o {,h!L@sdZddlZddlZddlmZddlmZddlmZddl m Z m Z ddl m Z mZddlmZdd lmZdd lmZmZdd lmZdd lmZdd lmZddlmZddlmZe dZ!edZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,de,Z-ej.ej/Z0dZ1ddZ2d d!Z3d"d#Z4d$d%Z5d&d'Z6d(d)Z7d*d+Z8Gd,d-d-e9Z:d.d/Z;d0d1ZdS)6z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. N) defaultdicturlsplit)settings)DisallowedHostImproperlyConfigured) HttpHeadersUnreadablePostError) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)cached_propertyis_same_domain) log_response)_lazy_re_compilezdjango.security.csrfz [^a-zA-Z0-9]z?Origin checking failed - %s does not match any trusted origins.z%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.zCSRF token missing.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.zhas incorrect lengthzhas invalid characters  _csrftokencCs ttjS)z/Return the view to be used for CSRF rejections.)r rCSRF_FAILURE_VIEWrrL/var/www/html/rh/venv/lib/python3.10/site-packages/django/middleware/csrf.py_get_failure_view2s rcCs tttdS)N) allowed_chars)r CSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrrr_get_new_csrf_string7s rcsPt}ttfdd|Dfdd|D}dfdd|D}||S)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret. c3|]}|VqdSNindex.0xcharsrr Bz&_mask_cipher_secret..c3s(|]\}}||tVqdSr )lenr$r%yr&rrr(Cs&)rrzipjoin)secretmaskpairscipherrr&r_mask_cipher_secret;s &r4csZ|dt}|td}ttfdd|Dfdd|D}dfdd|DS)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret. Nc3rr r!r#r&rrr(Pr)z'_unmask_cipher_token..r*c3s |] \}}||VqdSr rr,r&rrr(Qs)rrr.r/)tokenr1r2rr&r_unmask_cipher_tokenGs  &r6cCst}|j|dd|S)zDGenerate a new random CSRF_COOKIE value, and add it to request.META.T) CSRF_COOKIECSRF_COOKIE_NEEDS_UPDATE)rMETAupdaterequest csrf_secretrrr_add_new_csrf_cookieTsr>cCs6d|jvr|jd}d|jd<t|St|}t|S)a Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor. r7Tr8)r9r>r4r;rrr get_token`s  r?cCs t|dS)zi Change the CSRF token in use for a request - should be done on login for security purposes. N)r>)r<rrr rotate_tokenus r@c@eZdZddZdS)InvalidTokenFormatcC ||_dSr reasonselfrErrr__init__~ zInvalidTokenFormat.__init__N__name__ __module__ __qualname__rHrrrrrB} rBcCs.t|ttfvr ttt|rttdS)z Raise an InvalidTokenFormat error if the token has an invalid length or characters that aren't allowed. The token argument can be a CSRF cookie secret or non-cookie CSRF token, and either masked or unmasked. N)r+CSRF_TOKEN_LENGTHrrBREASON_INCORRECT_LENGTHinvalid_token_chars_researchREASON_INVALID_CHARACTERS)r5rrr_check_token_formats  rTcCs.t|tkr t|}t|tksJt||S)a Return whether the given CSRF token matches the given CSRF secret, after unmasking the token if necessary. This function assumes that the request_csrf_token argument has been validated to have the correct length (CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH characters) and allowed characters, and that if it has length CSRF_TOKEN_LENGTH, it is a masked secret. )r+rOr6rr )request_csrf_tokenr=rrr_does_token_matchs  rVc@rA) RejectRequestcCrCr rDrFrrrrHrIzRejectRequest.__init__NrJrrrrrWrNrWc@seZdZdZeddZeddZeddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZdS)CsrfViewMiddlewarez Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie. This middleware should be used in conjunction with the {% csrf_token %} template tag. cCddtjDS)NcSsg|] }t|jdqS*)rnetloclstripr$originrrr szACsrfViewMiddleware.csrf_trusted_origins_hosts..rCSRF_TRUSTED_ORIGINSrGrrrcsrf_trusted_origins_hostssz-CsrfViewMiddleware.csrf_trusted_origins_hostscCrY)NcSsh|]}d|vr|qSrZrr^rrr sz;CsrfViewMiddleware.allowed_origins_exact..rarcrrrallowed_origins_exactsz(CsrfViewMiddleware.allowed_origins_exactcCs:tt}ddtjDD]}||j|jdq |S)z A mapping of allowed schemes to list of allowed netlocs, where all subdomains of the netloc are allowed. css |] }d|vrt|VqdS)r[Nrr^rrrr(sz?CsrfViewMiddleware.allowed_origin_subdomains..r[)rlistrrbschemeappendr\r])rGallowed_origin_subdomainsparsedrrrrjs  z,CsrfViewMiddleware.allowed_origin_subdomainscCs d|_dS)NT)csrf_processing_done)rGr<rrr_acceptszCsrfViewMiddleware._acceptcCs(t||d}td||j||td|S)NrDzForbidden (%s): %s)responser<logger)rrpathro)rGr<rErnrrr_rejectszCsrfViewMiddleware._rejectcCstjrz|jt}Wn#tytdwz|jtj}Wn t y*d}Ynwt ||dur5dSt |t kr?t |}|S)a Return the CSRF secret originally associated with the request, or None if it didn't have one. If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if the request's secret has invalid characters or an invalid length. zCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.N)rCSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorrCOOKIESCSRF_COOKIE_NAMEKeyErrorrTr+rOr6rGr<r=rrr _get_secrets&   zCsrfViewMiddleware._get_secretc Csptjr|jt|jdkr|jd|jt<dSdS|jtj|jdtjtj tj tj tj tj dt|ddS)Nr7)max_agedomainrpsecurehttponlysamesite)Cookie)rrrrsrtrur9 set_cookierxCSRF_COOKIE_AGECSRF_COOKIE_DOMAINCSRF_COOKIE_PATHCSRF_COOKIE_SECURECSRF_COOKIE_HTTPONLYCSRF_COOKIE_SAMESITEr rGr<rnrrr_set_csrf_cookies z#CsrfViewMiddleware._set_csrf_cookiecs|jd}z|}Wn tyYnwd|rdnd|f}||kr'dS||jvr.dSzt|}Wn ty>YdSw|j}|jt fdd|j |d DS) N HTTP_ORIGINz%s://%shttpshttpTFc3s|]}t|VqdSr rr$hostrequest_netlocrrr($s  z6CsrfViewMiddleware._origin_verified..r) r9get_hostr is_securerfr ValueErrorrhr\anyrjrt)rGr<request_origin good_host good_origin parsed_originrequest_schemerrr_origin_verifieds0        z#CsrfViewMiddleware._origin_verifiedcs|jddurttztWn tyttwdjjfvr,ttjdkr5tt t fdd|j DrCdSt j rIt jnt j}|durfz|}Wntyettw|}|dvrtd||f}tj|sttdS)N HTTP_REFERERr*rc3s|] }tj|VqdSr )rr\rrefererrrr(;s  z4CsrfViewMiddleware._check_referer..)44380z%s:%s)r9rtrWREASON_NO_REFERERrrREASON_MALFORMED_REFERERrhr\REASON_INSECURE_REFERERrrdrrrSESSION_COOKIE_DOMAINrrrREASON_BAD_REFERERgeturlget_portr)rGr< good_referer server_portrrr_check_referer)s@         z!CsrfViewMiddleware._check_referercCs0|dkrt|}d|d}d|d|dS)NPOSTzthe z HTTP headerzCSRF token from  .)rparse_header_name)rGrE token_source header_namerrr_bad_token_messageVs  z%CsrfViewMiddleware._bad_token_messagec Csz||}Wnty}z td|jdd}~ww|dur%ttd}|jdkr?z |jdd}Wn ty>Ynw|dkr[z|j t j }Wn t yVtt wt j }nd}zt|Wntyz}z ||j|}t|d}~wwt||s|d|}t|dS)Nz CSRF cookie rr*rcsrfmiddlewaretoken incorrect)r{rBrWrEREASON_NO_CSRF_COOKIEmethodrrtr r9rCSRF_HEADER_NAMEryREASON_CSRF_TOKEN_MISSINGrTrrV)rGr<r=excrUrrErrr _check_token]sD      zCsrfViewMiddleware._check_tokencCsFz||}Wntyt|YdSw|dur!||jd<dSdS)Nr7)r{rBr>r9rzrrrprocess_requests z"CsrfViewMiddleware.process_requestc Cs t|ddrdSt|ddrdS|jdvr||St|ddr%||Sd|jvr;||s:||t|jdSn%|r`z||Wnt y_}z |||j WYd}~Sd}~wwz| |Wnt y}z |||j WYd}~Sd}~ww||S)NrlF csrf_exempt)GETHEADOPTIONSTRACE_dont_enforce_csrf_checksr) getattrrrmr9rrqREASON_BAD_ORIGINrrrWrEr)rGr<callback callback_argscallback_kwargsrrrr process_views8         zCsrfViewMiddleware.process_viewcCs&|jdr|||d|jd<|S)Nr8F)r9rtrrrrrprocess_responses   z#CsrfViewMiddleware.process_responseN)rKrLrM__doc__rrdrfrjrmrqr{rrrrrrrrrrrrrXs&     -4 9rX)?rloggingstring collectionsr urllib.parser django.confrdjango.core.exceptionsrr django.httprr django.urlsr django.utils.cacher django.utils.cryptor r django.utils.deprecationrdjango.utils.functionalrdjango.utils.httprdjango.utils.logrdjango.utils.regex_helperr getLoggerrorQrrrrrrrrPrSrrO ascii_lettersdigitsrrurrr4r6r>r?r@ ExceptionrBrTrVrWrXrrrrsX