<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=""> <head> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>django.middleware.csrf — Django 1.11.20 documentation</title> <link rel="stylesheet" href="../../../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" /> <script type="text/javascript" id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script> <script type="text/javascript" src="../../../_static/jquery.js"></script> <script type="text/javascript" src="../../../_static/underscore.js"></script> <script type="text/javascript" src="../../../_static/doctools.js"></script> <script type="text/javascript" src="../../../_static/language_data.js"></script> <link rel="index" title="Index" href="../../../genindex.html" /> <link rel="search" title="Search" href="../../../search.html" /> <script type="text/javascript" src="../../../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. 
return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../../../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head><body> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../../../index.html">Django 1.11.20 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../../../index.html">Home</a> | <a title="Table of contents" href="../../../contents.html">Table of contents</a> | <a title="Global index" href="../../../genindex.html">Index</a> | <a title="Module index" href="../../../py-modindex.html">Modules</a> </div> <div class="nav"> <a href="../../index.html" title="Module code" accesskey="U">up</a></div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="_modules-django-middleware-csrf"> <h1>Source code for django.middleware.csrf</h1><div class="highlight"><pre> <span></span><span class="sd">"""</span> <span class="sd">Cross Site Request Forgery Middleware.</span> <span class="sd">This module provides a middleware that implements protection</span> <span class="sd">against request forgeries from other sites.</span> <span class="sd">"""</span> <span class="kn">from</span> <span class="nn">__future__</span> 
<span class="k">import</span> <span class="n">unicode_literals</span> <span class="kn">import</span> <span class="nn">logging</span> <span class="kn">import</span> <span class="nn">re</span> <span class="kn">import</span> <span class="nn">string</span> <span class="kn">from</span> <span class="nn">django.conf</span> <span class="k">import</span> <span class="n">settings</span> <span class="kn">from</span> <span class="nn">django.core.exceptions</span> <span class="k">import</span> <span class="n">ImproperlyConfigured</span> <span class="kn">from</span> <span class="nn">django.urls</span> <span class="k">import</span> <span class="n">get_callable</span> <span class="kn">from</span> <span class="nn">django.utils.cache</span> <span class="k">import</span> <span class="n">patch_vary_headers</span> <span class="kn">from</span> <span class="nn">django.utils.crypto</span> <span class="k">import</span> <span class="n">constant_time_compare</span><span class="p">,</span> <span class="n">get_random_string</span> <span class="kn">from</span> <span class="nn">django.utils.deprecation</span> <span class="k">import</span> <span class="n">MiddlewareMixin</span> <span class="kn">from</span> <span class="nn">django.utils.encoding</span> <span class="k">import</span> <span class="n">force_text</span> <span class="kn">from</span> <span class="nn">django.utils.http</span> <span class="k">import</span> <span class="n">is_same_domain</span> <span class="kn">from</span> <span class="nn">django.utils.six.moves</span> <span class="k">import</span> <span class="nb">zip</span> <span class="kn">from</span> <span class="nn">django.utils.six.moves.urllib.parse</span> <span class="k">import</span> <span class="n">urlparse</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="o">.</span><span class="n">getLogger</span><span class="p">(</span><span class="s1">'django.security.csrf'</span><span class="p">)</span> <span 
class="n">REASON_NO_REFERER</span> <span class="o">=</span> <span class="s2">"Referer checking failed - no Referer."</span> <span class="n">REASON_BAD_REFERER</span> <span class="o">=</span> <span class="s2">"Referer checking failed - </span><span class="si">%s</span><span class="s2"> does not match any trusted origins."</span> <span class="n">REASON_NO_CSRF_COOKIE</span> <span class="o">=</span> <span class="s2">"CSRF cookie not set."</span> <span class="n">REASON_BAD_TOKEN</span> <span class="o">=</span> <span class="s2">"CSRF token missing or incorrect."</span> <span class="n">REASON_MALFORMED_REFERER</span> <span class="o">=</span> <span class="s2">"Referer checking failed - Referer is malformed."</span> <span class="n">REASON_INSECURE_REFERER</span> <span class="o">=</span> <span class="s2">"Referer checking failed - Referer is insecure while host is secure."</span> <span class="n">CSRF_SECRET_LENGTH</span> <span class="o">=</span> <span class="mi">32</span> <span class="n">CSRF_TOKEN_LENGTH</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">CSRF_SECRET_LENGTH</span> <span class="n">CSRF_ALLOWED_CHARS</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="o">.</span><span class="n">digits</span> <span class="n">CSRF_SESSION_KEY</span> <span class="o">=</span> <span class="s1">'_csrftoken'</span> <span class="k">def</span> <span class="nf">_get_failure_view</span><span class="p">():</span> <span class="sd">"""</span> <span class="sd"> Returns the view to be used for CSRF rejections</span> <span class="sd"> """</span> <span class="k">return</span> <span class="n">get_callable</span><span class="p">(</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_FAILURE_VIEW</span><span class="p">)</span> <span class="k">def</span> <span 
