U PN^"-@sddlZddlZddlZddlZddlmZddlmZmZm Z m Z m Z ddl m Z mZmZddlmZddlmZddlmZddlmZd d lmZmZmZd ZeeZdd d Z dddZ!d ddZ"GdddeZ#Gddde$Z%Gddde%Z&GdddeZ'ddZ(dS)!N)wraps) Blueprint current_appgrequestsession)BadDataSignatureExpiredURLSafeTimedSerializer) BadRequest) safe_str_cmp)ValidationError)CSRF)FlaskWTFDeprecationWarning string_typesurlparse) generate_csrf validate_csrf CSRFProtectcCsvt|dtjdd}t|dddd}|tkrl|tkrJttd t|<t |dd }t t|| t|t |S) aGenerate a CSRF token. The token is cached for a request, so multiple calls to this function will generate the same token. During testing, it might be useful to access the signed token in ``g.csrf_token`` and the raw token in ``session['csrf_token']``. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param token_key: Key where token is stored in session for comparision. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. WTF_CSRF_SECRET_KEY%A secret key is required to use CSRF.messageWTF_CSRF_FIELD_NAME csrf_token%A field name is required to use CSRF.@wtf-csrf-tokenZsalt) _get_configr secret_keyrrhashlibsha1osurandom hexdigestr setattrdumpsget)r! token_key field_namesr-5/tmp/pip-install-o1yuzyg2/flask-wtf/flask_wtf/csrf.pyrs$  rcCst|dtjdd}t|dddd}t|ddd d }|s>td |tkrNtd t|d d}z|j||d}Wn6tk rtdYntk rtdYnXt t||stddS)a Check if the given data is a valid CSRF token. This compares the given signed token to the one stored in the session. :param data: The signed CSRF token to be checked. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param time_limit: Number of seconds that the token is valid. Default is ``WTF_CSRF_TIME_LIMIT`` or 3600 seconds (60 minutes). :param token_key: Key where token is stored in session for comparision. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. :raises ValidationError: Contains the reason that validation failed. .. versionchanged:: 0.14 Raises ``ValidationError`` with a specific error message rather than returning ``True`` or ``False``. rrrrrrWTF_CSRF_TIME_LIMITF)requiredzThe CSRF token is missing.z"The CSRF session token is missing.rr)Zmax_agezThe CSRF token has expired.zThe CSRF token is invalid.zThe CSRF tokens do not match.N) r rr!r rr loadsr rr )datar!Z time_limitr*r+r,tokenr-r-r.r4s>  rTCSRF is not configured.cCs.|dkrtj||}|r*|dkr*t||S)aFind config value based on provided value, Flask config, and default value. :param value: already provided config value :param config_name: Flask ``config`` key :param default: default value if not provided or configured :param required: whether the value must not be ``None`` :param message: error message if required config is not found :raises KeyError: if required config is not found N)rconfigr)KeyError)valueZ config_namedefaultr1rr-r-r.r fs  r cs,eZdZfddZddZddZZS)_FlaskFormCSRFcs|j|_tt||SN)metasuperr: setup_form)selfform __class__r-r.r>sz_FlaskFormCSRF.setup_formcCst|jj|jjdS)N)r!r*)rr< csrf_secretcsrf_field_name)r?Zcsrf_token_fieldr-r-r.generate_csrf_tokensz"_FlaskFormCSRF.generate_csrf_tokenc CsjtddrdSz t|j|jj|jj|jjWn4tk rd}zt |j dW5d}~XYnXdS)N csrf_validFr) rr)rr3r<rCZcsrf_time_limitrDr loggerinfoargs)r?r@fielder-r-r.validate_csrf_tokens z"_FlaskFormCSRF.validate_csrf_token)__name__ __module__ __qualname__r>rErL __classcell__r-r-rAr.r:~s r:c@sJeZdZdZdddZddZddZd d Zd d Zd dZ ddZ dS)ra[Enable CSRF protection globally for a Flask app. :: app = Flask(__name__) csrf = CsrfProtect(app) Checks the ``csrf_token`` field sent with forms, or the ``X-CSRFToken`` header sent with JavaScript requests. Render the token in templates using ``{{ csrf_token() }}``. See the :ref:`csrf` documentation. NcCs"t|_t|_|r||dSr;)set _exempt_views_exempt_blueprintsinit_appr?appr-r-r.