o

3�a�5�@s*
dZd
dl
Z
d
dlZd
dlZd
dlmZ
d
dlmZ
d
dlm	Z	m
Z

d
dlmZ
d
dl
mZ
d
dlmZmZ
d
d	lmZ
d
d
lmZ
d
dlmZ
e
�d�
Zd
ZdZdZdZdZdZdZ de Z!ej"ej#Z$dZ%dd�Z&dd�Z'dd�Z(dd�Z)dd�Z*d d!�Z+d"d#�Z,d$d%�Z-d&d'�Z.Gd(d)�d)e�Z/dS)*z�
Cross Site Request Forgery Middleware.

This module provides a middleware that implements protection
against request forgeries from other sites.
�N)
�urlparse)
�settings)�DisallowedHost�ImproperlyConfigured)
�get_callable)
�patch_vary_headers)�constant_time_compare�get_random_string)
�MiddlewareMixin)
�is_same_domain)
�log_responsezdjango.security.csrfz%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.z CSRF token missing or incorrect.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.� ��
_csrftokencCs
tt
j�
S)
z/Return the view to be used for CSRF rejections.)rr�CSRF_FAILURE_VIEW�rr�8/usr/lib/python3/dist-packages/django/middleware/csrf.py�_get_failure_view$s
rcCstt
td
�S)N)
�
allowed_chars)r	�CSRF_SECRET_LENGTH�CSRF_ALLOWED_CHARSrrrr�_get_new_csrf_string)s
rc
sPt�}
t
�t�f
d
d�|D�
�f
d
d�|
D�
�}d��f
dd�|D�
�
}|
|S)z�
    Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a
    token by adding a mask and applying it to the secret.
    c
3��|]}
��|
�
V
qdS�
N�
�index��.0�
x�
�charsrr�	<genexpr>4��z&_mask_cipher_secret.<locals>.<genexpr>�c
3s(�|]\}
}�|
|t��
V
qdSr)
�len�rr�
yrrrr!5s�&)rr�zip�join)�secret�mask�pairs�cipherrrr�_mask_cipher_secret-s

&


r-c
sZ|d
t�}
|td
�}t
�t�f
dd�|D�
�f
dd�|
D�
�}d��f
dd�|D�
�
S)z�
    Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length
    CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt
    the second half to produce the original secret.
    Nc
3rrrrrrrr!Br"z'_unmask_cipher_token.<locals>.<genexpr>r#c
3s �|]\}
}�|
|V
qdSrrr%rrrr!Cs�)rrr'r()�tokenr*r+rrr�_unmask_cipher_token9s


&

r/cCs
tt
��
Sr)r-rrrrr�_get_new_csrf_tokenFs

r0c
Cs@d
|jv
rt
�}
t|
�
|jd
<nt|jd
�
}
d|jd<t|
�
S)a�

    Return the CSRF token required for a POST form. The token is an
    alphanumeric value. A new token is created if one is not already set.

    A side effect of calling this function is to make the csrf_protect
    decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
    header to the outgoing response.  For this reason, you may need to use this
    function lazily, as is done by the csrf context processor.
    �CSRF_COOKIET�CSRF_COOKIE_USED)�METArr-r/)�request�csrf_secretrrr�	get_tokenJs






r6c

Cs|j�
d
t�d��

d
|_dS)zi
    Change the CSRF token in use for a request - should be done on login
    for security purposes.
    T)r2r1N)r3�updater0�csrf_cookie_needs_reset)
r4rrr�rotate_token]s


�
r9c

Cs<t�
d
|�r	t�St|�
tkr|St|�
tkrt|�
St�S)Nz[^a-zA-Z0-9])�re�searchr0r$�CSRF_TOKEN_LENGTHrr-)
r.rrr�_sanitize_tokenis




r=cCstt
|�
t
|
�
�Sr)rr/)�request_csrf_token�
csrf_tokenrrr�_compare_masked_tokenszs

�r@c@sHeZ
dZd
Zdd�Zdd�Zdd�Zdd	�Zd
d�Zdd
�Z	dd�Z
dS)�CsrfViewMiddlewarez�
    Require a present and correct csrfmiddlewaretoken for POST requests that
    have a CSRF cookie, and set an outgoing CSRF cookie.