class="nf">_get_new_csrf_string</span><span class="p">():</span> <span class="k">return</span> <span class="n">get_random_string</span><span class="p">(</span><span class="n">CSRF_SECRET_LENGTH</span><span class="p">,</span> <span class="n">allowed_chars</span><span class="o">=</span><span class="n">CSRF_ALLOWED_CHARS</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_salt_cipher_secret</span><span class="p">(</span><span class="n">secret</span><span class="p">):</span> <span class="sd">"""</span> <span class="sd"> Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a</span> <span class="sd"> token by adding a salt and using it to encrypt the secret.</span> <span class="sd"> """</span> <span class="n">salt</span> <span class="o">=</span> <span class="n">_get_new_csrf_string</span><span class="p">()</span> <span class="n">chars</span> <span class="o">=</span> <span class="n">CSRF_ALLOWED_CHARS</span> <span class="n">pairs</span> <span class="o">=</span> <span class="nb">zip</span><span class="p">((</span><span class="n">chars</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">secret</span><span class="p">),</span> <span class="p">(</span><span class="n">chars</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">salt</span><span class="p">))</span> <span class="n">cipher</span> <span class="o">=</span> <span class="s1">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">chars</span><span class="p">[(</span><span class="n">x</span> <span class="o">+</span> <span class="n">y</span><span class="p">)</span> <span class="o">%</span> <span 
class="nb">len</span><span class="p">(</span><span class="n">chars</span><span class="p">)]</span> <span class="k">for</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span> <span class="ow">in</span> <span class="n">pairs</span><span class="p">)</span> <span class="k">return</span> <span class="n">salt</span> <span class="o">+</span> <span class="n">cipher</span> <span class="k">def</span> <span class="nf">_unsalt_cipher_token</span><span class="p">(</span><span class="n">token</span><span class="p">):</span> <span class="sd">"""</span> <span class="sd"> Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length</span> <span class="sd"> CSRF_TOKEN_LENGTH, and that its first half is a salt), use it to decrypt</span> <span class="sd"> the second half to produce the original secret.</span> <span class="sd"> """</span> <span class="n">salt</span> <span class="o">=</span> <span class="n">token</span><span class="p">[:</span><span class="n">CSRF_SECRET_LENGTH</span><span class="p">]</span> <span class="n">token</span> <span class="o">=</span> <span class="n">token</span><span class="p">[</span><span class="n">CSRF_SECRET_LENGTH</span><span class="p">:]</span> <span class="n">chars</span> <span class="o">=</span> <span class="n">CSRF_ALLOWED_CHARS</span> <span class="n">pairs</span> <span class="o">=</span> <span class="nb">zip</span><span class="p">((</span><span class="n">chars</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">token</span><span class="p">),</span> <span class="p">(</span><span class="n">chars</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">salt</span><span 
class="p">))</span> <span class="n">secret</span> <span class="o">=</span> <span class="s1">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">chars</span><span class="p">[</span><span class="n">x</span> <span class="o">-</span> <span class="n">y</span><span class="p">]</span> <span class="k">for</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span> <span class="ow">in</span> <span class="n">pairs</span><span class="p">)</span> <span class="c1"># Note negative values are ok</span> <span class="k">return</span> <span class="n">secret</span> <span class="k">def</span> <span class="nf">_get_new_csrf_token</span><span class="p">():</span> <span class="k">return</span> <span class="n">_salt_cipher_secret</span><span class="p">(</span><span class="n">_get_new_csrf_string</span><span class="p">())</span> <span class="k">def</span> <span class="nf">get_token</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="sd">"""</span> <span class="sd"> Returns the CSRF token required for a POST form. The token is an</span> <span class="sd"> alphanumeric value. A new token is created if one is not already set.</span> <span class="sd"> A side effect of calling this function is to make the csrf_protect</span> <span class="sd"> decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'</span> <span class="sd"> header to the outgoing response. 
For this reason, you may need to use this</span> <span class="sd"> function lazily, as is done by the csrf context processor.</span> <span class="sd"> """</span> <span class="k">if</span> <span class="s2">"CSRF_COOKIE"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">:</span> <span class="n">csrf_secret</span> <span class="o">=</span> <span class="n">_get_new_csrf_string</span><span class="p">()</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s2">"CSRF_COOKIE"</span><span class="p">]</span> <span class="o">=</span> <span class="n">_salt_cipher_secret</span><span class="p">(</span><span class="n">csrf_secret</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">csrf_secret</span> <span class="o">=</span> <span class="n">_unsalt_cipher_token</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s2">"CSRF_COOKIE"</span><span class="p">])</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s2">"CSRF_COOKIE_USED"</span><span class="p">]</span> <span class="o">=</span> <span class="kc">True</span> <span class="k">return</span> <span class="n">_salt_cipher_secret</span><span class="p">(</span><span class="n">csrf_secret</span><span class="p">)</span> <span class="k">def</span> <span class="nf">rotate_token</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="sd">"""</span> <span class="sd"> Changes the CSRF token in use for a request - should be done on login</span> <span class="sd"> for security purposes.</span> <span class="sd"> """</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span 
class="o">.</span><span class="n">update</span><span class="p">({</span> <span class="s2">"CSRF_COOKIE_USED"</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span> <span class="s2">"CSRF_COOKIE"</span><span class="p">:</span> <span class="n">_get_new_csrf_token</span><span class="p">(),</span> <span class="p">})</span> <span class="n">request</span><span class="o">.</span><span class="n">csrf_cookie_needs_reset</span> <span class="o">=</span> <span class="kc">True</span> <span class="k">def</span> <span class="nf">_sanitize_token</span><span class="p">(</span><span class="n">token</span><span class="p">):</span> <span class="c1"># Allow only ASCII alphanumerics</span> <span class="k">if</span> <span class="n">re</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s1">'[^a-zA-Z0-9]'</span><span class="p">,</span> <span class="n">force_text</span><span class="p">(</span><span class="n">token</span><span class="p">)):</span> <span class="k">return</span> <span class="n">_get_new_csrf_token</span><span class="p">()</span> <span class="k">elif</span> <span class="nb">len</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="o">==</span> <span class="n">CSRF_TOKEN_LENGTH</span><span class="p">:</span> <span class="k">return</span> <span class="n">token</span> <span class="k">elif</span> <span class="nb">len</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="o">==</span> <span class="n">CSRF_SECRET_LENGTH</span><span class="p">:</span> <span class="c1"># Older Django versions set cookies to values of CSRF_SECRET_LENGTH</span> <span class="c1"># alphanumeric characters. 
