B `2@sddlmZddlZddlmZddlmZddlmZm Z ddl m Z ddl m Z ddlmZmZmZmZmZee Gd d d Zee Gd d d Zee Gd ddZddZddZdddZddddddZdS))urlparseN) CookieProfile) implementer) BadCSRFOrigin BadCSRFToken)ICSRFStoragePolicy)aslist)SimpleSerializerbytes_is_same_domainstrings_differtext_c@s(eZdZdZddZddZddZdS) LegacySessionCSRFStoragePolicyaA CSRF storage policy that defers control of CSRF storage to the session. This policy maintains compatibility with legacy ISession implementations that know how to manage CSRF tokens themselves via ``ISession.new_csrf_token`` and ``ISession.get_csrf_token``. Note that using this CSRF implementation requires that a :term:`session factory` is configured. .. versionadded:: 1.9 cCs |jS)z8 Sets a new CSRF token into the session and returns it. )sessionnew_csrf_token)selfrequestrT/home/kop/projects/devel/pgwui/test_venv/lib/python3.7/site-packages/pyramid/csrf.pyr"sz-LegacySessionCSRFStoragePolicy.new_csrf_tokencCs |jS)zaReturns the currently active CSRF token from the session, generating a new one if needed.)rget_csrf_token)rrrrrr&sz-LegacySessionCSRFStoragePolicy.get_csrf_tokencCs||}tt|t| S)z5 Returns ``True`` if the ``supplied_token`` is valid.)rr r )rrsupplied_tokenexpected_tokenrrrcheck_csrf_token+s z/LegacySessionCSRFStoragePolicy.check_csrf_tokenN)__name__ __module__ __qualname____doc__rrrrrrrrsrc@s>eZdZdZeddZdddZddZd d Zd d Z d S)SessionCSRFStoragePolicya3A CSRF storage policy that persists the CSRF token in the session. Note that using this CSRF implementation requires that a :term:`session factory` is configured. ``key`` The session key where the CSRF token will be stored. Default: `_csrft_`. .. versionadded:: 1.9 cCsttjS)N)r uuiduuid4hexrrrrCz!SessionCSRFStoragePolicy._csrft_cCs ||_dS)N)key)rr$rrr__init__Esz!SessionCSRFStoragePolicy.__init__cCs|}||j|j<|S)z8 Sets a new CSRF token into the session and returns it. )_token_factoryrr$)rrtokenrrrrHs z'SessionCSRFStoragePolicy.new_csrf_tokencCs"|j|jd}|s||}|S)zaReturns the currently active CSRF token from the session, generating a new one if needed.N)rgetr$r)rrr'rrrrNs z'SessionCSRFStoragePolicy.get_csrf_tokencCs||}tt|t| S)z5 Returns ``True`` if the ``supplied_token`` is valid.)rr r )rrrrrrrrVs z)SessionCSRFStoragePolicy.check_csrf_tokenN)r#) rrrr staticmethodr&r%rrrrrrrr3s   rc@s>eZdZdZeddZdd d Zd d Zd dZddZ dS)CookieCSRFStoragePolicyaAAn alternative CSRF implementation that stores its information in unauthenticated cookies, known as the 'Double Submit Cookie' method in the `OWASP CSRF guidelines `_. This gives some additional flexibility with regards to scaling as the tokens can be generated and verified by a front-end server. .. versionadded:: 1.9 .. versionchanged: 1.10 Added the ``samesite`` option and made the default ``'Lax'``. cCsttjS)N)r rrr rrrrr!pr"z CookieCSRFStoragePolicy. csrf_tokenFN/Laxc Cs(t||||||gt|d|_||_dS)N) cookie_namesecuremax_agehttponlypathdomains serializersamesite)rr cookie_profiler.)rr.r/r1domainr0r2r5rrrr%rs  z CookieCSRFStoragePolicy.__init__cs0|jj<fdd}||S)z8 Sets a new CSRF token into the request and returns it. csj|dS)N)r6Z set_cookies)rresponse)rr'rr set_cookiesz:CookieCSRFStoragePolicy.new_csrf_token..set_cookie)r&cookiesr.Zadd_response_callback)rrr9r)rr'rrs   z&CookieCSRFStoragePolicy.new_csrf_tokencCs&|j|}|}|s"||}|S)zfReturns the currently active CSRF token by checking the cookies sent with the current request.)r6bind get_valuer)rrZ bound_cookiesr'rrrrs   z&CookieCSRFStoragePolicy.get_csrf_tokencCs||}tt|t| S)z5 Returns ``True`` if the ``supplied_token`` is valid.)rr r )rrrrrrrrs z(CookieCSRFStoragePolicy.check_csrf_token)r+FFNNr,r-) rrrrr)r&r%rrrrrrrr*^s    r*cCs|j}|t}||S)aGet the currently active CSRF token for the request passed, generating a new one using ``new_csrf_token(request)`` if one does not exist. This calls the equivalent method in the chosen CSRF protection implementation. .. versionadded :: 1.9 )registry