Added support by default for reject csrf attacks to POST statements

2016-04-04 01:59:26 +02:00 · 2016-04-04 01:59:26 +02:00 · 4149abcb36
commit 4149abcb36
parent 79485fc599
6 changed files with 45 additions and 3 deletions
--- a/paramecio/citoplasma/httputils.py
+++ b/paramecio/citoplasma/httputils.py
@ -1,6 +1,8 @@
 #!/usr/bin/python3

 from bottle import request
+from paramecio.citoplasma.sessions import get_session
+from paramecio.citoplasma.keyutils import create_key_encrypt

 class GetPostFiles:

@ -28,6 +30,21 @@ class GetPostFiles:
        for post in required_post:
            
            GetPostFiles.post[post]=GetPostFiles.post.get(post, '')
+
+        s=get_session()
+        
+        if 'csrf_token' in s:
+            
+            GetPostFiles.post['csrf_token']=GetPostFiles.post.get('csrf_token', '')
+            
+            if GetPostFiles.post['csrf_token']!=s['csrf_token']:
+                
+                raise NameError('Error: you need a valid csrf_token')
+
+        else:
+            raise NameError('Error: you don\'t send any valid csrf_token')
+
+        #Check post_token
    
    @staticmethod
    def obtain_files():