Added csrf token to login

absurdo 2023-07-21 17:57:18 +02:00
parent 24b3d40fb6
commit f2948c74ff
3 changed files with 24 additions and 2 deletions


@ -3,7 +3,7 @@
from paramecio2.libraries.db import corefields from paramecio2.libraries.db import corefields
from paramecio2.libraries.db.coreforms import PasswordForm from paramecio2.libraries.db.coreforms import PasswordForm
from paramecio2.libraries.i18n import I18n from paramecio2.libraries.i18n import I18n
from flask import session from flask import session, request, abort
from paramecio2.libraries.keyutils import create_key_encrypt from paramecio2.libraries.keyutils import create_key_encrypt
# Need unittest # Need unittest
@ -210,3 +210,11 @@ def generate_csrf():
return session['csrf_token'] return session['csrf_token']
def check_csrf(name_csrf_token='csrf_token'):
csrf_token=session.get('csrf_token', '')
if csrf_token=='' or csrf_token!=request.form.get(name_csrf_token):
abort(404)
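Review bot: The token comparison in `check_csrf` uses `!=`, which stops at the first differing character; a constant-time comparison is the usual choice for a secret, e.g. `if not csrf_token or not hmac.compare_digest(csrf_token, request.form.get(name_csrf_token, '')):` with `import hmac` added to the file's imports (the `''` default keeps both operands `str`, which `compare_digest` requires). Aborting with 404 also disguises a rejected request as a missing page; 403 would make failed CSRF checks distinguishable in access logs. The function has no docstring; a one-liner such as `"""Abort the request unless form field *name_csrf_token* equals the token stored in the session."""` would state the contract. Only the `return` line of `generate_csrf` is visible here, so its body starts outside the hunk.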


@ -13,6 +13,7 @@ import copy
from os import path from os import path
from paramecio2.modules.admin import admin_app, t from paramecio2.modules.admin import admin_app, t
from paramecio2.libraries.sendmail import SendMail from paramecio2.libraries.sendmail import SendMail
from paramecio2.libraries.formsutils import check_csrf
yes_recovery_login=False yes_recovery_login=False
email_address='localhost' email_address='localhost'
@ -66,6 +67,12 @@ def admin_prepare():
return redirect(url_redirect) return redirect(url_redirect)
"""
if request.method=='POST':
check_csrf()
"""
@admin_app.after_request @admin_app.after_request
def admin_finished(response): def admin_finished(response):
@ -187,6 +194,8 @@ def login():
if request.method=='POST': if request.method=='POST':
check_csrf()
username=request.form['username'] username=request.form['username']
password=request.form['password'] password=request.form['password']
@ -279,6 +288,8 @@ def signup():
if request.method=='POST': if request.method=='POST':
check_csrf()
user_admin.conditions=['WHERE privileges=%s', [2]] user_admin.conditions=['WHERE privileges=%s', [2]]
forms=dict(request.form) forms=dict(request.form)
@ -337,6 +348,8 @@ def auth_check():
error=1 error=1
check_csrf()
if 'login_admin' in session: if 'login_admin' in session:
code=request.form.get('code', '') code=request.form.get('code', '')
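Review bot: In the `auth_check` hunk `check_csrf()` is called unconditionally right after `error=1`, whereas `login` and `signup` call it only inside `if request.method=='POST':`; if this route also accepts GET (its decorator is outside the hunk, so this is inferred), a GET carries no form data and would be aborted with 404 before anything else runs. Either guard it like the other two views, `if request.method=='POST': check_csrf()`, or add a comment stating that the route is POST-only. The `admin_prepare` hunk leaves a `"""`-quoted call to `check_csrf()` behind as disabled code; it should be either enabled or removed rather than committed in that form. Both `admin_prepare` and `auth_check` start outside their hunks.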


@ -8,6 +8,7 @@
<div class="form"> <div class="form">
<p align="center">${lang('admin', 'check_your_email', 'Check your email for get instructions for complete login with double auth or')} <a href="${url_for('.logout')}">logout</a> and login again with other user</p> <p align="center">${lang('admin', 'check_your_email', 'Check your email for get instructions for complete login with double auth or')} <a href="${url_for('.logout')}">logout</a> and login again with other user</p>
<p><label>${lang('admin', 'code', 'Code')} *</label><input type="text" class="" name="code" id="code_form" value="" /> <span class="error" id="code_error"></span></p> <p><label>${lang('admin', 'code', 'Code')} *</label><input type="text" class="" name="code" id="code_form" value="" /> <span class="error" id="code_error"></span></p>
${csrf_token()|n}
</div> </div>
<div id="submit_block"> <div id="submit_block">
<input type="submit" value="${lang('common', 'send_code', 'Send code')}" class="submit" id="code_submit"/> <input type="submit" value="${lang('common', 'send_code', 'Send code')}" class="submit" id="code_submit"/>
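Review bot: Only this one form gains `${csrf_token()|n}`, yet the same commit makes `login` and `signup` abort any POST that lacks the token; the diffstat lists three files, so unless those templates already render the token (not visible here) every login and signup submission will now fail with 404. Those templates should be checked before this is merged. The `|n` filter disables escaping, so it is only appropriate if `csrf_token()` returns markup built from the session value and not from any request-controlled input.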