    This middleware should be used in conjunction with the {% csrf_token %}
    template tag.
    cCs
d
|
_dS)NT)
�csrf_processing_done)�selfr4rrr�_accept�s
zCsrfViewMiddleware._acceptcCs(t�|
|d
�}t
d||
j||
td�
|S)N)
�reasonzForbidden (%s): %s)�responser4�logger)rr�pathrG)rCr4rErFrrr�_reject�s





�zCsrfViewMiddleware._rejectcCsltj
rz|
j�t�
WSty


td
�
�
wz|
jtj}Wn
t	y(


YdSwt
|�
}||kr4d|
_|S)Nz�CSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.T)r�CSRF_USE_SESSIONS�session�get�CSRF_SESSION_KEY�AttributeErrorr�COOKIES�CSRF_COOKIE_NAME�KeyErrorr=r8)rCr4�cookie_tokenr?rrr�
_get_token�s"





��


�

zCsrfViewMiddleware._get_tokenc
Csptj
r|
j�t�
|
jd
kr|
jd
|
jt<dSdS|jtj|
jd
tjtj	tj
tjtjtj
d�
t|d�
dS)Nr1)�max_age�domainrH�secure�httponly�samesite)
�Cookie)rrJrKrLrMr3�
set_cookierP�CSRF_COOKIE_AGE�CSRF_COOKIE_DOMAIN�CSRF_COOKIE_PATH�CSRF_COOKIE_SECURE�CSRF_COOKIE_HTTPONLY�CSRF_COOKIE_SAMESITEr�rCr4rFrrr�
_set_token�s


�







�zCsrfViewMiddleware._set_tokencCs$|�|
�
}|du
r||
j
d
<dSdS)Nr1)rSr3)rCr4r?rrr�process_request�s


�z"CsrfViewMiddleware.process_requestcs�
t|
d
d�rdSt|dd�rdS|
j
dv
r�t|
dd�r |�|
�
S|
��r�|
j�d�
��dur4|�|
t�St��
�d�j	�j
fvrF|�|
t�S�j	dkrQ|�|
t�St
jrWt
jnt
j}|du
rm|
��}|d	v
rld
||f}nz|
��}Wn	ty|


Yn
wtt
j�
}|du
r�|�|�

t�f
dd�|D�
�
s�t���}|�|
|�S|�|
�
}	|	dur�|�|
t�Sd}
|
j
d
kr�z	|
j�dd�}
Wn	ty�


Yn
w|
dkr�|
j�t
jd�}
t|
�
}
t |
|	�s�|�|
t!�S|�|
�
S)NrBF�csrf_exempt)�GET�HEAD�OPTIONS�TRACE�_dont_enforce_csrf_checks�HTTP_REFERERr#�https)�443�80z%s:%sc
3s�|]	}
t�j
|
�V
qdSr)r�netloc)r�host�
�refererrrr!
s�z2CsrfViewMiddleware.process_view.<locals>.<genexpr>�POST�csrfmiddlewaretoken)"�getattr�methodrD�	is_securer3rLrI�REASON_NO_REFERERr�schemern�REASON_MALFORMED_REFERER�REASON_INSECURE_REFERERrrJ�SESSION_COOKIE_DOMAINr\�get_port�get_hostr�list�CSRF_TRUSTED_ORIGINS�append�any�REASON_BAD_REFERER�geturlrS�REASON_NO_CSRF_COOKIErr�OSError�CSRF_HEADER_NAMEr=r@�REASON_BAD_TOKEN)rCr4�callback�
callback_args�callback_kwargs�good_referer�server_port�
good_hostsrEr?r>rrpr�process_view�sh










��


�

�












�



zCsrfViewMiddleware.process_viewcCsDt|
d
d�st|dd�r|S|
j
�dd�s|S|�|
|�
d|_|S)Nr8F�csrf_cookie_setr2T)rtr3rLrbr�rarrr�process_response=
s





z#CsrfViewMiddleware.process_responseN)�__name__�
__module__�__qualname__�__doc__rDrIrSrbrcr�r�rrrrrA�s
	
prA)0r��loggingr:�string�urllib.parser�django.confr�django.core.exceptionsrr�django.urlsr�django.utils.cacher�django.utils.cryptorr	�django.utils.deprecationr
�django.utils.httpr�django.utils.logr�	getLoggerrGrwr�r�r�ryrzrr<�
ascii_letters�digitsrrMrrr-r/r0r6r9r=r@rArrrr�<module>
sD