__init__szCSRFProtect.__init__csjd<jddjddtjddddd gjd<jd d jd d dgjddjddtjjd <ddj fdd}dS)NZcsrfWTF_CSRF_ENABLEDTWTF_CSRF_CHECK_DEFAULTWTF_CSRF_METHODSPOSTPUTPATCHDELETErrWTF_CSRF_HEADERSz X-CSRFTokenz X-CSRF-Tokenr/r0WTF_CSRF_SSL_STRICTcSsdtiS)Nr)rr-r-r-r.z&CSRFProtect.init_app..csjdsdSjdsdStjjdkr0dStjs:dSjtj}|sPdStjjkr`dSd|j|j f}|j kr~dS dS)NrXrYrZ%s.%s) r6rmethodZendpointZview_functionsr)Z blueprintrSrNrMrRprotect)viewdestrVr?r-r. csrf_protects"    z*CSRFProtect.init_app..csrf_protect) extensionsr6 setdefaultrQr)rZ jinja_envglobalsZcontext_processorZbefore_request)r?rVrir-rhr.rTs$   zCSRFProtect.init_appcCsbtjd}tjD]$}||rtj|}|r|SqtjdD]}tj|}|r@|Sq@dS)Nrr_)rr6rr@endswithheadersr))r?r+keyr header_namer-r-r._get_csrf_tokens       zCSRFProtect._get_csrf_tokenc CstjtjdkrdSzt|WnBtk rf}z$t|j d| |j dW5d}~XYnXtj rtjdrtj s| dd tj}ttj |s| ddt_dS)NrZrr`zThe referrer header is missing.z https://{0}/z%The referrer does not match the host.T)rrdrr6rrqr rGrHrI_error_responseZ is_secureZreferrerformathost same_originrrF)r?rKZ good_referrerr-r-r.res"    zCSRFProtect.protectcCsLt|tr|j|j|St|tr,|}nd|j|jf}|j||S)aMark a view or blueprint to be excluded from CSRF protection. :: @app.route('/some-view', methods=['POST']) @csrf.exempt def some_view(): ... :: bp = Blueprint(...) csrf.exempt(bp) rc) isinstancerrSaddnamerrNrMrR)r?rfZ view_locationr-r-r.exempt s   zCSRFProtect.exemptcCs t|dSr;) CSRFError)r?reasonr-r-r.rr&szCSRFProtect._error_responsecs0tjtdddtfdd}||_S)aRegister a function that will generate the response for CSRF errors. .. deprecated:: 0.14 Use the standard Flask error system with ``@app.errorhandler(CSRFError)`` instead. This will be removed in version 1.0. The function will be passed one argument, ``reason``. By default it will raise a :class:`~flask_wtf.csrf.CSRFError`. :: @csrf.error_handler def csrf_error(reason): return render_template('error.html', reason=reason) Due to historical reasons, the function may either return a response or raise an exception with :func:`flask.abort`. z"@csrf.error_handler" is deprecated. Use the standard Flask error system with "@app.errorhandler(CSRFError)" instead. This will beremoved in 1.0. stacklevelcs&t|}t|jdd|ddS)NT)Zas_text)response)rZ make_responserzget_data)r{rrfr-r.handlerBsz*CSRFProtect.error_handler..handler)warningswarnrrrr)r?rfrr-rr. error_handler)szCSRFProtect.error_handler)N) rMrNrO__doc__rWrTrqreryrrrr-r-r-r.rs /rcs"eZdZdZdfdd ZZS) CsrfProtectzW .. deprecated:: 0.14 Renamed to :class:`~flask_wtf.csrf.CSRFProtect`. Ncs(tjtdddtt|j|ddS)NzU"flask_wtf.CsrfProtect" has been renamed to "CSRFProtect" and will be removed in 1.0.r|r})rV)rrrr=rrWrUrAr-r.rWQs zCsrfProtect.__init__)N)rMrNrOrrWrPr-r-rAr.rKsrc@seZdZdZdZdS)rzzRaise if the client sends invalid CSRF data with the request. Generates a 400 Bad Request response with the failure reason by default. Customize the response by registering a handler with :meth:`flask.Flask.errorhandler`. zCSRF validation failed.N)rMrNrOr descriptionr-r-r-r.rzYsrzcCs4t|}t|}|j|jko2|j|jko2|j|jkSr;)rschemehostnameport)Z current_uriZ compare_uricurrentcomparer-r-r.ruds   ru)NN)NNN)NTr5))r"loggingr$r functoolsrZflaskrrrrrZ itsdangerousrr r Zwerkzeug.exceptionsr Zwerkzeug.securityr Zwtformsr Zwtforms.csrf.corer_compatrrr__all__ getLoggerrMrGrrr r:objectrrrzrur-r-r-r.s2       3 2