Added support by default for reject csrf attacks to POST statements
This commit is contained in:
Antonio de la Rosa
parent
79485fc599
commit
4149abcb36
6 changed files with 45 additions and 3 deletions
|
|
@ -1,6 +1,8 @@
|
||||||
#!/usr/bin/python3
|
#!/usr/bin/python3
|
||||||
|
|
||||||
from bottle import request
|
from bottle import request
|
||||||
|
from paramecio.citoplasma.sessions import get_session
|
||||||
|
from paramecio.citoplasma.keyutils import create_key_encrypt
|
||||||
|
|
||||||
class GetPostFiles:
|
class GetPostFiles:
|
||||||
|
|
||||||
|
|
@ -28,6 +30,21 @@ class GetPostFiles:
|
||||||
for post in required_post:
|
for post in required_post:
|
||||||
|
|
||||||
GetPostFiles.post[post]=GetPostFiles.post.get(post, '')
|
GetPostFiles.post[post]=GetPostFiles.post.get(post, '')
|
||||||
|
|
||||||
|
s=get_session()
|
||||||
|
|
||||||
|
if 'csrf_token' in s:
|
||||||
|
|
||||||
|
GetPostFiles.post['csrf_token']=GetPostFiles.post.get('csrf_token', '')
|
||||||
|
|
||||||
|
if GetPostFiles.post['csrf_token']!=s['csrf_token']:
|
||||||
|
|
||||||
|
raise NameError('Error: you need a valid csrf_token')
|
||||||
|
|
||||||
|
else:
|
||||||
|
raise NameError('Error: you don\'t send any valid csrf_token')
|
||||||
|
|
||||||
|
#Check post_token
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def obtain_files():
|
def obtain_files():
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,7 @@ from mako.lookup import TemplateLookup
|
||||||
from paramecio.citoplasma.urls import make_url, make_media_url, make_media_url_module, add_get_parameters
|
from paramecio.citoplasma.urls import make_url, make_media_url, make_media_url_module, add_get_parameters
|
||||||
from paramecio.citoplasma.i18n import I18n
|
from paramecio.citoplasma.i18n import I18n
|
||||||
from paramecio.citoplasma.sessions import get_session
|
from paramecio.citoplasma.sessions import get_session
|
||||||
|
from paramecio.cromosoma.formsutils import csrf_token
|
||||||
from settings import config
|
from settings import config
|
||||||
from os import path
|
from os import path
|
||||||
|
|
||||||
|
|
@ -68,6 +69,8 @@ class ptemplate:
|
||||||
|
|
||||||
self.add_filter(add_get_parameters)
|
self.add_filter(add_get_parameters)
|
||||||
|
|
||||||
|
self.add_filter(csrf_token)
|
||||||
|
|
||||||
I18n_lang=I18n.lang
|
I18n_lang=I18n.lang
|
||||||
|
|
||||||
self.add_filter(I18n.lang)
|
self.add_filter(I18n.lang)
|
||||||
|
|
@ -261,10 +264,10 @@ def set_flash_message(message):
|
||||||
|
|
||||||
s=get_session()
|
s=get_session()
|
||||||
|
|
||||||
s['flash']=s.get('flash', "")
|
|
||||||
|
|
||||||
s['flash']=message
|
s['flash']=message
|
||||||
|
|
||||||
|
s.save()
|
||||||
|
|
||||||
def show_flash_message():
|
def show_flash_message():
|
||||||
|
|
||||||
message=""
|
message=""
|
||||||
|
|
@ -278,6 +281,8 @@ def show_flash_message():
|
||||||
|
|
||||||
s['flash']=''
|
s['flash']=''
|
||||||
|
|
||||||
|
s.save()
|
||||||
|
|
||||||
return message
|
return message
|
||||||
|
|
||||||
standard_t=ptemplate(__file__)
|
standard_t=ptemplate(__file__)
|
||||||
|
|
|
||||||
|
|
@ -11,4 +11,5 @@
|
||||||
${form.form()|n}
|
${form.form()|n}
|
||||||
% endif
|
% endif
|
||||||
% endfor
|
% endfor
|
||||||
|
${csrf_token()|n}
|
||||||
</div>
|
</div>
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,8 @@
|
||||||
from paramecio.cromosoma import corefields
|
from paramecio.cromosoma import corefields
|
||||||
from paramecio.cromosoma.coreforms import PasswordForm
|
from paramecio.cromosoma.coreforms import PasswordForm
|
||||||
from paramecio.citoplasma.i18n import I18n
|
from paramecio.citoplasma.i18n import I18n
|
||||||
|
from paramecio.citoplasma.sessions import get_session
|
||||||
|
from paramecio.citoplasma.keyutils import create_key_encrypt
|
||||||
from bottle import request
|
from bottle import request
|
||||||
|
|
||||||
# Need unittest
|
# Need unittest
|
||||||
|
|
@ -36,6 +38,14 @@ def pass_values_to_form(post, arr_form, yes_error=True):
|
||||||
|
|
||||||
def show_form(post, arr_form, t, yes_error=True, modelform_tpl='forms/modelform.phtml'):
|
def show_form(post, arr_form, t, yes_error=True, modelform_tpl='forms/modelform.phtml'):
|
||||||
|
|
||||||
|
# Create csrf_token in session
|
||||||
|
|
||||||
|
s=get_session()
|
||||||
|
|
||||||
|
s['csrf_token']=create_key_encrypt()
|
||||||
|
|
||||||
|
s.save()
|
||||||
|
|
||||||
pass_values_to_form(post, arr_form, yes_error)
|
pass_values_to_form(post, arr_form, yes_error)
|
||||||
|
|
||||||
return t.load_template(modelform_tpl, forms=arr_form)
|
return t.load_template(modelform_tpl, forms=arr_form)
|
||||||
|
|
@ -60,4 +70,11 @@ def set_extra_forms_user(user_admin):
|
||||||
def ini_fields(fields):
|
def ini_fields(fields):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
def csrf_token():
|
||||||
|
|
||||||
|
s=get_session()
|
||||||
|
s['csrf_token']=create_key_encrypt()
|
||||||
|
s.save()
|
||||||
|
|
||||||
|
return '<input type="hidden" name="csrf_token" id="csrf_token" value="'+s['csrf_token']+'" />'
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -298,6 +298,8 @@ def logout():
|
||||||
|
|
||||||
del s['login']
|
del s['login']
|
||||||
del s['privileges']
|
del s['privileges']
|
||||||
|
|
||||||
|
s.save()
|
||||||
|
|
||||||
if request.get_cookie("remember_login", secret=key_encrypt):
|
if request.get_cookie("remember_login", secret=key_encrypt):
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,7 @@
|
||||||
url: "${make_url('admin/login')}",
|
url: "${make_url('admin/login')}",
|
||||||
method: "POST",
|
method: "POST",
|
||||||
dataType: "json",
|
dataType: "json",
|
||||||
data: {'username': $('#username_form').val(), 'password': $('#password_form').val(), 'remember_login': $('#remember_login').val()}
|
data: {'username': $('#username_form').val(), 'password': $('#password_form').val(), 'remember_login': $('#remember_login').val(), 'csrf_token': $('#csrf_token').val()}
|
||||||
}).done(function(data) {
|
}).done(function(data) {
|
||||||
|
|
||||||
if(data.error==0)
|
if(data.error==0)
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue