<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>django.middleware.csrf — Django 1.11.20 documentation</title>
<link rel="stylesheet" href="../../../_static/default.css" type="text/css" />
<link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
<script type="text/javascript" id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script>
<script type="text/javascript" src="../../../_static/jquery.js"></script>
<script type="text/javascript" src="../../../_static/underscore.js"></script>
<script type="text/javascript" src="../../../_static/doctools.js"></script>
<script type="text/javascript" src="../../../_static/language_data.js"></script>
<link rel="index" title="Index" href="../../../genindex.html" />
<link rel="search" title="Search" href="../../../search.html" />
<script type="text/javascript" src="../../../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
if (!django_template_builtins) {
// templatebuiltins.js missing, do nothing.
return;
}
$(document).ready(function() {
// Hyperlink Django template tags and filters
var base = "../../../ref/templates/builtins.html";
if (base == "#") {
// Special case for builtins.html itself
base = "";
}
// Tags are keywords, class '.k'
$("div.highlight\\-html\\+django span.k").each(function(i, elem) {
var tagname = $(elem).text();
if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
var fragment = tagname.replace(/_/, '-');
$(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
}
});
// Filters are functions, class '.nf'
$("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
var filtername = $(elem).text();
if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
var fragment = filtername.replace(/_/, '-');
$(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
}
});
});
})(jQuery);
</script>
</head><body>
<div class="document">
<div id="custom-doc" class="yui-t6">
<div id="hd">
<h1><a href="../../../index.html">Django 1.11.20 documentation</a></h1>
<div id="global-nav">
<a title="Home page" href="../../../index.html">Home</a> |
<a title="Table of contents" href="../../../contents.html">Table of contents</a> |
<a title="Global index" href="../../../genindex.html">Index</a> |
<a title="Module index" href="../../../py-modindex.html">Modules</a>
</div>
<div class="nav">
<a href="../../index.html" title="Module code" accesskey="U">up</a></div>
</div>
<div id="bd">
<div id="yui-main">
<div class="yui-b">
<div class="yui-g" id="_modules-django-middleware-csrf">
<h1>Source code for django.middleware.csrf</h1><div class="highlight"><pre>
<span></span><span class="sd">"""</span>
<span class="sd">Cross Site Request Forgery Middleware.</span>
<span class="sd">This module provides a middleware that implements protection</span>
<span class="sd">against request forgeries from other sites.</span>
<span class="sd">"""</span>
<span class="kn">from</span> <span class="nn">__future__</span> <span class="k">import</span> <span class="n">unicode_literals</span>
<span class="kn">import</span> <span class="nn">logging</span>
<span class="kn">import</span> <span class="nn">re</span>
<span class="kn">import</span> <span class="nn">string</span>
<span class="kn">from</span> <span class="nn">django.conf</span> <span class="k">import</span> <span class="n">settings</span>
<span class="kn">from</span> <span class="nn">django.core.exceptions</span> <span class="k">import</span> <span class="n">ImproperlyConfigured</span>
<span class="kn">from</span> <span class="nn">django.urls</span> <span class="k">import</span> <span class="n">get_callable</span>
<span class="kn">from</span> <span class="nn">django.utils.cache</span> <span class="k">import</span> <span class="n">patch_vary_headers</span>
<span class="kn">from</span> <span class="nn">django.utils.crypto</span> <span class="k">import</span> <span class="n">constant_time_compare</span><span class="p">,</span> <span class="n">get_random_string</span>
<span class="kn">from</span> <span class="nn">django.utils.deprecation</span> <span class="k">import</span> <span class="n">MiddlewareMixin</span>
<span class="kn">from</span> <span class="nn">django.utils.encoding</span> <span class="k">import</span> <span class="n">force_text</span>
<span class="kn">from</span> <span class="nn">django.utils.http</span> <span class="k">import</span> <span class="n">is_same_domain</span>
<span class="kn">from</span> <span class="nn">django.utils.six.moves</span> <span class="k">import</span> <span class="nb">zip</span>
<span class="kn">from</span> <span class="nn">django.utils.six.moves.urllib.parse</span> <span class="k">import</span> <span class="n">urlparse</span>
<span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="o">.</span><span class="n">getLogger</span><span class="p">(</span><span class="s1">'django.security.csrf'</span><span class="p">)</span>
<span class="n">REASON_NO_REFERER</span> <span class="o">=</span> <span class="s2">"Referer checking failed - no Referer."</span>
<span class="n">REASON_BAD_REFERER</span> <span class="o">=</span> <span class="s2">"Referer checking failed - </span><span class="si">%s</span><span class="s2"> does not match any trusted origins."</span>
<span class="n">REASON_NO_CSRF_COOKIE</span> <span class="o">=</span> <span class="s2">"CSRF cookie not set."</span>
<span class="n">REASON_BAD_TOKEN</span> <span class="o">=</span> <span class="s2">"CSRF token missing or incorrect."</span>
<span class="n">REASON_MALFORMED_REFERER</span> <span class="o">=</span> <span class="s2">"Referer checking failed - Referer is malformed."</span>
<span class="n">REASON_INSECURE_REFERER</span> <span class="o">=</span> <span class="s2">"Referer checking failed - Referer is insecure while host is secure."</span>
<span class="n">CSRF_SECRET_LENGTH</span> <span class="o">=</span> <span class="mi">32</span>
<span class="n">CSRF_TOKEN_LENGTH</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">CSRF_SECRET_LENGTH</span>
<span class="n">CSRF_ALLOWED_CHARS</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="o">.</span><span class="n">digits</span>
<span class="n">CSRF_SESSION_KEY</span> <span class="o">=</span> <span class="s1">'_csrftoken'</span>
<span class="k">def</span> <span class="nf">_get_failure_view</span><span class="p">():</span>
<span class="sd">"""</span>
<span class="sd"> Returns the view to be used for CSRF rejections</span>
<span class="sd"> """</span>
<span class="k">return</span> <span class="n">get_callable</span><span class="p">(</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_FAILURE_VIEW</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">_get_new_csrf_string</span><span class="p">():</span>
<span class="k">return</span> <span class="n">get_random_string</span><span class="p">(</span><span class="n">CSRF_SECRET_LENGTH</span><span class="p">,</span> <span class="n">allowed_chars</span><span class="o">=</span><span class="n">CSRF_ALLOWED_CHARS</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">_salt_cipher_secret</span><span class="p">(</span><span class="n">secret</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a</span>
<span class="sd"> token by adding a salt and using it to encrypt the secret.</span>
<span class="sd"> """</span>
<span class="n">salt</span> <span class="o">=</span> <span class="n">_get_new_csrf_string</span><span class="p">()</span>
<span class="n">chars</span> <span class="o">=</span> <span class="n">CSRF_ALLOWED_CHARS</span>
<span class="n">pairs</span> <span class="o">=</span> <span class="nb">zip</span><span class="p">((</span><span class="n">chars</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">secret</span><span class="p">),</span> <span class="p">(</span><span class="n">chars</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">salt</span><span class="p">))</span>
<span class="n">cipher</span> <span class="o">=</span> <span class="s1">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">chars</span><span class="p">[(</span><span class="n">x</span> <span class="o">+</span> <span class="n">y</span><span class="p">)</span> <span class="o">%</span> <span class="nb">len</span><span class="p">(</span><span class="n">chars</span><span class="p">)]</span> <span class="k">for</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span> <span class="ow">in</span> <span class="n">pairs</span><span class="p">)</span>
<span class="k">return</span> <span class="n">salt</span> <span class="o">+</span> <span class="n">cipher</span>
<span class="k">def</span> <span class="nf">_unsalt_cipher_token</span><span class="p">(</span><span class="n">token</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length</span>
<span class="sd"> CSRF_TOKEN_LENGTH, and that its first half is a salt), use it to decrypt</span>
<span class="sd"> the second half to produce the original secret.</span>
<span class="sd"> """</span>
<span class="n">salt</span> <span class="o">=</span> <span class="n">token</span><span class="p">[:</span><span class="n">CSRF_SECRET_LENGTH</span><span class="p">]</span>
<span class="n">token</span> <span class="o">=</span> <span class="n">token</span><span class="p">[</span><span class="n">CSRF_SECRET_LENGTH</span><span class="p">:]</span>
<span class="n">chars</span> <span class="o">=</span> <span class="n">CSRF_ALLOWED_CHARS</span>
<span class="n">pairs</span> <span class="o">=</span> <span class="nb">zip</span><span class="p">((</span><span class="n">chars</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">token</span><span class="p">),</span> <span class="p">(</span><span class="n">chars</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">salt</span><span class="p">))</span>
<span class="n">secret</span> <span class="o">=</span> <span class="s1">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">chars</span><span class="p">[</span><span class="n">x</span> <span class="o">-</span> <span class="n">y</span><span class="p">]</span> <span class="k">for</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span> <span class="ow">in</span> <span class="n">pairs</span><span class="p">)</span> <span class="c1"># Note negative values are ok</span>
<span class="k">return</span> <span class="n">secret</span>
<span class="k">def</span> <span class="nf">_get_new_csrf_token</span><span class="p">():</span>
<span class="k">return</span> <span class="n">_salt_cipher_secret</span><span class="p">(</span><span class="n">_get_new_csrf_string</span><span class="p">())</span>
<span class="k">def</span> <span class="nf">get_token</span><span class="p">(</span><span class="n">request</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> Returns the CSRF token required for a POST form. The token is an</span>
<span class="sd"> alphanumeric value. A new token is created if one is not already set.</span>
<span class="sd"> A side effect of calling this function is to make the csrf_protect</span>
<span class="sd"> decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'</span>
<span class="sd"> header to the outgoing response. For this reason, you may need to use this</span>
<span class="sd"> function lazily, as is done by the csrf context processor.</span>
<span class="sd"> """</span>
<span class="k">if</span> <span class="s2">"CSRF_COOKIE"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">:</span>
<span class="n">csrf_secret</span> <span class="o">=</span> <span class="n">_get_new_csrf_string</span><span class="p">()</span>
<span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s2">"CSRF_COOKIE"</span><span class="p">]</span> <span class="o">=</span> <span class="n">_salt_cipher_secret</span><span class="p">(</span><span class="n">csrf_secret</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">csrf_secret</span> <span class="o">=</span> <span class="n">_unsalt_cipher_token</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s2">"CSRF_COOKIE"</span><span class="p">])</span>
<span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s2">"CSRF_COOKIE_USED"</span><span class="p">]</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">return</span> <span class="n">_salt_cipher_secret</span><span class="p">(</span><span class="n">csrf_secret</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">rotate_token</span><span class="p">(</span><span class="n">request</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> Changes the CSRF token in use for a request - should be done on login</span>
<span class="sd"> for security purposes.</span>
<span class="sd"> """</span>
<span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">update</span><span class="p">({</span>
<span class="s2">"CSRF_COOKIE_USED"</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s2">"CSRF_COOKIE"</span><span class="p">:</span> <span class="n">_get_new_csrf_token</span><span class="p">(),</span>
<span class="p">})</span>
<span class="n">request</span><span class="o">.</span><span class="n">csrf_cookie_needs_reset</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">def</span> <span class="nf">_sanitize_token</span><span class="p">(</span><span class="n">token</span><span class="p">):</span>
<span class="c1"># Allow only ASCII alphanumerics</span>
<span class="k">if</span> <span class="n">re</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s1">'[^a-zA-Z0-9]'</span><span class="p">,</span> <span class="n">force_text</span><span class="p">(</span><span class="n">token</span><span class="p">)):</span>
<span class="k">return</span> <span class="n">_get_new_csrf_token</span><span class="p">()</span>
<span class="k">elif</span> <span class="nb">len</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="o">==</span> <span class="n">CSRF_TOKEN_LENGTH</span><span class="p">:</span>
<span class="k">return</span> <span class="n">token</span>
<span class="k">elif</span> <span class="nb">len</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="o">==</span> <span class="n">CSRF_SECRET_LENGTH</span><span class="p">:</span>
<span class="c1"># Older Django versions set cookies to values of CSRF_SECRET_LENGTH</span>
<span class="c1"># alphanumeric characters. For backwards compatibility, accept</span>
<span class="c1"># such values as unsalted secrets.</span>
<span class="c1"># It's easier to salt here and be consistent later, rather than add</span>
<span class="c1"># different code paths in the checks, although that might be a tad more</span>
<span class="c1"># efficient.</span>
<span class="k">return</span> <span class="n">_salt_cipher_secret</span><span class="p">(</span><span class="n">token</span><span class="p">)</span>
<span class="k">return</span> <span class="n">_get_new_csrf_token</span><span class="p">()</span>
<span class="k">def</span> <span class="nf">_compare_salted_tokens</span><span class="p">(</span><span class="n">request_csrf_token</span><span class="p">,</span> <span class="n">csrf_token</span><span class="p">):</span>
<span class="c1"># Assume both arguments are sanitized -- that is, strings of</span>
