django/middleware/csrf.py (Python bytecode dump; only the docstrings, string constants and identifiers are recoverable, rendered here as plain text)

Module docstring:
    Cross Site Request Forgery Middleware.
    This module provides a middleware that implements protection against request forgeries from other sites.

Imports: logging, re, string, urllib.parse.urlparse, django.conf.settings, django.core.exceptions (DisallowedHost, ImproperlyConfigured), django.urls.get_callable, django.utils.cache.patch_vary_headers, django.utils.crypto (constant_time_compare, get_random_string), django.utils.deprecation.MiddlewareMixin, django.utils.http.is_same_domain, django.utils.log.log_response

logger = logging.getLogger('django.security.csrf')

Rejection reasons:
    REASON_NO_REFERER = "Referer checking failed - no Referer."
    REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."
    REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
    REASON_BAD_TOKEN = "CSRF token missing or incorrect."
    REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
    REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."

Constants:
    CSRF_SECRET_LENGTH = 32 (Django's value; the integer itself is binary-encoded in the dump)
    CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
    CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
    CSRF_SESSION_KEY = '_csrftoken'

Module-level functions:
    _get_failure_view()
        "Return the view to be used for CSRF rejections." (get_callable(settings.CSRF_FAILURE_VIEW))
    _get_new_csrf_string()
        get_random_string(CSRF_SECRET_LENGTH, allowed_chars=CSRF_ALLOWED_CHARS)
    _mask_cipher_secret(secret)
        "Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret."
        Draws a fresh random mask, adds the index of each secret character to the index of the corresponding mask character modulo len(CSRF_ALLOWED_CHARS), and returns mask + cipher.
    _unmask_cipher_token(token)
        "Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret."
        Splits the token at CSRF_SECRET_LENGTH and subtracts the mask indices from the cipher indices.
    _get_new_csrf_token()
        _mask_cipher_secret(_get_new_csrf_string())
    get_token(request)
        "Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set.
        A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor."
        If request.META has no 'CSRF_COOKIE', a new secret is generated and its masked form stored there; otherwise the stored cookie is unmasked. Sets request.META['CSRF_COOKIE_USED'] = True and returns a freshly masked copy of the secret.
    rotate_token(request)
        "Change the CSRF token in use for a request - should be done on login for security purposes."
        Updates request.META with CSRF_COOKIE_USED=True and a new CSRF_COOKIE, and sets request.csrf_cookie_needs_reset = True.
    _sanitize_token(token)
        Any character outside [a-zA-Z0-9] yields a new token; a token of CSRF_TOKEN_LENGTH is returned unchanged; a token of CSRF_SECRET_LENGTH is masked; any other length yields a new token.
    _compare_masked_tokens(request_csrf_token, csrf_token)
        constant_time_compare(_unmask_cipher_token(request_csrf_token), _unmask_cipher_token(csrf_token))

class CsrfViewMiddleware(MiddlewareMixin):
    "Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie.
    This middleware should be used in conjunction with the {% csrf_token %} template tag."

    _accept(request): sets request.csrf_processing_done = True.
    _reject(request, reason): calls the failure view with reason=reason and logs 'Forbidden (%s): %s' (reason, request.path) through log_response; returns the response.
    _get_token(request): with settings.CSRF_USE_SESSIONS, reads request.session[CSRF_SESSION_KEY], raising ImproperlyConfigured("CSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.") if there is no session; otherwise reads request.COOKIES[settings.CSRF_COOKIE_NAME] (None on KeyError), sanitizes it, and sets request.csrf_cookie_needs_reset = True if sanitizing changed it.
    _set_token(request, response): with sessions, stores request.META['CSRF_COOKIE'] under CSRF_SESSION_KEY if it changed; otherwise response.set_cookie(settings.CSRF_COOKIE_NAME, request.META['CSRF_COOKIE'], max_age=CSRF_COOKIE_AGE, domain=CSRF_COOKIE_DOMAIN, path=CSRF_COOKIE_PATH, secure=CSRF_COOKIE_SECURE, httponly=CSRF_COOKIE_HTTPONLY, samesite=CSRF_COOKIE_SAMESITE) and patch_vary_headers(response, ('Cookie',)).
    process_request(request): stores the result of _get_token in request.META['CSRF_COOKIE'] when it is not None.
    process_view(request, callback, callback_args, callback_kwargs):
        - returns None if request.csrf_processing_done or callback.csrf_exempt is set;
        - accepts GET, HEAD, OPTIONS and TRACE, and any request with _dont_enforce_csrf_checks;
        - for request.is_secure(): rejects with REASON_NO_REFERER when HTTP_REFERER is absent, REASON_MALFORMED_REFERER when urlparse gives an empty scheme or netloc, REASON_INSECURE_REFERER when the scheme is not 'https'; builds good_referer from SESSION_COOKIE_DOMAIN (with sessions) or CSRF_COOKIE_DOMAIN, appending ':port' when request.get_port() is not '443' or '80', falling back to request.get_host() (ignored on DisallowedHost); good_hosts = list(settings.CSRF_TRUSTED_ORIGINS) plus good_referer; rejects with REASON_BAD_REFERER % referer.geturl() unless is_same_domain(referer.netloc, host) for some host;
        - rejects with REASON_NO_CSRF_COOKIE when request.META has no 'CSRF_COOKIE';
        - for POST reads request.POST['csrfmiddlewaretoken'] (OSError ignored), falling back to request.META[settings.CSRF_HEADER_NAME]; sanitizes it and rejects with REASON_BAD_TOKEN unless _compare_masked_tokens succeeds; otherwise _accept.
    process_response(request, response): unless request.csrf_cookie_needs_reset, returns early when response.csrf_cookie_set or when request.META['CSRF_COOKIE_USED'] is unset; otherwise _set_token and marks response.csrf_cookie_set = True.
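Added example, not Django's own code: a stand-alone reimplementation of the token masking, sanitizing and comparison that the docstrings above describe, so the scheme can be exercised without a Django project. The mask exists so that the same secret is rendered differently in every response (Django introduced it to mitigate BREACH-style compression attacks against the token), while comparison happens on the unmasked secrets. Assumptions: hmac.compare_digest stands in for django.utils.crypto.constant_time_compare, secrets.choice for get_random_string, and the optional mask argument and the verify_csrf() helper are this example's additions for testability.

```python
# Added example (not Django's own code): stand-alone reimplementation of the
# CSRF token masking scheme described by django/middleware/csrf.py.
# Assumptions: hmac.compare_digest replaces constant_time_compare, secrets.choice
# replaces get_random_string; the `mask` parameter and verify_csrf() are additions.
import hmac
import re
import secrets
import string

CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 symbols

REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def _get_new_csrf_string():
    """Random secret drawn from CSRF_ALLOWED_CHARS with a CSPRNG."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def _mask_cipher_secret(secret, mask=None):
    """Return mask + (secret + mask mod 62); each call yields a different token."""
    chars = CSRF_ALLOWED_CHARS
    if mask is None:  # a fixed mask is only for deterministic testing
        mask = _get_new_csrf_string()
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def _unmask_cipher_token(token):
    """Invert _mask_cipher_secret: first half is the mask, second half the ciphertext."""
    chars = CSRF_ALLOWED_CHARS
    mask = token[:CSRF_SECRET_LENGTH]
    body = token[CSRF_SECRET_LENGTH:]
    pairs = zip((chars.index(x) for x in body), (chars.index(x) for x in mask))
    # x - y may be negative; Python's negative indexing wraps, i.e. subtraction mod 62.
    return "".join(chars[x - y] for x, y in pairs)


def _get_new_csrf_token():
    return _mask_cipher_secret(_get_new_csrf_string())


def _sanitize_token(token):
    """Accept only well-formed tokens; anything else is replaced by a fresh one."""
    if re.search("[^a-zA-Z0-9]", token):
        return _get_new_csrf_token()
    if len(token) == CSRF_TOKEN_LENGTH:
        return token
    if len(token) == CSRF_SECRET_LENGTH:
        # A bare secret (an unmasked cookie) is upgraded to a masked token.
        return _mask_cipher_secret(token)
    return _get_new_csrf_token()


def _compare_masked_tokens(request_csrf_token, csrf_token):
    """Compare the underlying secrets, not the masked tokens, in constant time."""
    return hmac.compare_digest(
        _unmask_cipher_token(request_csrf_token), _unmask_cipher_token(csrf_token)
    )


def verify_csrf(cookie_token, submitted_token):
    """Mirror the tail of CsrfViewMiddleware.process_view for an unsafe request.

    cookie_token is what _get_token read from the cookie (None if absent);
    submitted_token is the form field or header value ('' if absent).
    Returns (accepted, reason).
    """
    if cookie_token is None:
        return False, REASON_NO_CSRF_COOKIE
    csrf_token = _sanitize_token(cookie_token)
    request_csrf_token = _sanitize_token(submitted_token or "")
    if not _compare_masked_tokens(request_csrf_token, csrf_token):
        return False, REASON_BAD_TOKEN
    return True, None


if __name__ == "__main__":
    secret = _get_new_csrf_string()
    cookie = _mask_cipher_secret(secret)      # what lands in the CSRF cookie
    form_field = _mask_cipher_secret(secret)  # what {% csrf_token %} renders
    print("tokens differ:", cookie != form_field)
    print("verify:", verify_csrf(cookie, form_field))
    print("forged:", verify_csrf(cookie, _get_new_csrf_token()))
```

Note that a malformed submitted value is never compared directly: _sanitize_token replaces it with a random token, so the comparison fails without leaking which check tripped, and the same happens for a corrupted cookie (which the real middleware additionally marks for reset).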