U gg'@sddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z ddlm Z ddl m Z dd l mZdd l mZdd lmZdd lmZdd lmZdZeeZdddZd ddZd!ddZGdddeZGdddZGdddeZddZ dS)"N)urlparse) Blueprint) current_app)g)request)session)BadData)SignatureExpired)URLSafeTimedSerializer) BadRequest)ValidationError)CSRF) generate_csrf validate_csrf CSRFProtectcCst|dtjdd}t|dddd}|tkrt|dd}|tkrVtt d  t|<z| t|}Wn:t k rtt d  t|<| t|}YnXt t||t|S) aGenerate a CSRF token. The token is cached for a request, so multiple calls to this function will generate the same token. During testing, it might be useful to access the signed token in ``g.csrf_token`` and the raw token in ``session['csrf_token']``. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param token_key: Key where token is stored in session for comparison. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. WTF_CSRF_SECRET_KEY%A secret key is required to use CSRF.messageWTF_CSRF_FIELD_NAME csrf_token%A field name is required to use CSRF.wtf-csrf-tokensalt@) _get_configr secret_keyrr rhashlibsha1osurandom hexdigestdumps TypeErrorsetattrget)r token_key field_namestokenr+2/tmp/pip-unpacked-wheel-htolim9p/flask_wtf/csrf.pyrs.   rc Cst|dtjdd}t|dddd}t|ddd d }|s>td |tkrNtd t|d d}z|j||d}WnVtk r}ztd|W5d}~XYn,tk r}ztd|W5d}~XYnXt t||stddS)aCheck if the given data is a valid CSRF token. This compares the given signed token to the one stored in the session. :param data: The signed CSRF token to be checked. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param time_limit: Number of seconds that the token is valid. Default is ``WTF_CSRF_TIME_LIMIT`` or 3600 seconds (60 minutes). :param token_key: Key where token is stored in session for comparison. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. :raises ValidationError: Contains the reason that validation failed. .. versionchanged:: 0.14 Raises ``ValidationError`` with a specific error message rather than returning ``True`` or ``False``. rrrrrrWTF_CSRF_TIME_LIMITF)requiredzThe CSRF token is missing.z"The CSRF session token is missing.rr)Zmax_agezThe CSRF token has expired.NzThe CSRF token is invalid.zThe CSRF tokens do not match.) rrrr rr loadsr rhmaccompare_digest)datarZ time_limitr'r(r)r*er+r+r,rBs4 rTCSRF is not configured.cCs.|dkrtj||}|r*|dkr*t||S)aFind config value based on provided value, Flask config, and default value. :param value: already provided config value :param config_name: Flask ``config`` key :param default: default value if not provided or configured :param required: whether the value must not be ``None`` :param message: error message if required config is not found :raises KeyError: if required config is not found N)rconfigr& RuntimeError)valueZ config_namedefaultr/rr+r+r,rvs  rcs,eZdZfddZddZddZZS)_FlaskFormCSRFcs|j|_t|SN)metasuper setup_form)selfform __class__r+r,r>sz_FlaskFormCSRF.setup_formcCst|jj|jjdS)N)rr')rr< csrf_secretcsrf_field_name)r?Zcsrf_token_fieldr+r+r,generate_csrf_tokensz"_FlaskFormCSRF.generate_csrf_tokenc CsjtddrdSz t|j|jj|jj|jjWn4tk rd}zt |j dW5d}~XYnXdS)N csrf_validFr) rr&rr3r<rCZcsrf_time_limitrDr loggerinfoargs)r?r@fieldr4r+r+r,validate_csrf_tokens z"_FlaskFormCSRF.validate_csrf_token)__name__ __module__ __qualname__r>rErK __classcell__r+r+rAr,r:s r:c@sBeZdZdZdddZddZddZd d Zd d Zd dZ dS)ra[Enable CSRF protection globally for a Flask app. :: app = Flask(__name__) csrf = CSRFProtect(app) Checks the ``csrf_token`` field sent with forms, or the ``X-CSRFToken`` header sent with JavaScript requests. Render the token in templates using ``{{ csrf_token() }}``. See the :ref:`csrf` documentation. NcCs"t|_t|_|r||dSr;)set _exempt_views_exempt_blueprintsinit_app)r?appr+r+r,__init__szCSRFProtect.__init__csjd<jddjddtjddddd gjd<jd d jd d dgjddjddtjjd <ddj fdd}dS)NZcsrfWTF_CSRF_ENABLEDTWTF_CSRF_CHECK_DEFAULTWTF_CSRF_METHODSPOSTPUTPATCHDELETErrWTF_CSRF_HEADERSz X-CSRFTokenz X-CSRF-Tokenr-r.WTF_CSRF_SSL_STRICTcSsdtiS)Nr)rr+r+r+r,z&CSRFProtect.init_app..csjdsdSjdsdStjjdkr0dStjs:dSjtjjkrRdSjtj}|j d|j }|j krdS dS)NrVrWrX.) r6rmethodZendpointZ blueprintsr&Z blueprintrRZview_functionsrMrLrQprotect)viewdestrTr?r+r, csrf_protects   z*CSRFProtect.init_app..csrf_protect) extensionsr6 setdefaultrPr&rZ jinja_envglobalsZcontext_processorZbefore_request)r?rTrgr+rfr,rSs   zCSRFProtect.init_appcCsvtjd}tj|}|r|StjD]$}||r$tj|}|r$|Sq$tjdD]}tj|}|rT|SqTdS)Nrr])rr6rr@r&endswithheaders)r?r(Z base_tokenkeyr header_namer+r+r,_get_csrf_tokens        zCSRFProtect._get_csrf_tokenc CstjtjdkrdSzt|WnBtk rf}z$t|j d| |j dW5d}~XYnXtj rtjdrtj s| ddtj d}ttj |s| ddt_dS) NrXrr^zThe referrer header is missing.zhttps:///z%The referrer does not match the host.T)rrbrr6rror rGrHrI_error_responseZ is_secureZreferrerhost same_originrrF)r?r4Z good_referrerr+r+r,rcs"   zCSRFProtect.protectcCsLt|tr|j||St|tr*|}nd|j|jf}|j||S)aMark a view or blueprint to be excluded from CSRF protection. :: @app.route('/some-view', methods=['POST']) @csrf.exempt def some_view(): ... :: bp = Blueprint(...) csrf.exempt(bp) ra) isinstancerrRaddstrjoinrMrLrQ)r?rdZ view_locationr+r+r,exempts    zCSRFProtect.exemptcCs t|dSr;) CSRFError)r?reasonr+r+r,rq2szCSRFProtect._error_response)N) rLrMrN__doc__rUrSrorcrxrqr+r+r+r,rs )rc@seZdZdZdZdS)ryzRaise if the client sends invalid CSRF data with the request. Generates a 400 Bad Request response with the failure reason by default. Customize the response by registering a handler with :meth:`flask.Flask.errorhandler`. zCSRF validation failed.N)rLrMrNr{ descriptionr+r+r+r,ry6srycCs4t|}t|}|j|jko2|j|jko2|j|jkSr;)rschemehostnameport)Z current_uriZ compare_uricurrentcomparer+r+r,rsAs   rs)NN)NNN)NTr5)!rr1loggingr urllib.parserZflaskrrrrrZ itsdangerousrr r Zwerkzeug.exceptionsr Zwtformsr Zwtforms.csrf.corer __all__ getLoggerrLrGrrrr:rryrsr+r+r+r,s8              + 5