Added support by default for reject csrf attacks to POST statements

2016-04-04 01:59:26 +02:00 · 2016-04-04 01:59:26 +02:00 · 4149abcb36
commit 4149abcb36
parent 79485fc599
6 changed files with 45 additions and 3 deletions
--- a/paramecio/citoplasma/httputils.py
+++ b/paramecio/citoplasma/httputils.py
@ -1,6 +1,8 @@
 #!/usr/bin/python3

 from bottle import request
+from paramecio.citoplasma.sessions import get_session
+from paramecio.citoplasma.keyutils import create_key_encrypt

 class GetPostFiles:

@ -28,6 +30,21 @@ class GetPostFiles:
        for post in required_post:
            
            GetPostFiles.post[post]=GetPostFiles.post.get(post, '')
+
+        s=get_session()
+        
+        if 'csrf_token' in s:
+            
+            GetPostFiles.post['csrf_token']=GetPostFiles.post.get('csrf_token', '')
+            
+            if GetPostFiles.post['csrf_token']!=s['csrf_token']:
+                
+                raise NameError('Error: you need a valid csrf_token')
+
+        else:
+            raise NameError('Error: you don\'t send any valid csrf_token')
+
+        #Check post_token
    
    @staticmethod
    def obtain_files():
--- a/paramecio/citoplasma/mtemplates.py
+++ b/paramecio/citoplasma/mtemplates.py
@ -6,6 +6,7 @@ from mako.lookup import TemplateLookup
 from paramecio.citoplasma.urls import make_url, make_media_url, make_media_url_module, add_get_parameters
 from paramecio.citoplasma.i18n import I18n
 from paramecio.citoplasma.sessions import get_session
+from paramecio.cromosoma.formsutils import csrf_token
 from settings import config
 from os import path

@ -68,6 +69,8 @@ class ptemplate:
        
        self.add_filter(add_get_parameters)
        
+        self.add_filter(csrf_token)
+        
        I18n_lang=I18n.lang
        
        self.add_filter(I18n.lang)
@ -261,10 +264,10 @@ def set_flash_message(message):
    
    s=get_session()
    
-    s['flash']=s.get('flash', "")
-    
    s['flash']=message
    
+    s.save()
+    
 def show_flash_message():
    
    message=""
@ -278,6 +281,8 @@ def show_flash_message():
    
    s['flash']=''
    
+    s.save()
+    
    return message
    
 standard_t=ptemplate(__file__)
--- a/paramecio/citoplasma/templates/forms/modelform.phtml
+++ b/paramecio/citoplasma/templates/forms/modelform.phtml
@ -11,4 +11,5 @@
            ${form.form()|n}
        % endif
    % endfor
+    ${csrf_token()|n}
 </div>