3 (h0@s.dZddlmZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z mZddlmZdd lmZdd lmZdd lmZdd lmZejd ZdZdZdZdZdZdZ dZ!de!Z"ej#ej$Z%ddZ&ddZ'ddZ(ddZ)ddZ*d d!Z+d"d#Z,d$d%Z-d&d'Z.Gd(d)d)eZ/dS)*z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. )unicode_literalsN)settings) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin) force_text)is_same_domain)zip)urlparsezdjango.requestz%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.z CSRF token missing or incorrect.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure. cCs ttjS)z9 Returns the view to be used for CSRF rejections )rrZCSRF_FAILURE_VIEWrr:/tmp/pip-install-q3hcpn_q/Django/django/middleware/csrf.py_get_failure_view%srcCs tttdS)N) allowed_chars)rCSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrrr_get_new_csrf_string,srcsPt}ttfdd|Dfdd|D}djfdd|D}||S)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a salt and using it to encrypt the secret. c3s|]}j|VqdS)N)index).0x)charsrr 7sz&_salt_cipher_secret..c3s&|]\}}||tVqdS)N)len)rry)rrrr8s)rrr join)secretsaltpairscipherr)rr_salt_cipher_secret0s &r#cs^|dt}|td}ttfdd|Dfdd|D}djfdd|D}|S)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a salt), use it to decrypt the second half to produce the original secret. Nc3s|]}j|VqdS)N)r)rr)rrrrEsz'_unsalt_cipher_token..rc3s|]\}}||VqdS)Nr)rrr)rrrrFs)rrr r)tokenr r!rr)rr_unsalt_cipher_token<s   &r%cCs ttS)N)r#rrrrr_get_new_csrf_tokenJsr&cCs@d|jkr t}t||jd<nt|jd}d|jd<t|S)a Returns the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor. CSRF_COOKIETCSRF_COOKIE_USED)METArr#r%)requestZ csrf_secretrrr get_tokenNs  r+cCs|jjdtdd|_dS)zj Changes the CSRF token in use for a request - should be done on login for security purposes. T)r(r'N)r)updater&csrf_cookie_needs_reset)r*rrr rotate_tokenas r.cCs@tjdt|rtSt|tkr&|St|tkr:t|StS)Nz [^a-zA-Z0-9])researchr r&rCSRF_TOKEN_LENGTHrr#)r$rrr_sanitize_tokenms  r2cCstt|t|S)N)rr%)request_csrf_token csrf_tokenrrr_compare_salted_tokens~sr5c@s0eZdZdZddZddZddZdd Zd S) CsrfViewMiddlewarez Middleware that requires a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and sets an outgoing CSRF cookie. This middleware should be used in conjunction with the csrf_token template tag. cCs d|_dS)NT)csrf_processing_done)selfr*rrr_acceptszCsrfViewMiddleware._acceptcCs(tjd||jd|ddt||dS)NzForbidden (%s): %si) status_coder*)extra)reason)loggerwarningpathr)r8r*r<rrr_rejects  zCsrfViewMiddleware._rejectc st|ddrdSy|jtj}Wntk r8d}Yn"Xt|}||krPd|_||jd<t|ddrjdS|jdkrt|d dr|j |S|j rzt |jj d dd d dkr|j |tStdjjfkr|j |tSjdkr|j |tStjdkr|j}n$tj}|j}|dkr6d||f}ttj} | j|tfdd| Dsztj} |j || S|dkr|j |tSd} |jdkry|jj dd} Wntk rYnX| dkr|jj tj d} t| } t!| |s|j |t"S|j |S)Nr7FTr'Z csrf_exemptGETHEADOPTIONSTRACEZ_dont_enforce_csrf_checksZ HTTP_REFERERreplace)Z strings_onlyerrorsrhttps44380z%s:%sc3s|]}tj|VqdS)N)r netloc)rhost)refererrrrsz2CsrfViewMiddleware.process_view..POSTZcsrfmiddlewaretoken)rArBrCrD)rHrI)#getattrZCOOKIESrCSRF_COOKIE_NAMEKeyErrorr2r-r)methodr9Z is_securer getr@REASON_NO_REFERERr schemerJREASON_MALFORMED_REFERERREASON_INSECURE_REFERERCSRF_COOKIE_DOMAINget_hostZget_portlistZCSRF_TRUSTED_ORIGINSappendanyREASON_BAD_REFERERgeturlREASON_NO_CSRF_COOKIErMIOErrorZCSRF_HEADER_NAMEr5REASON_BAD_TOKEN) r8r*callback callback_argscallback_kwargsZ cookie_tokenr4Z good_refererZ server_portZ good_hostsr<r3r)rLr process_viewsh                           zCsrfViewMiddleware.process_viewc Cslt|ddst|ddr|S|jjdds.|S|jtj|jdtjtjtjtj tj dt |d d|_ |S) Nr-Fcsrf_cookie_setr(r')Zmax_agedomainr?securehttponlyCookieT)ri) rNr)rR set_cookierrOZCSRF_COOKIE_AGErWZCSRF_COOKIE_PATHZCSRF_COOKIE_SECUREZCSRF_COOKIE_HTTPONLYrre)r8r*responserrrprocess_responses    z#CsrfViewMiddleware.process_responseN)__name__ __module__ __qualname____doc__r9r@rdrlrrrrr6s  ur6)0rp __future__rloggingr/stringZ django.confrZ django.urlsrZdjango.utils.cacherZdjango.utils.cryptorrZdjango.utils.deprecationrZdjango.utils.encodingr Zdjango.utils.httpr Zdjango.utils.six.movesr Z#django.utils.six.moves.urllib.parser getLoggerr=rSr\r^r`rUrVrr1 ascii_lettersdigitsrrrr#r%r&r+r.r2r5r6rrrrsB