heckyel/mediagoblin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote branch 'remotes/elrond/idea/csrf_improvement'

Browse Source
This commit is contained in:
Christopher Allan Webber 2011-10-15 10:28:37 -05:00
commit 76c94f6edf
2 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mediagoblin/config_spec.ini
View File

@ -42,7 +42,7 @@ celery_setup_elsewhere = boolean(default=False)
allow_attachments = boolean(default=False) allow_attachments = boolean(default=False)
# Cookie stuff # Cookie stuff
csrf_cookie_name = string(default='mediagoblin_nonce') csrf_cookie_name = string(default='mediagoblin_csrftoken')
[storage:publicstore] [storage:publicstore]
storage_class = string(default="mediagoblin.storage.filestorage:BasicFileStorage") storage_class = string(default="mediagoblin.storage.filestorage:BasicFileStorage")

15
mediagoblin/middleware/csrf.py
View File

@ -25,9 +25,9 @@ from mediagoblin import mg_globals
# Use the system (hardware-based) random number generator if it exists. # Use the system (hardware-based) random number generator if it exists.
# -- this optimization is lifted from Django # -- this optimization is lifted from Django
if hasattr(random, 'SystemRandom'): if hasattr(random, 'SystemRandom'):
randrange = random.SystemRandom().randrange getrandbits = random.SystemRandom().getrandbits
else: else:
randrange = random.randrange getrandbits = random.getrandbits
class CsrfForm(Form): class CsrfForm(Form):
@ -54,7 +54,7 @@ class CsrfMiddleware(object):
and matches the form token for non-safe requests. and matches the form token for non-safe requests.
""" """
MAX_CSRF_KEY = 2 << 63 CSRF_KEYLEN = 64
SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE") SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
def __init__(self, mg_app): def __init__(self, mg_app):
@ -92,9 +92,8 @@ class CsrfMiddleware(object):
response.set_cookie( response.set_cookie(
mg_globals.app_config['csrf_cookie_name'], mg_globals.app_config['csrf_cookie_name'],
request.environ['CSRF_TOKEN'], request.environ['CSRF_TOKEN'],
max_age=60 * 60 * 24 * 7 * 52, path=request.environ['SCRIPT_NAME'],
path='/', domain=mg_globals.app_config.get('csrf_cookie_domain'),
domain=mg_globals.app_config.get('csrf_cookie_domain', None),
secure=(request.scheme.lower() == 'https'), secure=(request.scheme.lower() == 'https'),
httponly=True) httponly=True)
@ -104,9 +103,7 @@ class CsrfMiddleware(object):
def _make_token(self, request): def _make_token(self, request):
"""Generate a new token to use for CSRF protection.""" """Generate a new token to use for CSRF protection."""
return hashlib.md5("%s%s" % return "%s" % (getrandbits(self.CSRF_KEYLEN),)
(randrange(0, self.MAX_CSRF_KEY),
randrange(0, self.MAX_CSRF_KEY))).hexdigest()
def verify_tokens(self, request): def verify_tokens(self, request):
"""Verify that the CSRF Cookie exists and that it matches the """Verify that the CSRF Cookie exists and that it matches the