Changeset 8193 for django/trunk/django/contrib/csrf
- Timestamp:
- 08/02/08 00:56:57 (4 months ago)
- Files:
-
- django/trunk/django/contrib/csrf/middleware.py (modified) (5 diffs)
Legend:
- Unmodified
- Added
- Removed
- Modified
- Copied
- Moved
django/trunk/django/contrib/csrf/middleware.py
r6671 r8193 3 3 4 4 This module provides a middleware that implements protection 5 against request forgeries from other sites. 5 against request forgeries from other sites. 6 """ 6 7 7 """ 8 import re 9 import itertools 10 8 11 from django.conf import settings 9 12 from django.http import HttpResponseForbidden 13 from django.utils.hashcompat import md5_constructor 10 14 from django.utils.safestring import mark_safe 11 import md512 import re13 import itertools14 15 15 16 _ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>') … … 17 18 _POST_FORM_RE = \ 18 19 re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE) 19 20 _HTML_TYPES = ('text/html', 'application/xhtml+xml') 20 21 _HTML_TYPES = ('text/html', 'application/xhtml+xml') 21 22 22 23 def _make_token(session_id): 23 return md5 .new(settings.SECRET_KEY + session_id).hexdigest()24 return md5_constructor(settings.SECRET_KEY + session_id).hexdigest() 24 25 25 26 class CsrfMiddleware(object): 26 27 """Django middleware that adds protection against Cross Site 27 Request Forgeries by adding hidden form fields to POST forms and 28 checking requests for the correct value. 29 30 In the list of middlewares, SessionMiddleware is required, and must come 31 after this middleware. CsrfMiddleWare must come after compression 28 Request Forgeries by adding hidden form fields to POST forms and 29 checking requests for the correct value. 30 31 In the list of middlewares, SessionMiddleware is required, and must come 32 after this middleware. CsrfMiddleWare must come after compression 32 33 middleware. 33 34 If a session ID cookie is present, it is hashed with the SECRET_KEY 35 setting to create an authentication token. This token is added to all 36 outgoing POST forms and is expected on all incoming POST requests that 34 35 If a session ID cookie is present, it is hashed with the SECRET_KEY 36 setting to create an authentication token. This token is added to all 37 outgoing POST forms and is expected on all incoming POST requests that 37 38 have a session ID cookie. 38 39 If you are setting cookies directly, instead of using Django's session 39 40 If you are setting cookies directly, instead of using Django's session 40 41 framework, this middleware will not work. 41 42 """ 42 43 43 44 def process_request(self, request): 44 45 if request.method == 'POST': … … 55 56 except KeyError: 56 57 return HttpResponseForbidden(_ERROR_MSG) 57 58 58 59 if request_csrf_token != csrf_token: 59 60 return HttpResponseForbidden(_ERROR_MSG) 60 61 61 62 return None 62 63 … … 67 68 csrf_token = _make_token(cookie.value) 68 69 except KeyError: 69 # No outgoing cookie to set session, but 70 # No outgoing cookie to set session, but 70 71 # a session might already exist. 71 72 try: … … 75 76 # no incoming or outgoing cookie 76 77 pass 77 78 78 79 if csrf_token is not None and \ 79 80 response['Content-Type'].split(';')[0] in _HTML_TYPES: 80 81 81 82 # ensure we don't add the 'id' attribute twice (HTML validity) 82 idattributes = itertools.chain(("id='csrfmiddlewaretoken'",), 83 idattributes = itertools.chain(("id='csrfmiddlewaretoken'",), 83 84 itertools.repeat('')) 84 85 def add_csrf_field(match):