For backwards compatibility, accept</span> <span class="c1"># such values as unsalted secrets.</span> <span class="c1"># It's easier to salt here and be consistent later, rather than add</span> <span class="c1"># different code paths in the checks, although that might be a tad more</span> <span class="c1"># efficient.</span> <span class="k">return</span> <span class="n">_salt_cipher_secret</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">return</span> <span class="n">_get_new_csrf_token</span><span class="p">()</span> <span class="k">def</span> <span class="nf">_compare_salted_tokens</span><span class="p">(</span><span class="n">request_csrf_token</span><span class="p">,</span> <span class="n">csrf_token</span><span class="p">):</span> <span class="c1"># Assume both arguments are sanitized -- that is, strings of</span> <span class="c1"># length CSRF_TOKEN_LENGTH, all CSRF_ALLOWED_CHARS.</span> <span class="k">return</span> <span class="n">constant_time_compare</span><span class="p">(</span> <span class="n">_unsalt_cipher_token</span><span class="p">(</span><span class="n">request_csrf_token</span><span class="p">),</span> <span class="n">_unsalt_cipher_token</span><span class="p">(</span><span class="n">csrf_token</span><span class="p">),</span> <span class="p">)</span> <div class="viewcode-block" id="CsrfViewMiddleware"><a class="viewcode-back" href="../../../ref/middleware.html#django.middleware.csrf.CsrfViewMiddleware">[docs]</a><span class="k">class</span> <span class="nc">CsrfViewMiddleware</span><span class="p">(</span><span class="n">MiddlewareMixin</span><span class="p">):</span> <span class="sd">"""</span> <span class="sd"> Middleware that requires a present and correct csrfmiddlewaretoken</span> <span class="sd"> for POST requests that have a CSRF cookie, and sets an outgoing</span> <span class="sd"> CSRF cookie.</span> <span class="sd"> This middleware should be used in conjunction with the csrf_token 
template</span> <span class="sd"> tag.</span> <span class="sd"> """</span> <span class="c1"># The _accept and _reject methods currently only exist for the sake of the</span> <span class="c1"># requires_csrf_token decorator.</span> <span class="k">def</span> <span class="nf">_accept</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span> <span class="c1"># Avoid checking the request twice by adding a custom attribute to</span> <span class="c1"># request. This will be relevant when both decorator and middleware</span> <span class="c1"># are used.</span> <span class="n">request</span><span class="o">.</span><span class="n">csrf_processing_done</span> <span class="o">=</span> <span class="kc">True</span> <span class="k">return</span> <span class="kc">None</span> <span class="k">def</span> <span class="nf">_reject</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">reason</span><span class="p">):</span> <span class="n">logger</span><span class="o">.</span><span class="n">warning</span><span class="p">(</span> <span class="s1">'Forbidden (</span><span class="si">%s</span><span class="s1">): </span><span class="si">%s</span><span class="s1">'</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">request</span><span class="o">.</span><span class="n">path</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span> <span class="s1">'status_code'</span><span class="p">:</span> <span class="mi">403</span><span class="p">,</span> <span class="s1">'request'</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="k">return</span> <span class="n">_get_failure_view</span><span class="p">()(</span><span 
class="n">request</span><span class="p">,</span> <span class="n">reason</span><span class="o">=</span><span class="n">reason</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_get_token</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">settings</span><span class="o">.</span><span class="n">CSRF_USE_SESSIONS</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">request</span><span class="o">.</span><span class="n">session</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">CSRF_SESSION_KEY</span><span class="p">)</span> <span class="k">except</span> <span class="ne">AttributeError</span><span class="p">:</span> <span class="k">raise</span> <span class="n">ImproperlyConfigured</span><span class="p">(</span> <span class="s1">'CSRF_USE_SESSIONS is enabled, but request.session is not '</span> <span class="s1">'set. 
