
Adds CSRF protection to the CTK.

git-svn-id: svn://cherokee-project.com/CTK/trunk@6747 5dc97367-97f1-0310-9951-d761b3857238
1 parent 5ab1927 commit 10cd5bfd5a888bb4e430bab2e6c2f43daa883d57 @alobbs alobbs committed Jun 8, 2011
Showing with 38 additions and 8 deletions.
  1. +18 −6 CTK/Server.py
  2. +8 −2 CTK/SortableList.py
  3. +6 −0 CTK/Submitter.py
  4. +6 −0 CTK/TextField.py
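--- a/CTK/Server.py
+++ b/CTK/Server.py
@@ -92,20 +92,27 @@ def _do_handle (self):
 # Get a copy of the server (it did fork!)
 server = get_server()
-# Check security cookie
+# Security Checks
 sec_error = False
-
 if server.use_sec_cookie:
 if not self.env['CTK_COOKIE']:
-sec_error = True
+sec_error = "Cookie"
 elif not server.sec_cookie:
 server.sec_cookie = self.env['CTK_COOKIE'][:]
 else:
 if server.sec_cookie != self.env['CTK_COOKIE']:
-sec_error = True
+sec_error = "Cookie"
+
+if server.use_sec_submit:
+if not server.sec_submit:
+server.sec_submit = self.env['CTK_SUBMITTER_SECRET'][:]
+
+if self.env['REQUEST_METHOD'] == 'POST':
+if not server.sec_submit in url:
+sec_error = "Submit"
 if sec_error:
-response = HTTP_Response (error=403, body="Cookie check failed")
+response = HTTP_Response (error=403, body="%s check failed" %(sec_error))
 self.send (str(response))
 return
@@ -199,17 +206,22 @@ def __init__ (self):
 self.exiting = False
 self.use_sec_cookie = False
 self.sec_cookie = None
+self.use_sec_submit = False
+self.sec_submit = None
 def init_server (self, *args, **kwargs):
 # Is it already init?
 if self._is_init:
 return
 self._is_init = True
-# Security cookie
+# Security cookie/submit
 if 'sec_cookie' in kwargs:
 self.use_sec_cookie = kwargs.pop('sec_cookie')
+if 'sec_submit' in kwargs:
+self.use_sec_submit = kwargs.pop('sec_submit')
+
 # Instance SCGI server
 self._scgi = pyscgi.ServerFactory (*args, **kwargs)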
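Review bot: `if not server.sec_submit in url:` only tests that the secret occurs somewhere in the URL string, so any POST whose path or query happens to contain it passes, and `url` itself is not assigned within the hunk (`_do_handle` starts before it). Compare the `key` parameter instead, e.g. `if parse_qs(urlparse(url).query).get('key', [None])[0] != server.sec_submit:` (with `from urlparse import urlparse, parse_qs` added to the imports); this also stops an empty secret from turning the check into a no-op, since `'' in url` is always true. The line above it reads `self.env['CTK_SUBMITTER_SECRET']` unguarded, unlike the cookie branch, so a request without that variable raises KeyError instead of the 403; `self.env.get('CTK_SUBMITTER_SECRET', '')[:]` keeps the handler on its normal error path. Note also that only POST is checked, so any state change a handler accepts over GET stays unprotected, and the first request seen seeds the secret, as the cookie branch already does.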
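--- a/CTK/SortableList.py
+++ b/CTK/SortableList.py
@@ -21,6 +21,7 @@
 #
 from Table import Table
+from Server import get_server
 from PageCleaner import Uniq_Block
 from Server import publish, post, cfg, cfg_reply_ajax_ok
@@ -88,9 +89,14 @@ def __init__ (self, callback, container, *args, **kwargs):
 self.url = "/sortablelist_%d"%(self.uniq_id)
 self.container = container
+# Secure submit
+srv = get_server()
+if srv.use_sec_submit:
+self.url += '?key=%s' %(srv.sec_submit)
+
 # Register the public URL
-publish (self.url, changed_handler_func, method='POST',
-callback=callback, key_id='%s_order'%(self.id), **kwargs)
+publish (r"^/sortablelist_%d"%(self.uniq_id), changed_handler_func,
+method='POST', callback=callback, key_id='%s_order'%(self.id), **kwargs)
 def Render (self):
 render = Table.Render (self)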
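Review bot: The new `publish` pattern `r"^/sortablelist_%d"` has no closing anchor, so if `publish` matches it as a regex prefix the handler registered for `uniq_id` 1 also claims `/sortablelist_10`, `/sortablelist_11` and so on; terminate it so it stops at the end of the number, e.g. `r"^/sortablelist_%d(?!\d)"`. Whether the pattern is matched against the path alone or the path plus query string is not visible here, which decides whether a plain `$` or `(\?|$)` would also do. Carrying the secret in the query string (`?key=`) also means it ends up in web-server access logs and in Referer headers sent by the browser, which deserves a comment above the `# Secure submit` block; Submitter.py and TextField.py append the key the same way.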
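--- a/CTK/Submitter.py
+++ b/CTK/Submitter.py
@@ -26,6 +26,7 @@
 from Container import Container
 from TextField import TextField
 from PageCleaner import Uniq_Block
+from Server import get_server
 HEADER = ['<script type="text/javascript" src="/CTK/js/Submitter.js"></script>']
@@ -99,6 +100,11 @@ def __init__ (self, submit_url):
 self.url = submit_url
 self.id = "submitter%d" %(self.uniq_id)
+# Secure submit
+srv = get_server()
+if srv.use_sec_submit:
+self.url += '?key=%s' %(srv.sec_submit)
+
 def Render (self):
 # Child render
 render = Container.Render(self)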
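Review bot: `self.url += '?key=%s' %(srv.sec_submit)` assumes `submit_url` carries no query string; a caller URL that already contains `?` ends up with two, and `key` is glued onto the previous parameter's value instead of becoming a parameter of its own, so the server-side check would not find it. Use `self.url += '%skey=%s' % ('&' if '?' in self.url else '?', srv.sec_submit)`. The same lines are added to `TextField.__init__` in TextField.py, where `url` is likewise supplied by the caller.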
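--- a/CTK/TextField.py
+++ b/CTK/TextField.py
@@ -28,6 +28,7 @@
 from Widget import Widget
 from Server import cfg
 from util import to_utf8
+from Server import get_server
 HEADER = [
 '<script type="text/javascript" src="/CTK/js/jquery.form-defaults.js"></script>'
@@ -235,6 +236,11 @@ def __init__ (self, key, url, optional=False, props=None):
 self.url = url
 TextCfg.__init__ (self, key, optional, props)
+# Secure submit
+srv = get_server()
+if srv.use_sec_submit:
+self.url += '?key=%s' %(srv.sec_submit)
+
 def Render (self):
 value = cfg.get_val (self.key, '')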
