o h'@sddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z ddlm Z ddl m Z dd l mZdd l mZdd lmZdd lmZdd lmZdZeeZdddZd ddZ d!ddZGdddeZGdddZGdddeZddZ dS)"N)urlparse) Blueprint) current_app)g)request)session)BadData)SignatureExpired)URLSafeTimedSerializer) BadRequest)ValidationError)CSRF) generate_csrf validate_csrf CSRFProtectcCst|dtjdd}t|dddd}|tvrWt|dd}|tvr+tt d  t|<z | t|}Wnt yPtt d  t|<| t|}Ynwt t||t|S) aGenerate a CSRF token. The token is cached for a request, so multiple calls to this function will generate the same token. During testing, it might be useful to access the signed token in ``g.csrf_token`` and the raw token in ``session['csrf_token']``. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param token_key: Key where token is stored in session for comparison. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. WTF_CSRF_SECRET_KEY%A secret key is required to use CSRF.messageWTF_CSRF_FIELD_NAME csrf_token%A field name is required to use CSRF.wtf-csrf-tokensalt@) _get_configr secret_keyrr rhashlibsha1osurandom hexdigestdumps TypeErrorsetattrget)r token_key field_namestokenr+A/var/www/html/venv/lib/python3.10/site-packages/flask_wtf/csrf.pyrs0     rc Cst|dtjdd}t|dddd}t|ddd d }|std |tvr'td t|d d}z |j||d}Wn!tyG}ztd|d}~wtyW}ztd|d}~wwt t||sdtddS)aCheck if the given data is a valid CSRF token. This compares the given signed token to the one stored in the session. :param data: The signed CSRF token to be checked. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param time_limit: Number of seconds that the token is valid. Default is ``WTF_CSRF_TIME_LIMIT`` or 3600 seconds (60 minutes). :param token_key: Key where token is stored in session for comparison. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. :raises ValidationError: Contains the reason that validation failed. .. versionchanged:: 0.14 Raises ``ValidationError`` with a specific error message rather than returning ``True`` or ``False``. rrrrrrWTF_CSRF_TIME_LIMITF)requiredzThe CSRF token is missing.z"The CSRF session token is missing.rr)max_agezThe CSRF token has expired.NzThe CSRF token is invalid.zThe CSRF tokens do not match.) rrrr rr loadsr rhmaccompare_digest)datarZ time_limitr'r(r)r*er+r+r,rBs<   rTCSRF is not configured.cCs.|dur tj||}|r|durt||S)aFind config value based on provided value, Flask config, and default value. :param value: already provided config value :param config_name: Flask ``config`` key :param default: default value if not provided or configured :param required: whether the value must not be ``None`` :param message: error message if required config is not found :raises KeyError: if required config is not found N)rconfigr& RuntimeError)valueZ config_namedefaultr/rr+r+r,rvs  rcs,eZdZfddZddZddZZS)_FlaskFormCSRFcs|j|_t|SN)metasuper setup_form)selfform __class__r+r,r?s z_FlaskFormCSRF.setup_formcCst|jj|jjdS)N)rr')rr= csrf_secretcsrf_field_name)r@Zcsrf_token_fieldr+r+r,generate_csrf_tokens z"_FlaskFormCSRF.generate_csrf_tokenc Cs^tddrdSzt|j|jj|jj|jjWdSty.}z t |j dd}~ww)N csrf_validFr) rr&rr4r=rDZcsrf_time_limitrEr loggerinfoargs)r@rAfieldr5r+r+r,validate_csrf_tokens  z"_FlaskFormCSRF.validate_csrf_token)__name__ __module__ __qualname__r?rFrL __classcell__r+r+rBr,r;s r;c@sBeZdZdZdddZddZddZd d Zd d Zd dZ dS)ra[Enable CSRF protection globally for a Flask app. :: app = Flask(__name__) csrf = CSRFProtect(app) Checks the ``csrf_token`` field sent with forms, or the ``X-CSRFToken`` header sent with JavaScript requests. Render the token in templates using ``{{ csrf_token() }}``. See the :ref:`csrf` documentation. NcCs&t|_t|_|r||dSdSr<)set _exempt_views_exempt_blueprintsinit_app)r@appr+r+r,__init__s zCSRFProtect.__init__csjd<jddjddtjdgdjd<jddjd d d gjd d jddtjjd<ddj fdd}dS)NZcsrfWTF_CSRF_ENABLEDTWTF_CSRF_CHECK_DEFAULTWTF_CSRF_METHODS)POSTPUTPATCHDELETErrWTF_CSRF_HEADERSz X-CSRFTokenz X-CSRF-Tokenr-r.WTF_CSRF_SSL_STRICTcSsdtiS)Nr)rr+r+r+r,sz&CSRFProtect.init_app..csjdsdSjdsdStjjdvrdStjsdSjtjjvr)dSjtj}|j d|j }|j vr@dS dS)NrWrXrY.) r7rmethodZendpointZ blueprintsr& blueprintrSZview_functionsrNrMrRprotect)viewdestrUr@r+r, csrf_protects    z*CSRFProtect.init_app..csrf_protect) extensionsr7 setdefaultrQr&rZ jinja_envglobalsZcontext_processorZbefore_request)r@rUrhr+rgr,rTs   zCSRFProtect.init_appcCsvtjd}tj|}|r|StjD]}||r$tj|}|r$|SqtjdD]}tj|}|r8|Sq*dS)Nrr^)rr7rrAr&endswithheaders)r@r(Z base_tokenkeyr header_namer+r+r,_get_csrf_tokens      zCSRFProtect._get_csrf_tokenc Cstjtjdvr dSzt|Wn"ty4}zt|j d| |j dWYd}~nd}~wwtj rWtjdrWtj sE| ddtj d}ttj |sW| ddt_dS) NrYrr_zThe referrer header is missing.zhttps:///z%The referrer does not match the host.T)rrbrr7rrpr rHrIrJ_error_responseZ is_secureZreferrerhost same_originrrG)r@r5Z good_referrerr+r+r,rds     zCSRFProtect.protectcCsLt|tr |j||St|tr|}n d|j|jf}|j||S)aMark a view or blueprint to be excluded from CSRF protection. :: @app.route('/some-view', methods=['POST']) @csrf.exempt def some_view(): ... :: bp = Blueprint(...) csrf.exempt(bp) ra) isinstancerrSaddstrjoinrNrMrR)r@reZ view_locationr+r+r,exempts    zCSRFProtect.exemptcCst|r<) CSRFError)r@reasonr+r+r,rr2szCSRFProtect._error_responser<) rMrNrO__doc__rVrTrprdryrrr+r+r+r,rs ) rc@seZdZdZdZdS)rzzRaise if the client sends invalid CSRF data with the request. Generates a 400 Bad Request response with the failure reason by default. Customize the response by registering a handler with :meth:`flask.Flask.errorhandler`. zCSRF validation failed.N)rMrNrOr| descriptionr+r+r+r,rz6srzcCs4t|}t|}|j|jko|j|jko|j|jkSr<)rschemehostnameport)Z current_uriZ compare_uricurrentcomparer+r+r,rtAs   rt)NN)NNN)NTr6)!rr2loggingr urllib.parserZflaskrrrrrZ itsdangerousrr r Zwerkzeug.exceptionsr Zwtformsr Zwtforms.csrf.corer __all__ getLoggerrMrHrrrr;rrzrtr+r+r+r,s6               +5