paramecio/parameciofm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added support by default for reject csrf attacks to POST statements

Browse source
This commit is contained in:
Antonio de la Rosa 2016-04-04 01:59:26 +02:00
parent 79485fc599
commit 4149abcb36
6 changed files with 45 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

17
paramecio/citoplasma/httputils.py
View file

@ -1,6 +1,8 @@
#!/usr/bin/python3
from bottle import request
from paramecio.citoplasma.sessions import get_session
from paramecio.citoplasma.keyutils import create_key_encrypt
class GetPostFiles:
@ -29,6 +31,21 @@ class GetPostFiles:
GetPostFiles.post[post]=GetPostFiles.post.get(post, '')
s=get_session()
if 'csrf_token' in s:
GetPostFiles.post['csrf_token']=GetPostFiles.post.get('csrf_token', '')
if GetPostFiles.post['csrf_token']!=s['csrf_token']:
raise NameError('Error: you need a valid csrf_token')
else:
raise NameError('Error: you don\'t send any valid csrf_token')
#Check post_token
@staticmethod
def obtain_files():

9
paramecio/citoplasma/mtemplates.py
View file

@ -6,6 +6,7 @@ from mako.lookup import TemplateLookup
from paramecio.citoplasma.urls import make_url, make_media_url, make_media_url_module, add_get_parameters
from paramecio.citoplasma.i18n import I18n
from paramecio.citoplasma.sessions import get_session
from paramecio.cromosoma.formsutils import csrf_token
from settings import config
from os import path
@ -68,6 +69,8 @@ class ptemplate:
self.add_filter(add_get_parameters)
self.add_filter(csrf_token)
I18n_lang=I18n.lang
self.add_filter(I18n.lang)
@ -261,10 +264,10 @@ def set_flash_message(message):
s=get_session()
s['flash']=s.get('flash', "")
s['flash']=message
s.save()
def show_flash_message():
message=""
@ -278,6 +281,8 @@ def show_flash_message():
s['flash']=''
s.save()
return message
standard_t=ptemplate(__file__)

1
paramecio/citoplasma/templates/forms/modelform.phtml
View file

@ -11,4 +11,5 @@
${form.form()|n}
% endif
% endfor
${csrf_token()|n}
</div>

17
paramecio/cromosoma/formsutils.py
View file

@ -3,6 +3,8 @@
from paramecio.cromosoma import corefields
from paramecio.cromosoma.coreforms import PasswordForm
from paramecio.citoplasma.i18n import I18n
from paramecio.citoplasma.sessions import get_session
from paramecio.citoplasma.keyutils import create_key_encrypt
from bottle import request
# Need unittest
@ -36,6 +38,14 @@ def pass_values_to_form(post, arr_form, yes_error=True):
def show_form(post, arr_form, t, yes_error=True, modelform_tpl='forms/modelform.phtml'):
# Create csrf_token in session
s=get_session()
s['csrf_token']=create_key_encrypt()
s.save()
pass_values_to_form(post, arr_form, yes_error)
return t.load_template(modelform_tpl, forms=arr_form)
@ -60,4 +70,11 @@ def set_extra_forms_user(user_admin):
def ini_fields(fields):
pass
def csrf_token():
s=get_session()
s['csrf_token']=create_key_encrypt()
s.save()
return '<input type="hidden" name="csrf_token" id="csrf_token" value="'+s['csrf_token']+'" />'

2
paramecio/modules/admin/index.py
View file

@ -299,6 +299,8 @@ def logout():
del s['login']
del s['privileges']
s.save()
if request.get_cookie("remember_login", secret=key_encrypt):
# delete cookie

2
paramecio/modules/admin/templates/admin/login.phtml
View file

@ -21,7 +21,7 @@
url: "${make_url('admin/login')}",
method: "POST",
dataType: "json",
data: {'username': $('#username_form').val(), 'password': $('#password_form').val(), 'remember_login': $('#remember_login').val()}
data: {'username': $('#username_form').val(), 'password': $('#password_form').val(), 'remember_login': $('#remember_login').val(), 'csrf_token': $('#csrf_token').val()}
}).done(function(data) {
if(data.error==0)