From 4149abcb363defe8e2b66517431c56106d4b74f0 Mon Sep 17 00:00:00 2001
From: Antonio de la Rosa
Date: Mon, 4 Apr 2016 01:59:26 +0200
Subject: [PATCH] Added support by default for reject csrf attacks to POST statements
---
 paramecio/citoplasma/httputils.py | 17 +++++++++++++++++
 paramecio/citoplasma/mtemplates.py | 9 +++++++--
 .../citoplasma/templates/forms/modelform.phtml | 1 +
 paramecio/cromosoma/formsutils.py | 17 +++++++++++++++++
 paramecio/modules/admin/index.py | 2 ++
 .../modules/admin/templates/admin/login.phtml | 2 +-
 6 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/paramecio/citoplasma/httputils.py b/paramecio/citoplasma/httputils.py
index d61c469..13844e8 100644
--- a/paramecio/citoplasma/httputils.py
+++ b/paramecio/citoplasma/httputils.py
@@ -1,6 +1,8 @@
 #!/usr/bin/python3
 from bottle import request
+from paramecio.citoplasma.sessions import get_session
+from paramecio.citoplasma.keyutils import create_key_encrypt
 class GetPostFiles:
@@ -28,6 +30,21 @@ class GetPostFiles:
 for post in required_post:
 GetPostFiles.post[post]=GetPostFiles.post.get(post, '')
+
+ s=get_session()
+
+ if 'csrf_token' in s:
+
+ GetPostFiles.post['csrf_token']=GetPostFiles.post.get('csrf_token', '')
+
+ if GetPostFiles.post['csrf_token']!=s['csrf_token']:
+
+ raise NameError('Error: you need a valid csrf_token')
+
+ else:
+ raise NameError('Error: you don\'t send any valid csrf_token')
+
+ #Check post_token
 @staticmethod
 def obtain_files():
diff --git a/paramecio/citoplasma/mtemplates.py b/paramecio/citoplasma/mtemplates.py
index 6f0d552..a863dfb 100644
--- a/paramecio/citoplasma/mtemplates.py
+++ b/paramecio/citoplasma/mtemplates.py
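Review bot: The token check `if GetPostFiles.post['csrf_token']!=s['csrf_token']:` is a plain string comparison and both failure paths raise `NameError`, which readers and any upstream handler will take for an undefined-name bug rather than a rejected request; use a constant-time compare and a dedicated exception type, e.g. `if not hmac.compare_digest(GetPostFiles.post['csrf_token'], s['csrf_token']):` with `import hmac` added at the top of the file, and raise something other than NameError in both branches. The `#Check post_token` comment sits after the check it describes and should move above `s=get_session()`; the `create_key_encrypt` import added in the first hunk is not used anywhere in this file's hunks. The enclosing method starts before this hunk, so I cannot see which callers now pass through the check.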
@@ -6,6 +6,7 @@ from mako.lookup import TemplateLookup
 from paramecio.citoplasma.urls import make_url, make_media_url, make_media_url_module, add_get_parameters
 from paramecio.citoplasma.i18n import I18n
 from paramecio.citoplasma.sessions import get_session
+from paramecio.cromosoma.formsutils import csrf_token
 from settings import config
 from os import path
@@ -68,6 +69,8 @@ class ptemplate:
 self.add_filter(add_get_parameters)
+
+ self.add_filter(csrf_token)
+
 I18n_lang=I18n.lang
 self.add_filter(I18n.lang)
@@ -261,10 +264,10 @@ def set_flash_message(message):
 s=get_session()
- s['flash']=s.get('flash', "")
- s['flash']=message
+ s.save()
+
 def show_flash_message():
 message=""
@@ -278,6 +281,8 @@ def show_flash_message():
 s['flash']=''
+ s.save()
+
 return message
 standard_t=ptemplate(__file__)
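Review bot: In the set_flash_message hunk the assignment `s['flash']=message` appears with a `-` prefix; if that line is really removed (rather than a removed blank line followed by the unchanged assignment, which the collapsed hunk makes ambiguous), the function now only does `s=get_session()` and `s.save()`, the message is never stored, and show_flash_message will always return an empty string. Please confirm the new side still reads `s['flash']=message` immediately before the added `s.save()`. The set_flash_message body starts before this hunk.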
@@ -36,6 +38,14 @@ def pass_values_to_form(post, arr_form, yes_error=True):
 def show_form(post, arr_form, t, yes_error=True, modelform_tpl='forms/modelform.phtml'):
+ # Create csrf_token in session
+
+ s=get_session()
+
+ s['csrf_token']=create_key_encrypt()
+
+ s.save()
+
 pass_values_to_form(post, arr_form, yes_error)
 return t.load_template(modelform_tpl, forms=arr_form)
@@ -60,4 +70,11 @@ def set_extra_forms_user(user_admin):
 def ini_fields(fields):
 pass
+def csrf_token():
+ s=get_session()
+ s['csrf_token']=create_key_encrypt()
+ s.save()
+
+ return ''
+
diff --git a/paramecio/modules/admin/index.py b/paramecio/modules/admin/index.py
index e024e25..ba49020 100644
--- a/paramecio/modules/admin/index.py
+++ b/paramecio/modules/admin/index.py
@@ -298,6 +298,8 @@ def logout():
 del s['login']
 del s['privileges']
+
+ s.save()
 if request.get_cookie("remember_login", secret=key_encrypt):
diff --git a/paramecio/modules/admin/templates/admin/login.phtml b/paramecio/modules/admin/templates/admin/login.phtml
index f96e949..d0b1b18 100644
--- a/paramecio/modules/admin/templates/admin/login.phtml
+++ b/paramecio/modules/admin/templates/admin/login.phtml
@@ -21,7 +21,7 @@ url: "${make_url('admin/login')}",
 method: "POST",
 dataType: "json",
- data: {'username': $('#username_form').val(), 'password': $('#password_form').val(), 'remember_login': $('#remember_login').val()}
+ data: {'username': $('#username_form').val(), 'password': $('#password_form').val(), 'remember_login': $('#remember_login').val(), 'csrf_token': $('#csrf_token').val()}
 }).done(function(data) {
 if(data.error==0)
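Review bot: `csrf_token()` returns `''`, so the `${csrf_token()|n}` call added to modelform.phtml emits nothing and the token written to the session never reaches the browser; the new check in httputils then compares the empty POST default against the session value and rejects every form, and the login page's added `$('#csrf_token').val()` has no element to read. The helper should render the hidden input, and it should reuse an existing token rather than overwrite it: both this function and the show_form hunk earlier in this file call `create_key_encrypt()` on every render, so show_form followed by the template call, or a page with two forms, invalidates the token the first form carries. The rewrite below generates a token only when the session lacks one and HTML-escapes it into the input (it needs `import html` at the top of the file); the same `if 'csrf_token' not in s:` guard belongs around the assignment in the show_form hunk.
```python
def csrf_token():
    s=get_session()
    if 'csrf_token' not in s:
        s['csrf_token']=create_key_encrypt()
        s.save()

    return '<input type="hidden" name="csrf_token" id="csrf_token" value="%s" />' % html.escape(s['csrf_token'], quote=True)
```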
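Review bot: logout() deletes 'login' and 'privileges' and now saves the session, but leaves 'csrf_token' in it, so the CSRF secret issued to the authenticated session stays valid across the logout boundary; drop it with the other keys, `if 'csrf_token' in s: del s['csrf_token']`, before the added `s.save()`, so the next form render issues a fresh one. The logout body continues outside the hunk with the remember_login cookie handling, which I cannot see.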