217 lines
8.7 KiB
Python
217 lines
8.7 KiB
Python
"""
|
|
Cross Site Request Forgery Middleware.
|
|
|
|
This module provides a middleware that implements protection
|
|
against request forgeries from other sites.
|
|
"""
|
|
|
|
import hashlib
|
|
import re
|
|
import random
|
|
|
|
from django.conf import settings
|
|
from django.core.urlresolvers import get_callable
|
|
from django.utils.cache import patch_vary_headers
|
|
from django.utils.http import same_origin
|
|
from django.utils.log import getLogger
|
|
from django.utils.crypto import constant_time_compare, get_random_string
|
|
|
|
logger = getLogger('django.request')
|
|
|
|
REASON_NO_REFERER = "Referer checking failed - no Referer."
|
|
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
|
|
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
|
|
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
|
|
|
|
CSRF_KEY_LENGTH = 32
|
|
|
|
def _get_failure_view():
|
|
"""
|
|
Returns the view to be used for CSRF rejections
|
|
"""
|
|
return get_callable(settings.CSRF_FAILURE_VIEW)
|
|
|
|
|
|
def _get_new_csrf_key():
|
|
return get_random_string(CSRF_KEY_LENGTH)
|
|
|
|
|
|
def get_token(request):
|
|
"""
|
|
Returns the the CSRF token required for a POST form. The token is an
|
|
alphanumeric value.
|
|
|
|
A side effect of calling this function is to make the the csrf_protect
|
|
decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
|
|
header to the outgoing response. For this reason, you may need to use this
|
|
function lazily, as is done by the csrf context processor.
|
|
"""
|
|
request.META["CSRF_COOKIE_USED"] = True
|
|
return request.META.get("CSRF_COOKIE", None)
|
|
|
|
|
|
def _sanitize_token(token):
|
|
# Allow only alphanum, and ensure we return a 'str' for the sake
|
|
# of the post processing middleware.
|
|
if len(token) > CSRF_KEY_LENGTH:
|
|
return _get_new_csrf_key()
|
|
token = re.sub('[^a-zA-Z0-9]+', '', str(token.decode('ascii', 'ignore')))
|
|
if token == "":
|
|
# In case the cookie has been truncated to nothing at some point.
|
|
return _get_new_csrf_key()
|
|
return token
|
|
|
|
|
|
class CsrfViewMiddleware(object):
|
|
"""
|
|
Middleware that requires a present and correct csrfmiddlewaretoken
|
|
for POST requests that have a CSRF cookie, and sets an outgoing
|
|
CSRF cookie.
|
|
|
|
This middleware should be used in conjunction with the csrf_token template
|
|
tag.
|
|
"""
|
|
# The _accept and _reject methods currently only exist for the sake of the
|
|
# requires_csrf_token decorator.
|
|
def _accept(self, request):
|
|
# Avoid checking the request twice by adding a custom attribute to
|
|
# request. This will be relevant when both decorator and middleware
|
|
# are used.
|
|
request.csrf_processing_done = True
|
|
return None
|
|
|
|
def _reject(self, request, reason):
|
|
return _get_failure_view()(request, reason=reason)
|
|
|
|
def process_view(self, request, callback, callback_args, callback_kwargs):
|
|
|
|
if getattr(request, 'csrf_processing_done', False):
|
|
return None
|
|
|
|
try:
|
|
csrf_token = _sanitize_token(
|
|
request.COOKIES[settings.CSRF_COOKIE_NAME])
|
|
# Use same token next time
|
|
request.META['CSRF_COOKIE'] = csrf_token
|
|
except KeyError:
|
|
csrf_token = None
|
|
# Generate token and store it in the request, so it's
|
|
# available to the view.
|
|
request.META["CSRF_COOKIE"] = _get_new_csrf_key()
|
|
|
|
# Wait until request.META["CSRF_COOKIE"] has been manipulated before
|
|
# bailing out, so that get_token still works
|
|
if getattr(callback, 'csrf_exempt', False):
|
|
return None
|
|
|
|
# Assume that anything not defined as 'safe' by RC2616 needs protection
|
|
if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
|
|
if getattr(request, '_dont_enforce_csrf_checks', False):
