首页 仓库(发现) 帮助
登录
guorui
/
Ruoyi-Flask-admin
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: bbe822a5c0
分支列表 标签列表
Ruoyi-Flask-adm...
/
flasky
/
Lib
/
site-packages
/
wtforms
/
ext
/
csrf
/
session.py

session.py 2.6 KB
文件历史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. """
    2. 

  2. A provided CSRF implementation which puts CSRF data in a session.
    3. 

  3. 

  4. This can be used fairly comfortably with many `request.session` type
    5. 

  5. objects, including the Werkzeug/Flask session store, Django sessions, and
    6. 

  6. potentially other similar objects which use a dict-like API for storing
    7. 

  7. session keys.
    8. 

  8. 

  9. The basic concept is a randomly generated value is stored in the user's
    10. 

  10. session, and an hmac-sha1 of it (along with an optional expiration time,
    11. 

  11. for extra security) is used as the value of the csrf_token. If this token
    12. 

  12. validates with the hmac of the random value + expiration time, and the
    13. 

  13. expiration time is not passed, the CSRF validation will pass.
    14. 

  14. """
    15. 

  15. from __future__ import unicode_literals
    16. 

  16. 

  17. import hmac
    18. 

  18. import os
    19. 

  19. 

  20. from hashlib import sha1
    21. 

  21. from datetime import datetime, timedelta
    22. 

  22. 

  23. from ...validators import ValidationError
    24. 

  24. from .form import SecureForm
    25. 

  25. 

  26. __all__ = ('SessionSecureForm', )
    27. 

  27. 

  28. 

  29. class SessionSecureForm(SecureForm):
    30. 

  30.     TIME_FORMAT = '%Y%m%d%H%M%S'
    31. 

  31.     TIME_LIMIT = timedelta(minutes=30)
    32. 

  32.     SECRET_KEY = None
    33. 

  33. 

  34.     def generate_csrf_token(self, csrf_context):
    35. 

  35.         if self.SECRET_KEY is None:
    36. 

  36.             raise Exception('must set SECRET_KEY in a subclass of this form for it to work')
    37. 

  37.         if csrf_context is None:
    38. 

  38.             raise TypeError('Must provide a session-like object as csrf context')
    39. 

  39. 

  40.         session = getattr(csrf_context, 'session', csrf_context)
    41. 

  41. 

  42.         if 'csrf' not in session:
    43. 

  43.             session['csrf'] = sha1(os.urandom(64)).hexdigest()
    44. 

  44. 

  45.         self.csrf_token.csrf_key = session['csrf']
    46. 

  46.         if self.TIME_LIMIT:
    47. 

  47.             expires = (datetime.now() + self.TIME_LIMIT).strftime(self.TIME_FORMAT)
    48. 

  48.             csrf_build = '%s%s' % (session['csrf'], expires)
    49. 

  49.         else:
    50. 

  50.             expires = ''
    51. 

  51.             csrf_build = session['csrf']
    52. 

  52. 

  53.         hmac_csrf = hmac.new(self.SECRET_KEY, csrf_build.encode('utf8'), digestmod=sha1)
    54. 

  54.         return '%s##%s' % (expires, hmac_csrf.hexdigest())
    55. 

  55. 

  56.     def validate_csrf_token(self, field):
    57. 

  57.         if not field.data or '##' not in field.data:
    58. 

  58.             raise ValidationError(field.gettext('CSRF token missing'))
    59. 

  59. 

  60.         expires, hmac_csrf = field.data.split('##')
    61. 

  61. 

  62.         check_val = (field.csrf_key + expires).encode('utf8')
    63. 

  63. 

  64.         hmac_compare = hmac.new(self.SECRET_KEY, check_val, digestmod=sha1)
    65. 

  65.         if hmac_compare.hexdigest() != hmac_csrf:
    66. 

  66.             raise ValidationError(field.gettext('CSRF failed'))
    67. 

  67. 

  68.         if self.TIME_LIMIT:
    69. 

  69.             now_formatted = datetime.now().strftime(self.TIME_FORMAT)
    70. 

  70.             if now_formatted > expires:
    71. 

  71.                 raise ValidationError(field.gettext('CSRF token expired'))
    72.