paramecio/parameciofm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Little fix in csrf for use a simple token in all session

Browse source
This commit is contained in:
Antonio de la Rosa 2017-03-16 04:42:34 +01:00
parent aa0ac1d9e7
commit 6e05f7a8db
2 changed files with 17 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

13
paramecio/citoplasma/httputils.py
View file

@ -5,19 +5,24 @@ from bottle import request, response
from paramecio.citoplasma.sessions import get_session from paramecio.citoplasma.sessions import get_session
from paramecio.citoplasma.keyutils import create_key_encrypt from paramecio.citoplasma.keyutils import create_key_encrypt
no_csrf=False
change_csrf=False
try: try:
from settings import config from settings import config
no_csrf=False
if hasattr(config, 'no_csrf'): if hasattr(config, 'no_csrf'):
no_csrf=config.no_csrf no_csrf=config.no_csrf
if hasattr(config, 'change_csrf'):
change_csrf=config.change_csrf
except: except:
class config: class config:
no_csrf=False no_csrf=False
change_csrf=True
def filter_ajax(data, filter_tags=True): def filter_ajax(data, filter_tags=True):
@ -91,12 +96,14 @@ class GetPostFiles:
self.post['csrf_token']=self.post.get('csrf_token', '') self.post['csrf_token']=self.post.get('csrf_token', '')
if self.post['csrf_token']!=s['csrf_token'] and self.post['csrf_token'].strip()!="": if self.post['csrf_token']!=s['csrf_token'] or self.post['csrf_token'].strip()=="":
raise NameError('Error: you need a valid csrf_token') raise NameError('Error: you need a valid csrf_token')
else: else:
#Clean csrf_token #Clean csrf_token
if change_csrf:
del s['csrf_token'] del s['csrf_token']
s.save() s.save()

2
paramecio/cromosoma/formsutils.py
View file

@ -103,6 +103,8 @@ def csrf_token(token_id='csrf_token'):
def generate_csrf(): def generate_csrf():
s=get_session() s=get_session()
if not 'csrf_token' in s:
s['csrf_token']=create_key_encrypt() s['csrf_token']=create_key_encrypt()
s.save() s.save()