getUtilityrr)rr=csrfrrrrs rcCs|j}|t}||S)zGenerate a new CSRF token for the request passed and persist it in an implementation defined manner. This calls the equivalent method in the chosen CSRF protection implementation. .. versionadded :: 1.9 )r=r>rr)rr=r?rrrrs rr+ X-CSRF-TokenTcCshd}|dk r|j|d}|dkr8|dk r8|j|d}|jt}||t|sd|r`tddSdS)aCheck the CSRF token returned by the :class:`pyramid.interfaces.ICSRFStoragePolicy` implementation against the value in ``request.POST.get(token)`` (if a POST request) or ``request.headers.get(header)``. If a ``token`` keyword is not supplied to this function, the string ``csrf_token`` will be used to look up the token in ``request.POST``. If a ``header`` keyword is not supplied to this function, the string ``X-CSRF-Token`` will be used to look up the token in ``request.headers``. If the value supplied by post or by header cannot be verified by the :class:`pyramid.interfaces.ICSRFStoragePolicy`, and ``raises`` is ``True``, this function will raise an :exc:`pyramid.exceptions.BadCSRFToken` exception. If the values differ and ``raises`` is ``False``, this function will return ``False``. If the CSRF check is successful, this function will return ``True`` unconditionally. See :ref:`auto_csrf_checking` for information about how to secure your application automatically against CSRF attacks. .. versionadded:: 1.4a2 .. versionchanged:: 1.7a1 A CSRF token passed in the query string of the request is no longer considered valid. It must be passed in either the request body or a header. .. versionchanged:: 1.9 Moved from :mod:`pyramid.session` to :mod:`pyramid.csrf` and updated to use the configured :class:`pyramid.interfaces.ICSRFStoragePolicy` to verify the CSRF token. Nz!check_csrf_token(): Invalid tokenFT) headersr(POSTr=r>rrr r)rr'headerraisesrpolicyrrrrs$ rF)trusted_originsallow_no_originrEcsfdd}|jdkrdS|jd}d}|dkr>|j}d}n|dd }|s`|rXdS|d S|dkr|t|jjd g}|jd kr| d |n | |j |s|dkr||krdS|dSt |jdkr|dSt fdd|Ds|d |SdS)a9 Check the ``Origin`` of the request to see if it is a cross site request or not. If the value supplied by the ``Origin`` or ``Referer`` header isn't one of the trusted origins and ``raises`` is ``True``, this function will raise a :exc:`pyramid.exceptions.BadCSRFOrigin` exception, but if ``raises`` is ``False``, this function will return ``False`` instead. If the CSRF origin checks are successful this function will return ``True`` unconditionally. Additional trusted origins may be added by passing a list of domain (and ports if non-standard like ``['example.com', 'dev.example.com:8080']``) in with the ``trusted_origins`` parameter. If ``trusted_origins`` is ``None`` (the default) this list of additional domains will be pulled from the ``pyramid.csrf_trusted_origins`` setting. ``allow_no_origin`` determines whether to return ``True`` when the origin cannot be determined via either the ``Referer`` or ``Origin`` header. The default is ``False`` which will reject the check. Note that this function will do nothing if ``request.scheme`` is not ``https``. .. versionadded:: 1.7 .. versionchanged:: 1.9 Moved from :mod:`pyramid.session` to :mod:`pyramid.csrf` .. versionchanged:: 2.0 Added the ``allow_no_origin`` option. csrtd|ndSdS)NzOrigin checking failed - F)r)reason)rErr_failsz check_csrf_origin.._failhttpsTZOriginFN zmissing Origin or Referer.zpyramid.csrf_trusted_origins>44380z{0.domain}:{0.host_port}nullz(null does not match any trusted origins.z(Origin is insecure while host is secure.c3s|]}tj|VqdS)N)r netloc).0host)originprr isz$check_csrf_origin..z&{} does not match any trusted origins.)schemerBr(Zreferrersplitrr=settings host_portappendformatr7rany)rrGrHrErJoriginZorigin_is_referrerr)rTrErcheck_csrf_origins<$       r^)r+r@T) urllib.parserrZ webob.cookiesrZzope.interfacerZpyramid.exceptionsrrZpyramid.interfacesrZpyramid.settingsrZ pyramid.utilr r r r r rrr*rrrr^rrrrs      !+F  :