<span class="c1"># length CSRF_TOKEN_LENGTH, all CSRF_ALLOWED_CHARS.</span>
<span class="k">return</span> <span class="n">constant_time_compare</span><span class="p">(</span>
<span class="n">_unsalt_cipher_token</span><span class="p">(</span><span class="n">request_csrf_token</span><span class="p">),</span>
<span class="n">_unsalt_cipher_token</span><span class="p">(</span><span class="n">csrf_token</span><span class="p">),</span>
<span class="p">)</span>
<div class="viewcode-block" id="CsrfViewMiddleware"><a class="viewcode-back" href="../../../ref/middleware.html#django.middleware.csrf.CsrfViewMiddleware">[docs]</a><span class="k">class</span> <span class="nc">CsrfViewMiddleware</span><span class="p">(</span><span class="n">MiddlewareMixin</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> Middleware that requires a present and correct csrfmiddlewaretoken</span>
<span class="sd"> for POST requests that have a CSRF cookie, and sets an outgoing</span>
<span class="sd"> CSRF cookie.</span>
<span class="sd"> This middleware should be used in conjunction with the csrf_token template</span>
<span class="sd"> tag.</span>
<span class="sd"> """</span>
<span class="c1"># The _accept and _reject methods currently only exist for the sake of the</span>
<span class="c1"># requires_csrf_token decorator.</span>
<span class="k">def</span> <span class="nf">_accept</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span>
<span class="c1"># Avoid checking the request twice by adding a custom attribute to</span>
<span class="c1"># request. This will be relevant when both decorator and middleware</span>
<span class="c1"># are used.</span>
<span class="n">request</span><span class="o">.</span><span class="n">csrf_processing_done</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">return</span> <span class="kc">None</span>
<span class="k">def</span> <span class="nf">_reject</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">reason</span><span class="p">):</span>
<span class="n">logger</span><span class="o">.</span><span class="n">warning</span><span class="p">(</span>
<span class="s1">'Forbidden (</span><span class="si">%s</span><span class="s1">): </span><span class="si">%s</span><span class="s1">'</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">request</span><span class="o">.</span><span class="n">path</span><span class="p">,</span>
<span class="n">extra</span><span class="o">=</span><span class="p">{</span>
<span class="s1">'status_code'</span><span class="p">:</span> <span class="mi">403</span><span class="p">,</span>
<span class="s1">'request'</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span>
<span class="p">}</span>
<span class="p">)</span>
<span class="k">return</span> <span class="n">_get_failure_view</span><span class="p">()(</span><span class="n">request</span><span class="p">,</span> <span class="n">reason</span><span class="o">=</span><span class="n">reason</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">_get_token</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span>
<span class="k">if</span> <span class="n">settings</span><span class="o">.</span><span class="n">CSRF_USE_SESSIONS</span><span class="p">:</span>
<span class="k">try</span><span class="p">:</span>
<span class="k">return</span> <span class="n">request</span><span class="o">.</span><span class="n">session</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">CSRF_SESSION_KEY</span><span class="p">)</span>
<span class="k">except</span> <span class="ne">AttributeError</span><span class="p">:</span>
<span class="k">raise</span> <span class="n">ImproperlyConfigured</span><span class="p">(</span>
<span class="s1">'CSRF_USE_SESSIONS is enabled, but request.session is not '</span>
<span class="s1">'set. SessionMiddleware must appear before CsrfViewMiddleware '</span>
<span class="s1">'in MIDDLEWARE</span><span class="si">%s</span><span class="s1">.'</span> <span class="o">%</span> <span class="p">(</span><span class="s1">'_CLASSES'</span> <span class="k">if</span> <span class="n">settings</span><span class="o">.</span><span class="n">MIDDLEWARE</span> <span class="ow">is</span> <span class="kc">None</span> <span class="k">else</span> <span class="s1">''</span><span class="p">)</span>
<span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">cookie_token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">COOKIES</span><span class="p">[</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_NAME</span><span class="p">]</span>
<span class="k">except</span> <span class="ne">KeyError</span><span class="p">:</span>
<span class="k">return</span> <span class="kc">None</span>
<span class="n">csrf_token</span> <span class="o">=</span> <span class="n">_sanitize_token</span><span class="p">(</span><span class="n">cookie_token</span><span class="p">)</span>
<span class="k">if</span> <span class="n">csrf_token</span> <span class="o">!=</span> <span class="n">cookie_token</span><span class="p">:</span>
