U [+d=M@sdZddlZddlZddlmZddlmZddlmZddl m Z m Z ddl m Z ddlmZdd lmZdd lmZdd lmZmZdd lmZdd lmZddlmZddlmZddlm Z e!dZ"e dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,dZ-de-Z.ej/ej0Z1dZ2dd Z3d!d"Z4d#d$Z5d%d&Z6d'd(Z7d)d*Z8d+d,Z9Gd-d.d.e:Z;d/d0ZGd5d6d6eZ?dS)7z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. N) defaultdicturlparse)settings)DisallowedHostImproperlyConfigured)UnreadablePostError) HttpHeaders) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)cached_propertyis_same_domain) log_response)_lazy_re_compilezdjango.security.csrfz [^a-zA-Z0-9]z?Origin checking failed - %s does not match any trusted origins.z%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.zCSRF token missing.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.zhas incorrect lengthzhas invalid characters Z _csrftokencCs ttjS)z/Return the view to be used for CSRF rejections.)r rZCSRF_FAILURE_VIEWrr:/tmp/pip-unpacked-wheel-n7e__lmp/django/middleware/csrf.py_get_failure_view2srcCs tttdS)N) allowed_chars)r CSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrrr_get_new_csrf_string7srcsPt}ttfdd|Dfdd|D}dfdd|D}||S)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret. c3s|]}|VqdSNindex.0xcharsrr Bsz&_mask_cipher_secret..c3s&|]\}}||tVqdSr)lenr!r"yr#rrr%Cs)rrzipjoin)secretmaskpairscipherrr#r_mask_cipher_secret;s &r0csZ|dt}|td}ttfdd|Dfdd|D}dfdd|DS)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret. Nc3s|]}|VqdSrrr r#rrr%Psz'_unmask_cipher_token..r&c3s|]\}}||VqdSrrr(r#rrr%Qs)rrr*r+)tokenr-r.rr#r_unmask_cipher_tokenGs   &r2cCs*t}|jtjrt|n|dd|S)zDGenerate a new random CSRF_COOKIE value, and add it to request.META.T) CSRF_COOKIECSRF_COOKIE_NEEDS_UPDATE)rMETAupdaterZCSRF_COOKIE_MASKEDr0request csrf_secretrrr_add_new_csrf_cookieTs  r:cCs0d|jkr |jd}d|jd<nt|}t|S)a Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor. r3Tr4)r5r:r0r7rrr get_tokenfs   r;cCs t|dS)zi Change the CSRF token in use for a request - should be done on login for security purposes. N)r:)r8rrr rotate_token{sr<c@seZdZddZdS)InvalidTokenFormatcCs ||_dSrreasonselfr?rrr__init__szInvalidTokenFormat.__init__N__name__ __module__ __qualname__rBrrrrr=sr=cCs.t|ttfkrttt|r*ttdS)z Raise an InvalidTokenFormat error if the token has an invalid length or characters that aren't allowed. The token argument can be a CSRF cookie secret or non-cookie CSRF token, and either masked or unmasked. N)r'CSRF_TOKEN_LENGTHrr=REASON_INCORRECT_LENGTHinvalid_token_chars_researchREASON_INVALID_CHARACTERS)r1rrr_check_token_formats rLcCs.t|tkrt|}t|tks$tt||S)a Return whether the given CSRF token matches the given CSRF secret, after unmasking the token if necessary. This function assumes that the request_csrf_token argument has been validated to have the correct length (CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH characters) and allowed characters, and that if it has length CSRF_TOKEN_LENGTH, it is a masked secret. )r'rGr2rAssertionErrorr )request_csrf_tokenr9rrr_does_token_matchs rOc@seZdZddZdS) RejectRequestcCs ||_dSrr>r@rrrrBszRejectRequest.__init__NrCrrrrrPsrPc@seZdZdZeddZeddZeddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZdS)CsrfViewMiddlewarez Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie. This middleware should be used in conjunction with the {% csrf_token %} template tag. cCsddtjDS)NcSsg|]}t|jdqS*)rnetloclstripr!originrrr szACsrfViewMiddleware.csrf_trusted_origins_hosts..rCSRF_TRUSTED_ORIGINSrArrrcsrf_trusted_origins_hostssz-CsrfViewMiddleware.csrf_trusted_origins_hostscCsddtjDS)NcSsh|]}d|kr|qSrRrrVrrr sz;CsrfViewMiddleware.allowed_origins_exact..rYr[rrrallowed_origins_exactsz(CsrfViewMiddleware.allowed_origins_exactcCs:tt}ddtjDD]}||j|jdq|S)z