SessionMiddleware must appear before CsrfViewMiddleware '</span> <span class="s1">'in MIDDLEWARE</span><span class="si">%s</span><span class="s1">.'</span> <span class="o">%</span> <span class="p">(</span><span class="s1">'_CLASSES'</span> <span class="k">if</span> <span class="n">settings</span><span class="o">.</span><span class="n">MIDDLEWARE</span> <span class="ow">is</span> <span class="kc">None</span> <span class="k">else</span> <span class="s1">''</span><span class="p">)</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">cookie_token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">COOKIES</span><span class="p">[</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_NAME</span><span class="p">]</span> <span class="k">except</span> <span class="ne">KeyError</span><span class="p">:</span> <span class="k">return</span> <span class="kc">None</span> <span class="n">csrf_token</span> <span class="o">=</span> <span class="n">_sanitize_token</span><span class="p">(</span><span class="n">cookie_token</span><span class="p">)</span> <span class="k">if</span> <span class="n">csrf_token</span> <span class="o">!=</span> <span class="n">cookie_token</span><span class="p">:</span> <span class="c1"># Cookie token needed to be replaced;</span> <span class="c1"># the cookie needs to be reset.</span> <span class="n">request</span><span class="o">.</span><span class="n">csrf_cookie_needs_reset</span> <span class="o">=</span> <span class="kc">True</span> <span class="k">return</span> <span class="n">csrf_token</span> <span class="k">def</span> <span class="nf">_set_token</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">response</span><span class="p">):</span> <span class="k">if</span> <span 
class="n">settings</span><span class="o">.</span><span class="n">CSRF_USE_SESSIONS</span><span class="p">:</span> <span class="n">request</span><span class="o">.</span><span class="n">session</span><span class="p">[</span><span class="n">CSRF_SESSION_KEY</span><span class="p">]</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s1">'CSRF_COOKIE'</span><span class="p">]</span> <span class="k">else</span><span class="p">:</span> <span class="n">response</span><span class="o">.</span><span class="n">set_cookie</span><span class="p">(</span> <span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_NAME</span><span class="p">,</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s1">'CSRF_COOKIE'</span><span class="p">],</span> <span class="n">max_age</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_AGE</span><span class="p">,</span> <span class="n">domain</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_DOMAIN</span><span class="p">,</span> <span class="n">path</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_PATH</span><span class="p">,</span> <span class="n">secure</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_SECURE</span><span class="p">,</span> <span class="n">httponly</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_HTTPONLY</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Set the Vary header since content varies with the CSRF cookie.</span> <span class="n">patch_vary_headers</span><span class="p">(</span><span 
class="n">response</span><span class="p">,</span> <span class="p">(</span><span class="s1">'Cookie'</span><span class="p">,))</span> <span class="k">def</span> <span class="nf">process_request</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span> <span class="n">csrf_token</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">_get_token</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">if</span> <span class="n">csrf_token</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span> <span class="c1"># Use same token next time.</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s1">'CSRF_COOKIE'</span><span class="p">]</span> <span class="o">=</span> <span class="n">csrf_token</span> <span class="k">def</span> <span class="nf">process_view</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">callback_args</span><span class="p">,</span> <span class="n">callback_kwargs</span><span class="p">):</span> <span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="s1">'csrf_processing_done'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span> <span class="k">return</span> <span class="kc">None</span> <span class="c1"># Wait until request.META["CSRF_COOKIE"] has been manipulated before</span> <span class="c1"># bailing out, so that get_token still works</span> <span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> 
<span class="s1">'csrf_exempt'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span> <span class="k">return</span> <span class="kc">None</span> <span class="c1"># Assume that anything not defined as 'safe' by RFC7231 needs protection</span> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">(</span><span class="s1">'GET'</span><span class="p">,</span> <span class="s1">'HEAD'</span><span class="p">,</span> <span class="s1">'OPTIONS'</span><span class="p">,</span> <span class="s1">'TRACE'</span><span class="p">):</span> <span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="s1">'_dont_enforce_csrf_checks'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span> <span class="c1"># Mechanism to turn off CSRF checks for test suite.</span> <span class="c1"># It comes after the creation of CSRF cookies, so that</span> <span class="c1"># everything else continues to work exactly the same</span> <span class="c1"># (e.g. 
