Adds CSRF protection to the CTK.

git-svn-id: svn://cherokee-project.com/CTK/trunk@6747 5dc97367-97f1-0310-9951-d761b3857238
commit 10cd5bfd5a888bb4e430bab2e6c2f43daa883d57 1 parent 5ab1927
@alobbs alobbs authored
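--- a/CTK/Server.py
+++ b/CTK/Server.py
@@ -92,20 +92,27 @@ def _do_handle (self):
 # Get a copy of the server (it did fork!)
 server = get_server()
- # Check security cookie
+ # Security Checks
 sec_error = False
-
 if server.use_sec_cookie:
 if not self.env['CTK_COOKIE']:
- sec_error = True
+ sec_error = "Cookie"
 elif not server.sec_cookie:
 server.sec_cookie = self.env['CTK_COOKIE'][:]
 else:
 if server.sec_cookie != self.env['CTK_COOKIE']:
- sec_error = True
+ sec_error = "Cookie"
+
+ if server.use_sec_submit:
+ if not server.sec_submit:
+ server.sec_submit = self.env['CTK_SUBMITTER_SECRET'][:]
+
+ if self.env['REQUEST_METHOD'] == 'POST':
+ if not server.sec_submit in url:
+ sec_error = "Submit"
 if sec_error:
- response = HTTP_Response (error=403, body="Cookie check failed")
+ response = HTTP_Response (error=403, body="%s check failed" %(sec_error))
 self.send (str(response))
 return
@@ -199,6 +206,8 @@ def __init__ (self):
 self.exiting = False
 self.use_sec_cookie = False
 self.sec_cookie = None
+ self.use_sec_submit = False
+ self.sec_submit = None
 def init_server (self, *args, **kwargs):
 # Is it already init?
@@ -206,10 +215,13 @@ def init_server (self, *args, **kwargs):
 return
 self._is_init = True
- # Security cookie
+ # Security cookie/submit
 if 'sec_cookie' in kwargs:
 self.use_sec_cookie = kwargs.pop('sec_cookie')
+ if 'sec_submit' in kwargs:
+ self.use_sec_submit = kwargs.pop('sec_submit')
+
 # Instance SCGI server
 self._scgi = pyscgi.ServerFactory (*args, **kwargs)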
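Review bot: The new POST check in `_do_handle`, `if not server.sec_submit in url`, is a substring test over the whole URL rather than a comparison of the `key` parameter, and it fails open: if `CTK_SUBMITTER_SECRET` arrives as an empty string, `server.sec_submit` becomes `''`, `'' in url` is always true, and every POST is accepted. The same branch re-reads the secret from the environment on every request until a non-empty value is seen, and `self.env['CTK_SUBMITTER_SECRET'][:]` raises KeyError (a crash instead of a 403) whenever the front-end does not pass that variable, so enabling `sec_submit` without the matching server-side configuration breaks every request. I would fail closed on an empty secret and compare the parsed `key` query parameter, which needs `parse_qs` (from `urlparse`, or `cgi.parse_qs` on older Pythons — I cannot see the file's imports) added at the top of Server.py. `url` is assigned before this hunk and `_do_handle` starts outside it, so the rewrite below only replaces the `use_sec_submit` branch.
```python
            if server.use_sec_submit:
                if not server.sec_submit:
                    server.sec_submit = self.env.get('CTK_SUBMITTER_SECRET', '')[:]

                if self.env['REQUEST_METHOD'] == 'POST':
                    # Only an explicit 'key' query parameter counts, and an
                    # empty secret must reject rather than match everything.
                    query = ''
                    if '?' in url:
                        query = url.split('?', 1)[1]
                    keys = parse_qs(query).get('key', [])
                    if not server.sec_submit or server.sec_submit not in keys:
                        sec_error = "Submit"
            # ... unchanged: 403 response when sec_error is set ...
```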
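--- a/CTK/SortableList.py
+++ b/CTK/SortableList.py
@@ -21,6 +21,7 @@
 #
 from Table import Table
+from Server import get_server
 from PageCleaner import Uniq_Block
 from Server import publish, post, cfg, cfg_reply_ajax_ok
@@ -88,9 +89,14 @@ def __init__ (self, callback, container, *args, **kwargs):
 self.url = "/sortablelist_%d"%(self.uniq_id)
 self.container = container
+ # Secure submit
+ srv = get_server()
+ if srv.use_sec_submit:
+ self.url += '?key=%s' %(srv.sec_submit)
+
 # Register the public URL
- publish (self.url, changed_handler_func, method='POST',
- callback=callback, key_id='%s_order'%(self.id), **kwargs)
+ publish (r"^/sortablelist_%d"%(self.uniq_id), changed_handler_func,
+ method='POST', callback=callback, key_id='%s_order'%(self.id), **kwargs)
 def Render (self):
 render = Table.Render (self)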
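Review bot: The new `publish` pattern `r"^/sortablelist_%d"` is anchored only at the start, so — assuming `publish` applies it with `re.match`/`re.search` as the raw string suggests — the handler registered for `uniq_id` 1 also matches `/sortablelist_10`, `/sortablelist_123` and every longer id, and whichever widget was published first silently receives the others' POSTs. The pattern should terminate after the id while still admitting the `?key=` suffix that `self.url` now carries, e.g. `publish (r"^/sortablelist_%d(\?|$)" % (self.uniq_id), changed_handler_func,`. Carrying the secret in the query string also means it is written to access logs and sent in the Referer header of any off-site link on the page; that trade-off deserves a sentence next to `# Secure submit`, e.g. `# The submit secret rides in the query string; it will appear in server logs and Referer headers.`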
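--- a/CTK/Submitter.py
+++ b/CTK/Submitter.py
@@ -26,6 +26,7 @@
 from Container import Container
 from TextField import TextField
 from PageCleaner import Uniq_Block
+from Server import get_server
 HEADER = ['<script type="text/javascript" src="/CTK/js/Submitter.js"></script>']
@@ -99,6 +100,11 @@ def __init__ (self, submit_url):
 self.url = submit_url
 self.id = "submitter%d" %(self.uniq_id)
+ # Secure submit
+ srv = get_server()
+ if srv.use_sec_submit:
+ self.url += '?key=%s' %(srv.sec_submit)
+
 def Render (self):
 # Child render
 render = Container.Render(self)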
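Review bot: `self.url += '?key=%s' %(srv.sec_submit)` assumes the caller's `submit_url` has no query string; a URL such as `/foo?x=1` becomes `/foo?x=1?key=...`, where the key is no longer a separate parameter and any server-side change from substring matching to query parsing will start rejecting it. The secret is also interpolated without URL-encoding, so a value containing `&`, `#` or `%` changes the meaning of the query. I would choose the separator and quote the value: `sep = '&' if '?' in self.url else '?'` then `self.url += '%skey=%s' % (sep, urllib.quote(srv.sec_submit))`, with `import urllib` at the top of Submitter.py (the import block above the hunk is only partly visible). `Submitter.__init__` starts outside this hunk.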
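--- a/CTK/TextField.py
+++ b/CTK/TextField.py
@@ -28,6 +28,7 @@
 from Widget import Widget
 from Server import cfg
 from util import to_utf8
+from Server import get_server
 HEADER = [
 '<script type="text/javascript" src="/CTK/js/jquery.form-defaults.js"></script>'
@@ -235,6 +236,11 @@ def __init__ (self, key, url, optional=False, props=None):
 self.url = url
 TextCfg.__init__ (self, key, optional, props)
+ # Secure submit
+ srv = get_server()
+ if srv.use_sec_submit:
+ self.url += '?key=%s' %(srv.sec_submit)
+
 def Render (self):
 value = cfg.get_val (self.key, '')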
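Review bot: This is the third verbatim copy of the `# Secure submit` stanza (Submitter.py and SortableList.py carry the same four lines), so every future fix to how the key is attached — separator handling, encoding, moving it out of the query string — has to be made in three places and will drift. A single helper next to `get_server` in Server.py removes the duplication: `def secure_url (url):` / `    srv = get_server()` / `    return srv.use_sec_submit and url + '?key=%s' %(srv.sec_submit) or url`, after which this hunk reduces to `self.url = secure_url (url)`. The new `from Server import get_server` sits two lines below `from Server import cfg`; merging them into one `from Server import cfg, get_server` keeps the import block tidy. The `def __init__` shown in the hunk header is outside the hunk, and Render's use of `self.url` is not visible here.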
