/usr/lib/python2.7/dist-packages/flask_wtf/csrf.py is in python-flaskext.wtf 0.12-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# coding: utf-8
"""
flask_wtf.csrf
~~~~~~~~~~~~~~
CSRF protection for Flask.
:copyright: (c) 2013 by Hsiaoming Yang.
"""
import os
import hmac
import hashlib
import time
from flask import Blueprint
from flask import current_app, session, request, abort
from werkzeug.security import safe_str_cmp
from ._compat import to_bytes, string_types
try:
from urlparse import urlparse
except ImportError:
# python 3
from urllib.parse import urlparse
# Public surface of the module; same_origin() below is an internal helper.
__all__ = ('generate_csrf', 'validate_csrf', 'CsrfProtect')
def generate_csrf(secret_key=None, time_limit=None):
    """Return a CSRF token bound to the current session.

    The token is ``"<expires>##<hmac>"`` where ``expires`` is a unix
    timestamp (empty when expiry is disabled) and ``hmac`` is the hex
    HMAC-SHA1 of ``session['csrf_token'] + expires`` under *secret_key*.
    The per-session random value is created on first call and reused, so
    every token issued during a session verifies against the same value.

    :param secret_key: Key for the HMAC; defaults to the
        ``WTF_CSRF_SECRET_KEY`` setting and then ``Flask.secret_key``.
    :param time_limit: Seconds until the token expires; defaults to the
        ``WTF_CSRF_TIME_LIMIT`` setting (3600).  A falsy value disables
        expiry.
    :raises Exception: if no secret key is available.
    """
    key = secret_key or current_app.config.get(
        'WTF_CSRF_SECRET_KEY', current_app.secret_key
    )
    if not key:
        raise Exception('Must provide secret_key to use csrf.')

    ttl = time_limit
    if ttl is None:
        ttl = current_app.config.get('WTF_CSRF_TIME_LIMIT', 3600)

    # Per-session random value: 64 bytes from os.urandom, hashed to a
    # 40-char hex id so it is cookie-safe.
    if 'csrf_token' not in session:
        session['csrf_token'] = hashlib.sha1(os.urandom(64)).hexdigest()
    session_token = session['csrf_token']

    # The timestamp is both carried in the token and covered by the HMAC,
    # so a client cannot extend it without invalidating the signature.
    expires = int(time.time() + ttl) if ttl else ''
    signed_payload = '%s%s' % (session_token, expires)

    signature = hmac.new(
        to_bytes(key),
        to_bytes(signed_payload),
        digestmod=hashlib.sha1,
    ).hexdigest()
    return '%s##%s' % (expires, signature)
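def validate_csrf(data, secret_key=None, time_limit=None):
    """Check whether *data* is a CSRF token issued for the current session.

    The expected format is the one produced by :func:`generate_csrf`:
    ``"<expires>##<hmac>"``.  Validation fails closed: a missing, malformed,
    expired or wrongly signed value yields ``False``.

    :param data: The token value submitted with the request.
    :param secret_key: Key used for the HMAC; defaults to the
        ``WTF_CSRF_SECRET_KEY`` setting and then ``Flask.secret_key``.
    :param time_limit: Whether tokens expire; defaults to the
        ``WTF_CSRF_TIME_LIMIT`` setting (3600).  A falsy value skips the
        expiry check and the ``expires`` field is then only HMAC input.
    :returns: ``True`` when the signature matches, ``False`` otherwise.
    :raises Exception: when no secret key is configured, mirroring
        :func:`generate_csrf` instead of signing with an empty key.
    """
    if not data or '##' not in data:
        return False

    # '##' is known to be present, so the split always yields two parts.
    expires, hmac_csrf = data.split('##', 1)

    if time_limit is None:
        time_limit = current_app.config.get('WTF_CSRF_TIME_LIMIT', 3600)

    if time_limit:
        try:
            expires = int(expires)
        except ValueError:
            return False
        # Expiry is checked on the parsed value; the HMAC below is computed
        # over the same canonical integer that generate_csrf signed.
        if int(time.time()) > expires:
            return False

    if not secret_key:
        secret_key = current_app.config.get(
            'WTF_CSRF_SECRET_KEY', current_app.secret_key
        )
    if not secret_key:
        raise Exception('Must provide secret_key to use csrf.')

    # No per-session value means no token was ever issued for this session.
    if 'csrf_token' not in session:
        return False

    # Recompute the signature and compare in constant time; hmac_csrf is
    # attacker-controlled input.
    csrf_build = '%s%s' % (session['csrf_token'], expires)
    hmac_compare = hmac.new(
        to_bytes(secret_key),
        to_bytes(csrf_build),
        digestmod=hashlib.sha1
    ).hexdigest()
    return safe_str_cmp(hmac_compare, hmac_csrf)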
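class CsrfProtect(object):
    """Enable CSRF protection for a Flask application.

    Register it with::

        app = Flask(__name__)
        CsrfProtect(app)

    And in the templates, add the token input::

        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>

    If you need to send the token via AJAX, and there is no form::

        <meta name="csrf_token" content="{{ csrf_token() }}" />

    You can grab the csrf token with JavaScript and send it in one of the
    ``WTF_CSRF_HEADERS`` headers.

    Configuration keys (defaults are installed by :meth:`init_app`):

    * ``WTF_CSRF_ENABLED`` -- master switch (default ``True``).
    * ``WTF_CSRF_CHECK_DEFAULT`` -- install the ``before_request`` hook
      (default ``True``); with ``False`` call :meth:`protect` yourself.
    * ``WTF_CSRF_METHODS`` -- methods that are checked
      (default ``['POST', 'PUT', 'PATCH']``).
    * ``WTF_CSRF_HEADERS`` -- header names searched for the token
      (default ``['X-CSRFToken', 'X-CSRF-Token']``).
    * ``WTF_CSRF_SSL_STRICT`` -- additionally require a same-origin
      ``Referer`` on HTTPS requests (default ``True``).
    """

    def __init__(self, app=None):
        # Exempt views are stored as "module.name" strings and blueprints by
        # name, so exemptions can be registered before an app is attached.
        self._exempt_views = set()
        self._exempt_blueprints = set()
        if app:
            self.init_app(app)

    def init_app(self, app):
        """Attach to *app*: template helper, config defaults, request hook.

        :param app: The :class:`flask.Flask` application.
        """
        self._app = app
        app.jinja_env.globals['csrf_token'] = generate_csrf
        app.config.setdefault(
            'WTF_CSRF_HEADERS', ['X-CSRFToken', 'X-CSRF-Token']
        )
        app.config.setdefault('WTF_CSRF_SSL_STRICT', True)
        app.config.setdefault('WTF_CSRF_ENABLED', True)
        app.config.setdefault('WTF_CSRF_CHECK_DEFAULT', True)
        app.config.setdefault('WTF_CSRF_METHODS', ['POST', 'PUT', 'PATCH'])

        # expose csrf_token as a helper in all templates
        @app.context_processor
        def csrf_token():
            return dict(csrf_token=generate_csrf)

        if not app.config['WTF_CSRF_ENABLED']:
            return

        if not app.config['WTF_CSRF_CHECK_DEFAULT']:
            return

        @app.before_request
        def _csrf_protect():
            # many things come from django.middleware.csrf
            if request.method not in app.config['WTF_CSRF_METHODS']:
                return

            if self._exempt_views or self._exempt_blueprints:
                if not request.endpoint:
                    return

                view = app.view_functions.get(request.endpoint)
                if not view:
                    return

                dest = '%s.%s' % (view.__module__, view.__name__)
                if dest in self._exempt_views:
                    return

                if request.blueprint in self._exempt_blueprints:
                    return

            # protect() returns None on success and the error handler's
            # return value on failure.  That value must be *returned* from
            # this hook: a before_request return short-circuits the view,
            # whereas discarding it would let a request with a bad token
            # fall through to the view whenever a custom error_handler
            # returns a response instead of raising.
            return self.protect()

    def _get_csrf_token(self):
        """Return the submitted token, or ``None`` if the request has none.

        The form is searched first for any field whose name ends in
        ``csrf_token`` (a prefixed form names it ``{prefix}-csrf_token``),
        then the headers listed in ``WTF_CSRF_HEADERS``.
        """
        for key in request.form:
            if key.endswith('csrf_token'):
                csrf_token = request.form[key]
                if csrf_token:
                    return csrf_token

        for header_name in self._app.config['WTF_CSRF_HEADERS']:
            csrf_token = request.headers.get(header_name)
            if csrf_token:
                return csrf_token

        return None

    def protect(self):
        """Run the CSRF check for the current request.

        Returns ``None`` when the request passes (and sets
        ``request.csrf_valid = True``) or when its method is not in
        ``WTF_CSRF_METHODS``.  On failure it returns whatever the error
        handler returns; the default handler aborts with 400 and never
        returns.  Code calling this directly (e.g. with
        ``WTF_CSRF_CHECK_DEFAULT = False``) must return the result from its
        ``before_request`` hook so a failed check blocks the view.
        """
        if request.method not in self._app.config['WTF_CSRF_METHODS']:
            return

        if not validate_csrf(self._get_csrf_token()):
            reason = 'CSRF token missing or incorrect.'
            return self._error_response(reason)

        # Referer check, applied to HTTPS requests only (as in the Django
        # middleware this is modelled on).  The expected origin is derived
        # from request.host, i.e. the Host header.
        if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
            if not request.referrer:
                reason = 'Referrer checking failed - no Referrer.'
                return self._error_response(reason)

            good_referrer = 'https://%s/' % request.host
            if not same_origin(request.referrer, good_referrer):
                reason = 'Referrer checking failed - origin does not match.'
                return self._error_response(reason)

        request.csrf_valid = True  # mark this request is csrf valid

    def exempt(self, view):
        """A decorator that can exclude a view from csrf protection.

        Remember to put the decorator above the `route`::

            csrf = CsrfProtect(app)

            @csrf.exempt
            @app.route('/some-view', methods=['POST'])
            def some_view():
                return

        Accepts a view function, a dotted ``"module.name"`` string, or a
        :class:`flask.Blueprint` (exempting every view on it).  The argument
        is returned unchanged so it works as a decorator.
        """
        if isinstance(view, Blueprint):
            self._exempt_blueprints.add(view.name)
            return view

        if isinstance(view, string_types):
            view_location = view
        else:
            view_location = '%s.%s' % (view.__module__, view.__name__)

        self._exempt_views.add(view_location)
        return view

    def _error_response(self, reason):
        """Default failure handler: abort the request with HTTP 400."""
        return abort(400, reason)

    def error_handler(self, view):
        """A decorator that sets the error response handler.

        It accepts one parameter `reason`::

            @csrf.error_handler
            def csrf_error(reason):
                return render_template('error.html', reason=reason)

        By default, it will return a 400 response.  A custom handler must
        either raise or return a response object; that value is propagated
        out of the ``before_request`` hook so the protected view does not
        run.  A handler that returns ``None`` lets the request continue as
        if the check had passed.
        """
        self._error_response = view
        return view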
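def same_origin(current_uri, compare_uri):
    """Return True when two URLs share scheme, host and port.

    Used by :meth:`CsrfProtect.protect` to compare the ``Referer`` header
    against ``https://<request.host>/``.  The comparison is strict and fails
    closed:

    * ``hostname`` is compared case-insensitively (``urlparse`` lowercases
      it); a URL with no host is never same-origin.
    * ``port`` is compared literally, so an explicit default port
      (``https://h:443/``) does not match an implicit one (``https://h/``).
    * A port that is not a valid integer (``https://h:abc/``) counts as a
      different origin instead of letting ``urlparse`` raise ``ValueError``
      out of the request hook.

    :param current_uri: The URL under test, e.g. the Referer header.
    :param compare_uri: The URL of the expected origin.
    """
    parsed_uri = urlparse(current_uri)
    parsed_compare = urlparse(compare_uri)

    if parsed_uri.scheme != parsed_compare.scheme:
        return False

    if parsed_uri.hostname is None:
        return False
    if parsed_uri.hostname != parsed_compare.hostname:
        return False

    try:
        # .port parses the netloc lazily and raises ValueError on garbage;
        # the Referer is client-supplied, so treat a bad port as a mismatch.
        return parsed_uri.port == parsed_compare.port
    except ValueError:
        return False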