cookies are sent, etc.), but before any</span> <span class="c1"># branches that call reject().</span> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_accept</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">is_secure</span><span class="p">():</span> <span class="c1"># Suppose user visits http://example.com/</span> <span class="c1"># An active network attacker (man-in-the-middle, MITM) sends a</span> <span class="c1"># POST form that targets https://example.com/detonate-bomb/ and</span> <span class="c1"># submits it via JavaScript.</span> <span class="c1">#</span> <span class="c1"># The attacker will need to provide a CSRF cookie and token, but</span> <span class="c1"># that's no problem for a MITM and the session-independent</span> <span class="c1"># secret we're using. So the MITM can circumvent the CSRF</span> <span class="c1"># protection. This is true for any HTTP connection, but anyone</span> <span class="c1"># using HTTPS expects better! For this reason, for</span> <span class="c1"># https://example.com/ we need additional protection that treats</span> <span class="c1"># http://example.com/ as completely untrusted. Under HTTPS,</span> <span class="c1"># Barth et al. 
found that the Referer header is missing for</span> <span class="c1"># same-domain requests in only about 0.2% of cases or less, so</span> <span class="c1"># we can use strict Referer checking.</span> <span class="n">referer</span> <span class="o">=</span> <span class="n">force_text</span><span class="p">(</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'HTTP_REFERER'</span><span class="p">),</span> <span class="n">strings_only</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">errors</span><span class="o">=</span><span class="s1">'replace'</span> <span class="p">)</span> <span class="k">if</span> <span class="n">referer</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_NO_REFERER</span><span class="p">)</span> <span class="n">referer</span> <span class="o">=</span> <span class="n">urlparse</span><span class="p">(</span><span class="n">referer</span><span class="p">)</span> <span class="c1"># Make sure we have a valid URL for Referer.</span> <span class="k">if</span> <span class="s1">''</span> <span class="ow">in</span> <span class="p">(</span><span class="n">referer</span><span class="o">.</span><span class="n">scheme</span><span class="p">,</span> <span class="n">referer</span><span class="o">.</span><span class="n">netloc</span><span class="p">):</span> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_MALFORMED_REFERER</span><span class="p">)</span> <span class="c1"># Ensure 
that our Referer is also secure.</span> <span class="k">if</span> <span class="n">referer</span><span class="o">.</span><span class="n">scheme</span> <span class="o">!=</span> <span class="s1">'https'</span><span class="p">:</span> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_INSECURE_REFERER</span><span class="p">)</span> <span class="c1"># If there isn't a CSRF_COOKIE_DOMAIN, require an exact match</span> <span class="c1"># match on host:port. If not, obey the cookie rules (or those</span> <span class="c1"># for the session cookie, if CSRF_USE_SESSIONS).</span> <span class="n">good_referer</span> <span class="o">=</span> <span class="p">(</span> <span class="n">settings</span><span class="o">.</span><span class="n">SESSION_COOKIE_DOMAIN</span> <span class="k">if</span> <span class="n">settings</span><span class="o">.</span><span class="n">CSRF_USE_SESSIONS</span> <span class="k">else</span> <span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_DOMAIN</span> <span class="p">)</span> <span class="k">if</span> <span class="n">good_referer</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span> <span class="n">server_port</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">get_port</span><span class="p">()</span> <span class="k">if</span> <span class="n">server_port</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">(</span><span class="s1">'443'</span><span class="p">,</span> <span class="s1">'80'</span><span class="p">):</span> <span class="n">good_referer</span> <span class="o">=</span> <span class="s1">'</span><span class="si">%s</span><span class="s1">:</span><span class="si">%s</span><span class="s1">'</span> <span class="o">%</span> 