<span class="c1"># Cookie token needed to be replaced;</span>
<span class="c1"># the cookie needs to be reset.</span>
<span class="n">request</span><span class="o">.</span><span class="n">csrf_cookie_needs_reset</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">return</span> <span class="n">csrf_token</span>
<span class="k">def</span> <span class="nf">_set_token</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">response</span><span class="p">):</span>
<span class="k">if</span> <span class="n">settings</span><span class="o">.</span><span class="n">CSRF_USE_SESSIONS</span><span class="p">:</span>
<span class="n">request</span><span class="o">.</span><span class="n">session</span><span class="p">[</span><span class="n">CSRF_SESSION_KEY</span><span class="p">]</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s1">'CSRF_COOKIE'</span><span class="p">]</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">response</span><span class="o">.</span><span class="n">set_cookie</span><span class="p">(</span>
<span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_NAME</span><span class="p">,</span>
<span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s1">'CSRF_COOKIE'</span><span class="p">],</span>
<span class="n">max_age</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_AGE</span><span class="p">,</span>
<span class="n">domain</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_DOMAIN</span><span class="p">,</span>
<span class="n">path</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_PATH</span><span class="p">,</span>
<span class="n">secure</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_SECURE</span><span class="p">,</span>
<span class="n">httponly</span><span class="o">=</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_HTTPONLY</span><span class="p">,</span>
<span class="p">)</span>
<span class="c1"># Set the Vary header since content varies with the CSRF cookie.</span>
<span class="n">patch_vary_headers</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="p">(</span><span class="s1">'Cookie'</span><span class="p">,))</span>
<span class="k">def</span> <span class="nf">process_request</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span>
<span class="n">csrf_token</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">_get_token</span><span class="p">(</span><span class="n">request</span><span class="p">)</span>
<span class="k">if</span> <span class="n">csrf_token</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span>
<span class="c1"># Use same token next time.</span>
<span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="p">[</span><span class="s1">'CSRF_COOKIE'</span><span class="p">]</span> <span class="o">=</span> <span class="n">csrf_token</span>
<span class="k">def</span> <span class="nf">process_view</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">callback_args</span><span class="p">,</span> <span class="n">callback_kwargs</span><span class="p">):</span>
<span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="s1">'csrf_processing_done'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span>
<span class="k">return</span> <span class="kc">None</span>
<span class="c1"># Wait until request.META["CSRF_COOKIE"] has been manipulated before</span>
<span class="c1"># bailing out, so that get_token still works</span>
<span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="s1">'csrf_exempt'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span>
<span class="k">return</span> <span class="kc">None</span>
<span class="c1"># Assume that anything not defined as 'safe' by RFC7231 needs protection</span>
<span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">(</span><span class="s1">'GET'</span><span class="p">,</span> <span class="s1">'HEAD'</span><span class="p">,</span> <span class="s1">'OPTIONS'</span><span class="p">,</span> <span class="s1">'TRACE'</span><span class="p">):</span>
<span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="s1">'_dont_enforce_csrf_checks'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span>
<span class="c1"># Mechanism to turn off CSRF checks for test suite.</span>
<span class="c1"># It comes after the creation of CSRF cookies, so that</span>
<span class="c1"># everything else continues to work exactly the same</span>
<span class="c1"># (e.g. cookies are sent, etc.), but before any</span>
<span class="c1"># branches that call reject().</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_accept</span><span class="p">(</span><span class="n">request</span><span class="p">)</span>
<span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">is_secure</span><span class="p">():</span>
<span class="c1"># Suppose user visits http://example.com/</span>
<span class="c1"># An active network attacker (man-in-the-middle, MITM) sends a</span>
<span class="c1"># POST form that targets https://example.com/detonate-bomb/ and</span>
<span class="c1"># submits it via JavaScript.</span>
