From 6e05f7a8db0b1ce2620d0620ad44c2e4ab1f8bdf Mon Sep 17 00:00:00 2001
From: Antonio de la Rosa
Date: Thu, 16 Mar 2017 04:42:34 +0100
Subject: [PATCH] Little fix in csrf for use a simple token in all session
---
 paramecio/citoplasma/httputils.py | 19 +++++++++++++------
 paramecio/cromosoma/formsutils.py | 6 ++++--
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/paramecio/citoplasma/httputils.py b/paramecio/citoplasma/httputils.py
index 3990186..ad960c5 100644
--- a/paramecio/citoplasma/httputils.py
+++ b/paramecio/citoplasma/httputils.py
@@ -5,19 +5,24 @@ from bottle import request, response
 from paramecio.citoplasma.sessions import get_session
 from paramecio.citoplasma.keyutils import create_key_encrypt
+no_csrf=False
+change_csrf=False
+
 try:
     from settings import config
-    no_csrf=False
-
     if hasattr(config, 'no_csrf'):
         no_csrf=config.no_csrf
+    if hasattr(config, 'change_csrf'):
+        change_csrf=config.change_csrf
+
 except:
     class config:
         no_csrf=False
+        change_csrf=True
 def filter_ajax(data, filter_tags=True):
@@ -90,16 +95,18 @@ class GetPostFiles:
             if 'csrf_token' in s:
                 self.post['csrf_token']=self.post.get('csrf_token', '')
-
-                if self.post['csrf_token']!=s['csrf_token'] and self.post['csrf_token'].strip()!="":
+
+                if self.post['csrf_token']!=s['csrf_token'] or self.post['csrf_token'].strip()=="":
                     raise NameError('Error: you need a valid csrf_token')
                 else:
                     #Clean csrf_token
-                    del s['csrf_token']
+                    if change_csrf:
-                    s.save()
+                        del s['csrf_token']
+
+                    s.save()
             else:
diff --git a/paramecio/cromosoma/formsutils.py b/paramecio/cromosoma/formsutils.py
index e796840..43d0a62 100644
--- a/paramecio/cromosoma/formsutils.py
+++ b/paramecio/cromosoma/formsutils.py
@@ -103,8 +103,10 @@ def csrf_token(token_id='csrf_token'):
 def generate_csrf():
     s=get_session()
-    s['csrf_token']=create_key_encrypt()
-    s.save()
+
+    if not 'csrf_token' in s:
+        s['csrf_token']=create_key_encrypt()
+        s.save()
     return s['csrf_token']
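Review bot: The fallback `class config` at the end of the first hunk sets `change_csrf=True`, but nothing reads `config.change_csrf` from that class: `change_csrf` is only the module-level default `change_csrf=False` plus, when `settings` imports cleanly, `config.change_csrf`, so without a settings module the effective value is False while the fallback says True. Drop the dead attribute or align the module default with it, e.g. `change_csrf=True` at the top if rotating the token per validated POST is the intended default. The bare `except:` also hides a broken settings module (a SyntaxError or a failing import inside it) and silently falls back to CSRF checks with default settings; `except ImportError:` would surface that. A comment on the new switch, `# True: rotate the CSRF token after each validated POST; False: one token for the whole session`, would document what the flag controls.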
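Review bot: The rewritten check in the `GetPostFiles` hunk compares the submitted token to the session token with `!=`, an early-exit comparison; for a secret-bearing check use `hmac.compare_digest`: `if self.post['csrf_token'].strip()=="" or not hmac.compare_digest(str(self.post['csrf_token']), str(s['csrf_token'])):` with `import hmac` added at the top of the file. The switch from `and` to `or` does fix the previous condition, which only rejected a mismatching token when it was non-empty and therefore let an empty token through. With `change_csrf` false the token is no longer deleted, yet `s.save()` now runs on every validated POST, a session write per request that the old code paid only when the token was consumed; guarding the save with the same `if change_csrf:` avoids it. The method containing this check begins and ends outside the hunk, so what the trailing `else:` does for a session with no `csrf_token` is not visible here.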
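Review bot: In `generate_csrf`, `if not 'csrf_token' in s` only tests presence, so a session that already holds an empty or stale `csrf_token` value keeps returning it and every form then fails the server-side check, which rejects blank tokens; testing the value, `if not s.get('csrf_token'):`, regenerates in that case and also reads as idiomatic Python (`'csrf_token' not in s` is the PEP 8 spelling if presence is really what you want). Because the token now lives for the whole session, it should be regenerated whenever the session's trust level changes (login, logout, privilege change), otherwise a token minted in an anonymous session stays valid after authentication; neither this hunk nor `generate_csrf` provides that hook, so the login path needs to clear `s['csrf_token']` or call the regeneration explicitly. A docstring stating the new contract, that the function returns the session's existing token and only mints and saves one when none is present, would make the per-session behaviour explicit to callers.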