fixed csrf protection

34e97658 · nd · bd27a38d · 34e97658 · 34e97658 · 34e97658
Verified Commit 34e97658 authored 4 years ago by nd
--- a/uffd/csrf/csrf.py
+++ b/uffd/csrf/csrf.py
@@ -8,23 +8,31 @@ bp = Blueprint("csrf", __name__)
 csrfEndpoints = []
 # pylint: enable=invalid-name
-def csrf_protect(func):
+def csrf_protect(blueprint=None, endpoint=None):
-	csrfEndpoints.append(func.__name__)
+	def wraper(func):
-	@wraps(func)
+		if not endpoint:
-	def decorator(*args, **kwargs):
+			if blueprint:
-		if '_csrf_token' in request.values:
+				urlendpoint = "{}.{}".format(blueprint.name, func.__name__)
-			token = request.values['_csrf_token']
+			else:
-		elif request.get_json() and ('_csrf_token' in request.get_json()):
+				urlendpoint = func.__name__
-			token = request.get_json()['_csrf_token']
+		csrfEndpoints.append(urlendpoint)
-		else:
+		@wraps(func)
-			token = None
+		def decorator(*args, **kwargs):
-		if ('_csrf_token' not in session) or (session['_csrf_token'] != token) or not token:
+			if '_csrf_token' in request.values:
-			return 'csrf test failed', 403
+				token = request.values['_csrf_token']
-		return func(*args, **kwargs)
+			elif request.get_json() and ('_csrf_token' in request.get_json()):
-	return decorator
+				token = request.get_json()['_csrf_token']
+			else:
+				token = None
+			if ('_csrf_token' not in session) or (session['_csrf_token'] != token) or not token:
+				return 'csrf test failed', 403
+			return func(*args, **kwargs)
+		return decorator
+	return wraper
-@bp.url_defaults
+@bp.app_url_defaults
 def csrf_inject(endpoint, values):
+	print(endpoint, csrfEndpoints, endpoint not in csrfEndpoints)
 	if endpoint not in csrfEndpoints or not session.get('_csrf_token'):
 		return
 	values['_csrf_token'] = session['_csrf_token']
--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
@@ -26,7 +26,7 @@ def self_index():
 	return render_template('self.html', user=get_current_user())
 @bp.route("/update", methods=(['POST']))
-@csrf_protect
+@csrf_protect(blueprint=bp)
 def self_update():
 	pass
--- a/uffd/session/views.py
+++ b/uffd/session/views.py
 import datetime
+import random
+import string
 import functools
 from flask import Blueprint, render_template, request, url_for, redirect, flash, current_app, session
@@ -36,6 +38,7 @@ def login():
 		return redirect(url_for('.login'))
 	session['user_uid'] = user.uid
 	session['logintime'] = datetime.datetime.now().timestamp()
+	session['_csrf_token'] = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(64))
 	return redirect(request.values.get('ref', url_for('index')))
 def get_current_user():

--- a/uffd/user/views.py
+++ b/uffd/user/views.py
@@ -44,6 +44,7 @@ def user_show(uid=None):
 @bp_user.route("/<int:uid>/update", methods=['POST'])
 @bp_user.route("/new", methods=['POST'])
+@csrf_protect(blueprint=bp_user)
 def user_update(uid=False):
 	conn = get_conn()
 	if uid:
@@ -70,7 +71,7 @@ def user_update(uid=False):
 	return redirect(url_for('.user_list'))
 @bp_user.route("/<int:uid>/del")
-@csrf_protect
+@csrf_protect(blueprint=bp_user)
 def user_delete(uid):
 	conn = get_conn()
 	conn.search(current_app.config["LDAP_BASE_USER"], '(&(objectclass=person)(uidNumber={}))'.format((escape_filter_chars(uid))))