<span class="c1">#</span>
<span class="c1"># The attacker will need to provide a CSRF cookie and token, but</span>
<span class="c1"># that's no problem for a MITM and the session-independent</span>
<span class="c1"># secret we're using. So the MITM can circumvent the CSRF</span>
<span class="c1"># protection. This is true for any HTTP connection, but anyone</span>
<span class="c1"># using HTTPS expects better! For this reason, for</span>
<span class="c1"># https://example.com/ we need additional protection that treats</span>
<span class="c1"># http://example.com/ as completely untrusted. Under HTTPS,</span>
<span class="c1"># Barth et al. found that the Referer header is missing for</span>
<span class="c1"># same-domain requests in only about 0.2% of cases or less, so</span>
<span class="c1"># we can use strict Referer checking.</span>
<span class="n">referer</span> <span class="o">=</span> <span class="n">force_text</span><span class="p">(</span>
<span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'HTTP_REFERER'</span><span class="p">),</span>
<span class="n">strings_only</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span>
<span class="n">errors</span><span class="o">=</span><span class="s1">'replace'</span>
<span class="p">)</span>
<span class="k">if</span> <span class="n">referer</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_NO_REFERER</span><span class="p">)</span>
<span class="n">referer</span> <span class="o">=</span> <span class="n">urlparse</span><span class="p">(</span><span class="n">referer</span><span class="p">)</span>
<span class="c1"># Make sure we have a valid URL for Referer.</span>
<span class="k">if</span> <span class="s1">''</span> <span class="ow">in</span> <span class="p">(</span><span class="n">referer</span><span class="o">.</span><span class="n">scheme</span><span class="p">,</span> <span class="n">referer</span><span class="o">.</span><span class="n">netloc</span><span class="p">):</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_MALFORMED_REFERER</span><span class="p">)</span>
<span class="c1"># Ensure that our Referer is also secure.</span>
<span class="k">if</span> <span class="n">referer</span><span class="o">.</span><span class="n">scheme</span> <span class="o">!=</span> <span class="s1">'https'</span><span class="p">:</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_INSECURE_REFERER</span><span class="p">)</span>
<span class="c1"># If there isn't a CSRF_COOKIE_DOMAIN, require an exact match</span>
<span class="c1"># match on host:port. If not, obey the cookie rules (or those</span>
<span class="c1"># for the session cookie, if CSRF_USE_SESSIONS).</span>
<span class="n">good_referer</span> <span class="o">=</span> <span class="p">(</span>
<span class="n">settings</span><span class="o">.</span><span class="n">SESSION_COOKIE_DOMAIN</span>
<span class="k">if</span> <span class="n">settings</span><span class="o">.</span><span class="n">CSRF_USE_SESSIONS</span>
<span class="k">else</span> <span class="n">settings</span><span class="o">.</span><span class="n">CSRF_COOKIE_DOMAIN</span>
<span class="p">)</span>
<span class="k">if</span> <span class="n">good_referer</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span>
<span class="n">server_port</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">get_port</span><span class="p">()</span>
<span class="k">if</span> <span class="n">server_port</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">(</span><span class="s1">'443'</span><span class="p">,</span> <span class="s1">'80'</span><span class="p">):</span>
<span class="n">good_referer</span> <span class="o">=</span> <span class="s1">'</span><span class="si">%s</span><span class="s1">:</span><span class="si">%s</span><span class="s1">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">good_referer</span><span class="p">,</span> <span class="n">server_port</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="c1"># request.get_host() includes the port.</span>
<span class="n">good_referer</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">get_host</span><span class="p">()</span>
<span class="c1"># Here we generate a list of all acceptable HTTP referers,</span>
<span class="c1"># including the current host since that has been validated</span>
<span class="c1"># upstream.</span>
<span class="n">good_hosts</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_TRUSTED_ORIGINS</span><span class="p">)</span>
<span class="n">good_hosts</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">good_referer</span><span class="p">)</span>
<span class="k">if</span> <span class="ow">not</span> <span class="nb">any</span><span class="p">(</span><span class="n">is_same_domain</span><span class="p">(</span><span class="n">referer</span><span class="o">.</span><span class="n">netloc</span><span class="p">,</span> <span class="n">host</span><span class="p">)</span> <span class="k">for</span> <span class="n">host</span> <span class="ow">in</span> <span class="n">good_hosts</span><span class="p">):</span>
