (raises an exception)
abort(405, headers=[('Allow', 'GET')])
if url_or_callable is None:
url = request.url
elif callable(url_or_callable):
url = url_or_callable()
else:
url = url_or_callable
# Ensure an https scheme, which also needs a host
parts = urlparse.urlparse(url)
url = urlparse.urlunparse(('https', parts[1] or request.host) +
parts[2:])
log.debug('Redirecting non-https request: %s to: %s',
request.path_info, url)
redirect(url)
return decorator(wrapper)
|