

Adds CSRF protection to the CTK.
git-svn-id: svn://cherokee-project.com/CTK/trunk@6747 5dc97367-97f1-0310-9951-d761b3857238
alobbs committed Jun 8, 2011
1 parent 5ab1927 commit 10cd5bf
Showing 4 changed files with 38 additions and 8 deletions.
24 changes: 18 additions & 6 deletions CTK/Server.py
Expand Up @@ -92,20 +92,27 @@ def _do_handle (self):
# Get a copy of the server (it did fork!)
server = get_server()

# Check security cookie
# Security Checks
sec_error = False

if server.use_sec_cookie:
if not self.env['CTK_COOKIE']:
sec_error = True
sec_error = "Cookie"
elif not server.sec_cookie:
server.sec_cookie = self.env['CTK_COOKIE'][:]
else:
if server.sec_cookie != self.env['CTK_COOKIE']:
sec_error = True
sec_error = "Cookie"

if server.use_sec_submit:
if not server.sec_submit:
server.sec_submit = self.env['CTK_SUBMITTER_SECRET'][:]

if self.env['REQUEST_METHOD'] == 'POST':
if not server.sec_submit in url:
sec_error = "Submit"

if sec_error:
response = HTTP_Response (error=403, body="Cookie check failed")
response = HTTP_Response (error=403, body="%s check failed" %(sec_error))
self.send (str(response))
return

Expand Down Expand Up @@ -199,17 +206,22 @@ def __init__ (self):
self.exiting = False
self.use_sec_cookie = False
self.sec_cookie = None
self.use_sec_submit = False
self.sec_submit = None

def init_server (self, *args, **kwargs):
# Is it already init?
if self._is_init:
return
self._is_init = True

# Security cookie
# Security cookie/submit
if 'sec_cookie' in kwargs:
self.use_sec_cookie = kwargs.pop('sec_cookie')

if 'sec_submit' in kwargs:
self.use_sec_submit = kwargs.pop('sec_submit')

# Instance SCGI server
self._scgi = pyscgi.ServerFactory (*args, **kwargs)

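Review bot: `if not server.sec_submit in url:` accepts the secret appearing anywhere in the URL rather than as the `key` parameter the widgets actually send, and `self.env['CTK_SUBMITTER_SECRET'][:]` raises KeyError when the front end never set that variable, so a misconfiguration surfaces as an exception instead of the intended 403. Parsing the query string and comparing the `key` value exactly closes both, as sketched below (needs `import urlparse`, and assumes `self.env` is a plain dict as the subscripting suggests). The secret is also captured trust-on-first-use from whichever request arrives first, which is only sound if `CTK_SUBMITTER_SECRET` is injected by the SCGI front end and can never come from the client; that assumption deserves a comment such as `# CTK_SUBMITTER_SECRET is set by the front-end server config, never by the request`. `url` is bound before this hunk and `_do_handle` continues beyond it.
```python
        if server.use_sec_submit:
            if not server.sec_submit:
                # Trust-on-first-use: the SCGI front end is expected to set this
                server.sec_submit = self.env.get('CTK_SUBMITTER_SECRET')

            if self.env['REQUEST_METHOD'] == 'POST':
                # Compare the parsed 'key' parameter, not a substring of the URL
                query = urlparse.parse_qs (urlparse.urlparse (url).query)
                key   = query.get ('key', [None])[0]
                if not server.sec_submit or key != server.sec_submit:
                    sec_error = "Submit"
        # … unchanged: 403 response on sec_error …
```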
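--- a/CTK/SortableList.py
+++ b/CTK/SortableList.py
@@ -21,6 +21,7 @@
 #
 
 from Table import Table
+from Server import get_server
 from PageCleaner import Uniq_Block
 from Server import publish, post, cfg, cfg_reply_ajax_ok
 
@@ -88,9 +89,14 @@ def __init__ (self, callback, container, *args, **kwargs):
         self.url = "/sortablelist_%d"%(self.uniq_id)
         self.container = container
 
+        # Secure submit
+        srv = get_server()
+        if srv.use_sec_submit:
+            self.url += '?key=%s' %(srv.sec_submit)
+
         # Register the public URL
-        publish (self.url, changed_handler_func, method='POST',
-                 callback=callback, key_id='%s_order'%(self.id), **kwargs)
+        publish (r"^/sortablelist_%d"%(self.uniq_id), changed_handler_func,
+                 method='POST', callback=callback, key_id='%s_order'%(self.id), **kwargs)
 
     def Render (self):
         render = Table.Render (self)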
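Review bot: The new pattern `r"^/sortablelist_%d"` is anchored only at the start, so if `publish` treats it as a regular expression the entry for id 1 also matches `/sortablelist_10`, `/sortablelist_1xx` and every later id that shares the prefix, and whichever registration is consulted first wins. Terminating it, `publish (r"^/sortablelist_%d(\?|$)"%(self.uniq_id), changed_handler_func,`, keeps the query-string form the `?key=` suffix now needs while rejecting longer ids. The `?key=%s` value is `srv.sec_submit`, which `Server._do_handle` only fills from the first request it handles; if a SortableList can be constructed before that, the rendered URL carries `key=None` and every POST to it fails the check, so the `# Secure submit` block should state that it relies on the server having already seen a request.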
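--- a/CTK/Submitter.py
+++ b/CTK/Submitter.py
@@ -26,6 +26,7 @@
 from Container import Container
 from TextField import TextField
 from PageCleaner import Uniq_Block
+from Server import get_server
 
 HEADER = ['<script type="text/javascript" src="/CTK/js/Submitter.js"></script>']
 
@@ -99,6 +100,11 @@ def __init__ (self, submit_url):
         self.url = submit_url
         self.id = "submitter%d" %(self.uniq_id)
 
+        # Secure submit
+        srv = get_server()
+        if srv.use_sec_submit:
+            self.url += '?key=%s' %(srv.sec_submit)
+
     def Render (self):
         # Child render
         render = Container.Render(self)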
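Review bot: `self.url += '?key=%s' %(srv.sec_submit)` assumes the caller-supplied `submit_url` carries no query string; a caller passing `/foo?x=1` ends up with `/foo?x=1?key=...`, which no query parser reads as a `key` parameter. Choosing the separator first, `sep = '&' if '?' in self.url else '?'` followed by `self.url += '%skey=%s' %(sep, srv.sec_submit)`, handles both forms. Carrying the anti-CSRF secret in the URL also exposes it to Referer headers, proxy and access logs and browser history; a hidden field in the POST body is the usual home for such a token, though the Server.py check currently reads it from the URL, so both sides would have to move together.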
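--- a/CTK/TextField.py
+++ b/CTK/TextField.py
@@ -28,6 +28,7 @@
 from Widget import Widget
 from Server import cfg
 from util import to_utf8
+from Server import get_server
 
 HEADER = [
     '<script type="text/javascript" src="/CTK/js/jquery.form-defaults.js"></script>'
@@ -235,6 +236,11 @@ def __init__ (self, key, url, optional=False, props=None):
         self.url = url
         TextCfg.__init__ (self, key, optional, props)
 
+        # Secure submit
+        srv = get_server()
+        if srv.use_sec_submit:
+            self.url += '?key=%s' %(srv.sec_submit)
+
     def Render (self):
         value = cfg.get_val (self.key, '')
 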
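Review bot: The `# Secure submit` block is the third verbatim copy of the same four lines (SortableList.py and Submitter.py carry the others), so the `'?key=%s'` format and the missing `?`-vs-`&` decision for a caller-supplied `url` are now repeated in three places. A single helper on the server object, `def secure_url (self, url):` returning `url + ('&' if '?' in url else '?') + 'key=%s' %(self.sec_submit)` when `use_sec_submit` is set and `url` otherwise, called as `self.url = get_server().secure_url (self.url)`, would keep the token format next to the code that verifies it. Note also that `self.url` is rewritten after `TextCfg.__init__` has run; whether that base initializer reads `self.url` and so sees the unsigned value cannot be told from this hunk.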