A mapping of allowed schemes to list of allowed netlocs, where all subdomains of the netloc are allowed. css|]}d|krt|VqdS)rSNrrVrrrr%sz?CsrfViewMiddleware.allowed_origin_subdomains..rS)rlistrrZschemeappendrTrU)rAallowed_origin_subdomainsparsedrrrrbs  z,CsrfViewMiddleware.allowed_origin_subdomainscCs d|_dS)NT)csrf_processing_done)rAr8rrr_acceptszCsrfViewMiddleware._acceptcCs(t||d}td||j||td|S)Nr>zForbidden (%s): %s)responser8logger)rrpathrg)rAr8r?rfrrr_rejectszCsrfViewMiddleware._rejectcCstjr6z|jt}Wqhtk r2tdYqhXn2z|jtj}Wnt k r^d}Yn Xt ||dkrtdSt |t krt |}|S)a Return the CSRF secret originally associated with the request, or None if it didn't have one. If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if the request's secret has invalid characters or an invalid length. zCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.N)rCSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorrZCOOKIESCSRF_COOKIE_NAMEKeyErrorrLr'rGr2rAr8r9rrr _get_secrets"   zCsrfViewMiddleware._get_secretc Csjtjr.|jt|jdkrf|jd|jt<n8|jtj|jdtjtj tj tj tj tj dt|ddS)Nr3)Zmax_agedomainrhsecurehttponlysamesite)Cookie)rrjrkrlrmr5 set_cookieroZCSRF_COOKIE_AGECSRF_COOKIE_DOMAINZCSRF_COOKIE_PATHZCSRF_COOKIE_SECUREZCSRF_COOKIE_HTTPONLYZCSRF_COOKIE_SAMESITEr rAr8rfrrr_set_csrf_cookies z#CsrfViewMiddleware._set_csrf_cookiecs|jd}z |}Wntk r*Yn&Xd|r:dnd|f}||krPdS||jkr^dSz t|}Wntk rYdSX|j}|jt fdd|j |d DS) N HTTP_ORIGINz%s://%shttpshttpTFc3s|]}t|VqdSrrr!hostZrequest_netlocrrr%*sz6CsrfViewMiddleware._origin_verified..r) r5get_hostr is_securer^r ValueErrorr`rTanyrbrl)rAr8Zrequest_originZ good_hostZ good_originZ parsed_originZrequest_schemerrr_origin_verifieds,      z#CsrfViewMiddleware._origin_verifiedcs|jddkrttz tWntk rDttYnXdjjfkr^ttjdkrptt t fdd|j DrdSt j rt jnt j}|dkrz |}Wqtk rttYqXn|}|dkrd||f}tj|sttdS)NZ HTTP_REFERERr&r}c3s|]}tj|VqdSr)rrTrZrefererrrr%Asz4CsrfViewMiddleware._check_referer..)44380z%s:%s)r5rlrPREASON_NO_REFERERrrREASON_MALFORMED_REFERERr`rTREASON_INSECURE_REFERERrr\rrjZSESSION_COOKIE_DOMAINryrrREASON_BAD_REFERERgeturlZget_portr)rAr8Z good_refererZ server_portrrr_check_referer/s:      z!CsrfViewMiddleware._check_referercCs0|dkrt|}d|d}d|d|dS)NPOSTzthe z HTTP headerzCSRF token from  .)r Zparse_header_name)rAr? token_source header_namerrr_bad_token_message\s  z%CsrfViewMiddleware._bad_token_messagec Cs8z||}Wn4tk rB}ztd|jdW5d}~XYnX|dkrTttd}|jdkrz|jdd}Wntk rYnX|dkrz|j t j }Wnt k rtt YnXt j }nd}z t|Wn:tk r}z||j|}t|W5d}~XYnXt||s4|d|}t|dS)Nz CSRF cookie rr&rZcsrfmiddlewaretokenZ incorrect)rrr=rPr?REASON_NO_CSRF_COOKIEmethodrrlrr5rZCSRF_HEADER_NAMErpREASON_CSRF_TOKEN_MISSINGrLrrO)rAr8r9excrNrr?rrr _check_tokencs6$    zCsrfViewMiddleware._check_tokencCsBz||}Wntk r*t|YnX|dk r>||jd<dS)Nr3)rrr=r:r5rqrrrprocess_requests z"CsrfViewMiddleware.process_requestc Cst|ddrdSt|ddr dS|jdkr4||St|ddrJ||Sd|jkrv||s||t|jdSnL|rz||Wn4t k r}z|||j WYSd}~XYnXz| |Wn6t k r}z|||j WYSd}~XYnX||S)NrdFZ csrf_exempt)GETHEADOPTIONSTRACEZ_dont_enforce_csrf_checksr|) getattrrrer5rriREASON_BAD_ORIGINrrrPr?r)rAr8callback callback_argscallback_kwargsrrrr process_views0         $$zCsrfViewMiddleware.process_viewcCs&|jdr"|||d|jd<|S)Nr4F)r5rlr{rzrrrprocess_responses   z#CsrfViewMiddleware.process_responseN)rDrErF__doc__rr\r^rbrerirrr{rrrrrrrrrrrrQs$     -4 9rQ)@rloggingstring collectionsr urllib.parserZ django.confrZdjango.core.exceptionsrrZ django.httprZdjango.http.requestr Z django.urlsr Zdjango.utils.cacher Zdjango.utils.cryptor r Zdjango.utils.deprecationrZdjango.utils.functionalrZdjango.utils.httprZdjango.utils.logrZdjango.utils.regex_helperr getLoggerrgrIrrrrrrrrHrKrrG ascii_lettersdigitsrrmrrr0r2r:r;r< Exceptionr=rLrOrPrQrrrrsX