o g'@sddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z ddlm Z ddl m Z dd l mZdd l mZdd lmZdd lmZdd lmZdZeeZdddZd ddZ d!ddZGdddeZGdddZGdddeZddZ dS)"N)urlparse) Blueprint) current_app)g)request)session)BadData)SignatureExpired)URLSafeTimedSerializer) BadRequest)ValidationError)CSRF) generate_csrf validate_csrf CSRFProtectcCst|dtjdd}t|dddd}|tvrWt|dd}|tvr+tt d  t|<z | t|}Wnt yPtt d  t|<| t|}Ynwt t||t|S) aGenerate a CSRF token. The token is cached for a request, so multiple calls to this function will generate the same token. During testing, it might be useful to access the signed token in ``g.csrf_token`` and the raw token in ``session['csrf_token']``. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param token_key: Key where token is stored in session for comparison. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. WTF_CSRF_SECRET_KEY%A secret key is required to use CSRF.messageWTF_CSRF_FIELD_NAME csrf_token%A field name is required to use CSRF.wtf-csrf-tokensalt@) _get_configr secret_keyrr rhashlibsha1osurandom hexdigestdumps TypeErrorsetattrget)r token_key field_namestokenr+[/var/www/html/portale_awareness/portale-venv/lib/python3.10/site-packages/flask_wtf/csrf.pyrs0     rc Cst|dtjdd}t|dddd}t|ddd d }|std |tvr'td t|d d}z |j||d}Wn!tyG}ztd|d}~wtyW}ztd|d}~wwt t||sdtddS)aCheck if the given data is a valid CSRF token. This compares the given signed token to the one stored in the session. :param data: The signed CSRF token to be checked. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param time_limit: Number of seconds that the token is valid. Default is ``WTF_CSRF_TIME_LIMIT`` or 3600 seconds (60 minutes). :param token_key: Key where token is stored in session for comparison. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. :raises ValidationError: Contains the reason that validation failed. .. versionchanged:: 0.14 Raises ``ValidationError`` with a specific error message rather than returning ``True`` or ``False``. rrrrrrWTF_CSRF_TIME_LIMITF)requiredzThe CSRF token is missing.z"The CSRF session token is missing.rr)max_agezThe CSRF token has expired.NzThe CSRF token is invalid.zThe CSRF tokens do not match.) rrrr rr loadsr rhmaccompare_digest)datar time_limitr'r(r)r*er+r+r,rBs<   rTCSRF is not configured.cCs.|dur tj||}|r|durt||S)aFind config value based on provided value, Flask config, and default value. :param value: already provided config value :param config_name: Flask ``config`` key :param default: default value if not provided or configured :param required: whether the value must not be ``None`` :param message: error message if required config is not found :raises KeyError: if required config is not found N)rconfigr& RuntimeError)value config_namedefaultr/rr+r+r,rvs  rcs,eZdZfddZddZddZZS)_FlaskFormCSRFcs|j|_t|SN)metasuper setup_form)selfform __class__r+r,rAs z_FlaskFormCSRF.setup_formcCst|jj|jjdS)N)rr')rr? csrf_secretcsrf_field_name)rBcsrf_token_fieldr+r+r,generate_csrf_tokens z"_FlaskFormCSRF.generate_csrf_tokenc Cs^tddrdSzt|j|jj|jj|jjWdSty.}z t |j dd}~ww)N csrf_validFr) rr&rr4r?rFcsrf_time_limitrGr loggerinfoargs)rBrCfieldr6r+r+r,validate_csrf_tokens  z"_FlaskFormCSRF.validate_csrf_token)__name__ __module__ __qualname__rArIrP __classcell__r+r+rDr,r=s r=c@sBeZdZdZdddZddZddZd d Zd d Zd dZ dS)ra[Enable CSRF protection globally for a Flask app. :: app = Flask(__name__) csrf = CSRFProtect(app) Checks the ``csrf_token`` field sent with forms, or the ``X-CSRFToken`` header sent with JavaScript requests. Render the token in templates using ``{{ csrf_token() }}``. See the :ref:`csrf` documentation. NcCs&t|_t|_|r||dSdSr>)set _exempt_views_exempt_blueprintsinit_app)rBappr+r+r,__init__s zCSRFProtect.__init__csjd<jddjddtjdgdjd<jddjd d d gjd d jddtjjd<ddj fdd}dS)NcsrfWTF_CSRF_ENABLEDTWTF_CSRF_CHECK_DEFAULTWTF_CSRF_METHODS)POSTPUTPATCHDELETErrWTF_CSRF_HEADERSz X-CSRFTokenz X-CSRF-Tokenr-r.WTF_CSRF_SSL_STRICTcSsdtiS)Nr)rr+r+r+r,sz&CSRFProtect.init_app..csjdsdSjdsdStjjdvrdStjsdSjtjjvr)dSjtj}|j d|j }|j vr@dS dS)Nr\r]r^.) r8rmethodendpoint blueprintsr& blueprintrWview_functionsrRrQrVprotect)viewdestrYrBr+r, csrf_protects    z*CSRFProtect.init_app..csrf_protect) extensionsr8 setdefaultrUr&r jinja_envglobalscontext_processorbefore_request)rBrYrpr+ror,rXs   zCSRFProtect.init_appcCsvtjd}tj|}|r|StjD]}||r$tj|}|r$|SqtjdD]}tj|}|r8|Sq*dS)Nrrc)rr8rrCr&endswithheaders)rBr( base_tokenkeyr header_namer+r+r,_get_csrf_tokens      zCSRFProtect._get_csrf_tokenc Cstjtjdvr dSzt|Wn"ty4}zt|j d| |j dWYd}~nd}~wwtj rWtjdrWtj sE| ddtj d}ttj |sW| ddt_dS) Nr^rrdzThe referrer header is missing.zhttps:///z%The referrer does not match the host.T)rrgrr8rr|r rLrMrN_error_response is_securereferrerhost same_originrrJ)rBr6 good_referrerr+r+r,rls     zCSRFProtect.protectcCsLt|tr |j||St|tr|}n d|j|jf}|j||S)aMark a view or blueprint to be excluded from CSRF protection. :: @app.route('/some-view', methods=['POST']) @csrf.exempt def some_view(): ... :: bp = Blueprint(...) csrf.exempt(bp) rf) isinstancerrWaddstrjoinrRrQrV)rBrm view_locationr+r+r,exempts    zCSRFProtect.exemptcCst|r>) CSRFError)rBreasonr+r+r,r~2szCSRFProtect._error_responser>) rQrRrS__doc__rZrXr|rlrr~r+r+r+r,rs ) rc@seZdZdZdZdS)rzRaise if the client sends invalid CSRF data with the request. Generates a 400 Bad Request response with the failure reason by default. Customize the response by registering a handler with :meth:`flask.Flask.errorhandler`. zCSRF validation failed.N)rQrRrSr descriptionr+r+r+r,r6srcCs4t|}t|}|j|jko|j|jko|j|jkSr>)rschemehostnameport) current_uri compare_uricurrentcomparer+r+r,rAs   r)NN)NNN)NTr7)!rr2loggingr urllib.parserflaskrrrrr itsdangerousrr r werkzeug.exceptionsr wtformsr wtforms.csrf.corer __all__ getLoggerrQrLrrrr=rrrr+r+r+r,s6               +5