# HG changeset patch
# User Thierry Florac
# Date 1513250396 -3600
# Node ID cd0086f5b00ba0b159f44c9ab49a659ef977961d
# Parent 44393819638c612a57a79ebc4e138d890ce3d164
Removed custom CSRF handling code

diff -r 44393819638c -r cd0086f5b00b src/pyams_security/csrf.py
--- a/src/pyams_security/csrf.py Thu Dec 14 12:19:33 2017 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-#
-# Copyright (c) 2008-2015 Thierry Florac
-# All Rights Reserved.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE.
-#
-
-__docformat__ = 'restructuredtext'
-
-
-# import standard library
-
-# import interfaces
-from pyramid.interfaces import INewRequest, INewResponse
-
-# import packages
-from pyramid.events import subscriber
-from pyramid.exceptions import BadCSRFToken
-from pyramid.session import check_csrf_origin
-from pyramid.util import strings_differ
-
-
-CSRF_TOKEN_COOKIE_NAME = 'csrf_token'
-
-
-@subscriber(INewRequest)
-def handle_new_request(event):
-    """Handle any request with CSRF token cookie"""
-    request = event.request
-    if (request.method == 'POST') or request.is_xhr:
-        check_csrf_origin(request)
-        post_token = request.cookies.get(CSRF_TOKEN_COOKIE_NAME)
-        session_token = request.session.get_csrf_token()
-        if (not post_token) or strings_differ(post_token, session_token):
-            raise BadCSRFToken('Invalid CSRF token')
-
-
-@subscriber(INewResponse)
-def handle_new_response(event):
-    """Handle new response to manage CSRF token cookie"""
-    request = event.request
-    if not request.path.startswith('/--static--/'):
-        token = request.session.get_csrf_token()
-        event.response.set_cookie(CSRF_TOKEN_COOKIE_NAME, token,
-                                  secure=request.scheme == 'https',
-                                  httponly=True)