|
|
# Mechanism to turn off CSRF checks for test suite.
|
|
# It comes after the creation of CSRF cookies, so that
|
|
# everything else continues to work exactly the same
|
|
# (e.g. cookies are sent, etc.), but before any
|
|
# branches that call reject().
|
|
return self._accept(request)
|
|
|
|
if request.is_secure():
|
|
# Suppose user visits http://example.com/
|
|
# An active network attacker (man-in-the-middle, MITM) sends a
|
|
# POST form that targets https://example.com/detonate-bomb/ and
|
|
# submits it via JavaScript.
|
|
#
|
|
# The attacker will need to provide a CSRF cookie and token, but
|
|
# that's no problem for a MITM and the session-independent
|
|
# nonce we're using. So the MITM can circumvent the CSRF
|
|
# protection. This is true for any HTTP connection, but anyone
|
|
# using HTTPS expects better! For this reason, for
|
|
# https://example.com/ we need additional protection that treats
|
|
# http://example.com/ as completely untrusted. Under HTTPS,
|
|
# Barth et al. found that the Referer header is missing for
|
|
# same-domain requests in only about 0.2% of cases or less, so
|
|
# we can use strict Referer checking.
|
|
referer = request.META.get('HTTP_REFERER')
|
|
if referer is None:
|
|
logger.warning('Forbidden (%s): %s',
|
|
REASON_NO_REFERER, request.path,
|
|
extra={
|
|
'status_code': 403,
|
|
'request': request,
|
|
}
|
|
)
|
|
return self._reject(request, REASON_NO_REFERER)
|
|
|
|
# Note that request.get_host() includes the port.
|
|
good_referer = 'https://%s/' % request.get_host()
|
|
if not same_origin(referer, good_referer):
|
|
reason = REASON_BAD_REFERER % (referer, good_referer)
|
|
logger.warning('Forbidden (%s): %s', reason, request.path,
|
|
extra={
|
|
'status_code': 403,
|
|
'request': request,
|
|
}
|
|
)
|
|
return self._reject(request, reason)
|
|
|
|
if csrf_token is None:
|
|
# No CSRF cookie. For POST requests, we insist on a CSRF cookie,
|
|
# and in this way we can avoid all CSRF attacks, including login
|
|
# CSRF.
|
|
logger.warning('Forbidden (%s): %s',
|
|
REASON_NO_CSRF_COOKIE, request.path,
|
|
extra={
|
|
'status_code': 403,
|
|
'request': request,
|
|
}
|
|
)
|
|
return self._reject(request, REASON_NO_CSRF_COOKIE)
|
|
|
|
# Check non-cookie token for match.
|
|
request_csrf_token = ""
|
|
if request.method == "POST":
|
|
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
|
|
|
|
if request_csrf_token == "":
|
|
# Fall back to X-CSRFToken, to make things easier for AJAX,
|
|
# and possible for PUT/DELETE.
|
|
request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
|
|
|
|
if not constant_time_compare(request_csrf_token, csrf_token):
|
|
logger.warning('Forbidden (%s): %s',
|
|
REASON_BAD_TOKEN, request.path,
|
|
extra={
|
|
'status_code': 403,
|
|
'request': request,
|
|
}
|
|
)
|
|
return self._reject(request, REASON_BAD_TOKEN)
|
|
|
|
return self._accept(request)
|
|
|
|
def process_response(self, request, response):
|
|
if getattr(response, 'csrf_processing_done', False):
|
|
return response
|
|
|
|
# If CSRF_COOKIE is unset, then CsrfViewMiddleware.process_view was
|
|
# never called, probaby because a request middleware returned a response
|
|
# (for example, contrib.auth redirecting to a login page).
|
|
if request.META.get("CSRF_COOKIE") is None:
|
|
return response
|
|
|
|
if not request.META.get("CSRF_COOKIE_USED", False):
|
|
return response
|
|
|
|
# Set the CSRF cookie even if it's already set, so we renew
|
|
# the expiry timer.
|
|
response.set_cookie(settings.CSRF_COOKIE_NAME,
|
|
request.META["CSRF_COOKIE"],
|
|
max_age = 60 * 60 * 24 * 7 * 52,
|
|
domain=settings.CSRF_COOKIE_DOMAIN,
|
|
path=settings.CSRF_COOKIE_PATH,
|
|
secure=settings.CSRF_COOKIE_SECURE
|
|
)
|
|
# Content varies with the CSRF cookie, so set the Vary header.
|
|
patch_vary_headers(response, ('Cookie',))
|
|
response.csrf_processing_done = True
|
|
return response
|