<span class="n">reason</span> <span class="o">=</span> <span class="n">REASON_BAD_REFERER</span> <span class="o">%</span> <span class="n">referer</span><span class="o">.</span><span class="n">geturl</span><span class="p">()</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">reason</span><span class="p">)</span>
<span class="n">csrf_token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'CSRF_COOKIE'</span><span class="p">)</span>
<span class="k">if</span> <span class="n">csrf_token</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
<span class="c1"># No CSRF cookie. For POST requests, we insist on a CSRF cookie,</span>
<span class="c1"># and in this way we can avoid all CSRF attacks, including login</span>
<span class="c1"># CSRF.</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_NO_CSRF_COOKIE</span><span class="p">)</span>
<span class="c1"># Check non-cookie token for match.</span>
<span class="n">request_csrf_token</span> <span class="o">=</span> <span class="s2">""</span>
<span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="o">==</span> <span class="s2">"POST"</span><span class="p">:</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">request_csrf_token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">POST</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'csrfmiddlewaretoken'</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span>
<span class="k">except</span> <span class="ne">IOError</span><span class="p">:</span>
<span class="c1"># Handle a broken connection before we've completed reading</span>
<span class="c1"># the POST data. process_view shouldn't raise any</span>
<span class="c1"># exceptions, so we'll ignore and serve the user a 403</span>
<span class="c1"># (assuming they're still listening, which they probably</span>
<span class="c1"># aren't because of the error).</span>
<span class="k">pass</span>
<span class="k">if</span> <span class="n">request_csrf_token</span> <span class="o">==</span> <span class="s2">""</span><span class="p">:</span>
<span class="c1"># Fall back to X-CSRFToken, to make things easier for AJAX,</span>
<span class="c1"># and possible for PUT/DELETE.</span>
<span class="n">request_csrf_token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">settings</span><span class="o">.</span><span class="n">CSRF_HEADER_NAME</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span>
<span class="n">request_csrf_token</span> <span class="o">=</span> <span class="n">_sanitize_token</span><span class="p">(</span><span class="n">request_csrf_token</span><span class="p">)</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">_compare_salted_tokens</span><span class="p">(</span><span class="n">request_csrf_token</span><span class="p">,</span> <span class="n">csrf_token</span><span class="p">):</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_reject</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">REASON_BAD_TOKEN</span><span class="p">)</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">_accept</span><span class="p">(</span><span class="n">request</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">process_response</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">response</span><span class="p">):</span>
<span class="k">if</span> <span class="ow">not</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="s1">'csrf_cookie_needs_reset'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span>
<span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="s1">'csrf_cookie_set'</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span>
<span class="k">return</span> <span class="n">response</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">request</span><span class="o">.</span><span class="n">META</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">"CSRF_COOKIE_USED"</span><span class="p">,</span> <span class="kc">False</span><span class="p">):</span>
<span class="k">return</span> <span class="n">response</span>
<span class="c1"># Set the CSRF cookie even if it's already set, so we renew</span>
<span class="c1"># the expiry timer.</span>
<span class="bp">self</span><span class="o">.</span><span class="n">_set_token</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">response</span><span class="p">)</span>
<span class="n">response</span><span class="o">.</span><span class="n">csrf_cookie_set</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">return</span> <span class="n">response</span></div>
</pre></div>
</div>
</div>
</div>
<div class="yui-b" id="sidebar">
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="../../../search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<h3>Last update:</h3>
<p class="topless">Feb 11, 2019</p>
</div>
</div>
<div id="ft">
<div class="nav">
<a href="../../index.html" title="Module code" accesskey="U">up</a></div>
</div>
</div>
<div class="clearer"></div>
</div>
</body>
</html>
