blinkster: web/lib/django/contrib/csrf/middleware.py@0d40e90630ef (annotated)

0 0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	1	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	2	Cross Site Request Forgery Middleware.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	3
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	4	This module provides a middleware that implements protection
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	5	against request forgeries from other sites.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	6	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	7
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	8	import re
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	9	import itertools
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	10	try:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	11	from functools import wraps
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	12	except ImportError:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	13	from django.utils.functional import wraps # Python 2.3, 2.4 fallback.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	14
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	15	from django.conf import settings
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	16	from django.http import HttpResponseForbidden
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	17	from django.utils.hashcompat import md5_constructor
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	18	from django.utils.safestring import mark_safe
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	19
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	20	_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	21
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	22	_POST_FORM_RE = \
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	23	re.compile(r'(<form\W[^>]\bmethod\s=\s(\'\|"\|)POST(\'\|"\|)\b[^>]>)', re.IGNORECASE)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	24
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	25	_HTML_TYPES = ('text/html', 'application/xhtml+xml')
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	26
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	27	def _make_token(session_id):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	28	return md5_constructor(settings.SECRET_KEY + session_id).hexdigest()
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	29
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	30	class CsrfViewMiddleware(object):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	31	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	32	Middleware that requires a present and correct csrfmiddlewaretoken
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	33	for POST requests that have an active session.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	34	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	35	def process_view(self, request, callback, callback_args, callback_kwargs):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	36	if request.method == 'POST':
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	37	if getattr(callback, 'csrf_exempt', False):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	38	return None
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	39
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	40	if request.is_ajax():
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	41	return None
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	42
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	43	try:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	44	session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	45	except KeyError:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	46	# No session, no check required
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	47	return None
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	48
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	49	csrf_token = _make_token(session_id)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	50	# check incoming token
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	51	try:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	52	request_csrf_token = request.POST['csrfmiddlewaretoken']
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	53	except KeyError:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	54	return HttpResponseForbidden(_ERROR_MSG)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	55
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	56	if request_csrf_token != csrf_token:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	57	return HttpResponseForbidden(_ERROR_MSG)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	58
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	59	return None
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	60
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	61	class CsrfResponseMiddleware(object):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	62	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	63	Middleware that post-processes a response to add a
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	64	csrfmiddlewaretoken if the response/request have an active
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	65	session.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	66	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	67	def process_response(self, request, response):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	68	if getattr(response, 'csrf_exempt', False):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	69	return response
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	70
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	71	csrf_token = None
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	72	try:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	73	# This covers a corner case in which the outgoing response
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	74	# both contains a form and sets a session cookie. This
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	75	# really should not be needed, since it is best if views
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	76	# that create a new session (login pages) also do a
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	77	# redirect, as is done by all such view functions in
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	78	# Django.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	79	cookie = response.cookies[settings.SESSION_COOKIE_NAME]
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	80	csrf_token = _make_token(cookie.value)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	81	except KeyError:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	82	# Normal case - look for existing session cookie
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	83	try:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	84	session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	85	csrf_token = _make_token(session_id)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	86	except KeyError:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	87	# no incoming or outgoing cookie
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	88	pass
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	89
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	90	if csrf_token is not None and \
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	91	response['Content-Type'].split(';')[0] in _HTML_TYPES:
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	92
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	93	# ensure we don't add the 'id' attribute twice (HTML validity)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	94	idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	95	itertools.repeat(''))
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	96	def add_csrf_field(match):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	97	"""Returns the matched <form> tag plus the added <input> element"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	98	return mark_safe(match.group() + "<div style='display:none;'>" + \
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	99	"<input type='hidden' " + idattributes.next() + \
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	100	" name='csrfmiddlewaretoken' value='" + csrf_token + \
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	101	"' /></div>")
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	102
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	103	# Modify any POST forms
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	104	response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	105	return response
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	106
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	107	class CsrfMiddleware(CsrfViewMiddleware, CsrfResponseMiddleware):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	108	"""Django middleware that adds protection against Cross Site
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	109	Request Forgeries by adding hidden form fields to POST forms and
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	110	checking requests for the correct value.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	111
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	112	In the list of middlewares, SessionMiddleware is required, and
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	113	must come after this middleware. CsrfMiddleWare must come after
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	114	compression middleware.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	115
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	116	If a session ID cookie is present, it is hashed with the
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	117	SECRET_KEY setting to create an authentication token. This token
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	118	is added to all outgoing POST forms and is expected on all
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	119	incoming POST requests that have a session ID cookie.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	120
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	121	If you are setting cookies directly, instead of using Django's
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	122	session framework, this middleware will not work.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	123
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	124	CsrfMiddleWare is composed of two middleware, CsrfViewMiddleware
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	125	and CsrfResponseMiddleware which can be used independently.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	126	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	127	pass
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	128
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	129	def csrf_response_exempt(view_func):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	130	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	131	Modifies a view function so that its response is exempt
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	132	from the post-processing of the CSRF middleware.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	133	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	134	def wrapped_view(args, *kwargs):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	135	resp = view_func(args, *kwargs)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	136	resp.csrf_exempt = True
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	137	return resp
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	138	return wraps(view_func)(wrapped_view)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	139
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	140	def csrf_view_exempt(view_func):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	141	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	142	Marks a view function as being exempt from CSRF view protection.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	143	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	144	# We could just do view_func.csrf_exempt = True, but decorators
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	145	# are nicer if they don't have side-effects, so we return a new
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	146	# function.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	147	def wrapped_view(args, *kwargs):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	148	return view_func(args, *kwargs)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	149	wrapped_view.csrf_exempt = True
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	150	return wraps(view_func)(wrapped_view)
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	151
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	152	def csrf_exempt(view_func):
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	153	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	154	Marks a view function as being exempt from the CSRF checks
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	155	and post processing.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	156
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	157	This is the same as using both the csrf_view_exempt and
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	158	csrf_response_exempt decorators.
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	159	"""
0d40e90630ef Blinkster creation ymh <ymh.work@gmail.com> parents: diff changeset	160	return csrf_response_exempt(csrf_view_exempt(view_func))

author	ymh <ymh.work@gmail.com>
	Wed, 20 Jan 2010 00:34:04 +0100
changeset 0	0d40e90630ef
child 29	cc9b7e14412b
permissions	-rw-r--r--