<span class="p">(</span><span class="n">good_referer</span><span class="p">,</span> <span class="n">server_port</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># request.get_host() includes the port.</span> <span class="n">good_referer</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">get_host</span><span class="p">()</span> <span class="c1"># Here we generate a list of all acceptable HTTP referers,</span> <span class="c1"># including the current host since that has been validated</span> <span class="c1"># upstream.</span> <span class="n">good_hosts</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_TRUSTED_ORIGINS</span><span class="p">)</span> <span class="n">good_hosts</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">good_referer</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="nb">any</span><span class="p">(</span><span class="n">is_same_domain</span><span class="p">(</span><span class="n">referer</span><span class="o">.</span><span class="n">netloc</span><span class="p">,</span> <span class="n">host</span><span class="p">)</span> <span class="k">for</span> <span class="n">host</span> <span class="ow">in</span> <span class="n">good_hosts</span><span class="p">):</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">REASON_BAD_REFERER</span> <span class="o">%</span> <span class="n">referer</span><span class="o">.</span><span class="n">geturl</span><span class="p">()</span> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">reason</span><span class="p">)</span> <span 
class="n">csrf_token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'CSRF_COOKIE'</span><span class="p">)</span> <span class="k">if</span> <span class="n">csrf_token</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span> <span class="c1"># No CSRF cookie. For POST requests, we insist on a CSRF cookie,</span> <span class="c1"># and in this way we can avoid all CSRF attacks, including login</span> <span class="c1"># CSRF.</span> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_NO_CSRF_COOKIE</span><span class="p">)</span> <span class="c1"># Check non-cookie token for match.</span> <span class="n">request_csrf_token</span> <span class="o">=</span> <span class="s2">""</span> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="o">==</span> <span class="s2">"POST"</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">request_csrf_token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">POST</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'csrfmiddlewaretoken'</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="k">except</span> <span class="ne">IOError</span><span class="p">:</span> <span class="c1"># Handle a broken connection before we've completed reading</span> <span class="c1"># the POST data. 
process_view shouldn't raise any</span> <span class="c1"># exceptions, so we'll ignore and serve the user a 403</span> <span class="c1"># (assuming they're still listening, which they probably</span> <span class="c1"># aren't because of the error).</span> <span class="k">pass</span> <span class="k">if</span> <span class="n">request_csrf_token</span> <span class="o">==</span> <span class="s2">""</span><span class="p">:</span> <span class="c1"># Fall back to X-CSRFToken, to make things easier for AJAX,</span> <span class="c1"># and possible for PUT/DELETE.</span> <span class="n">request_csrf_token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_HEADER_NAME</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="n">request_csrf_token</span> <span class="o">=</span> <span class="n">_sanitize_token</span><span class="p">(</span><span class="n">request_csrf_token</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">_compare_salted_tokens</span><span class="p">(</span><span class="n">request_csrf_token</span><span class="p">,</span> <span class="n">csrf_token</span><span class="p">):</span> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_BAD_TOKEN</span><span class="p">)</span> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_accept</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">def</span> <span class="nf">process_response</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span 
class="n">request</span><span class="p">,</span> <span class="n">response</span><span class="p">):</span> <span class="k">if</span> <span class="ow">not</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="s1">'csrf_cookie_needs_reset'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span> <span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="s1">'csrf_cookie_set'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span> <span class="k">return</span> <span class="n">response</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">"CSRF_COOKIE_USED"</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span> <span class="k">return</span> <span class="n">response</span> <span class="c1"># Set the CSRF cookie even if it's already set, so we renew</span> <span class="c1"># the expiry timer.</span> <span class="bp">self</span><span class="o">.</span><span class="n">_set_token</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">response</span><span class="p">)</span> <span class="n">response</span><span class="o">.</span><span class="n">csrf_cookie_set</span> <span class="o">=</span> <span class="kc">True</span> <span class="k">return</span> <span class="n">response</span></div> </pre></div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <div class="searchformwrapper"> <form class="search" 