Skip to content
Snippets Groups Projects
Commit 3b50185d authored by Robin Sonnabend's avatar Robin Sonnabend
Browse files

Use hmac.compare_digest for csrf token comparison

parent c881adf3
Branches
Tags
No related merge requests found
Show whitespace changes
Inline Side-by-side
Showing
with 3 additions and 2 deletions
decorators.py
+ 3
2
View file @ 3b50185d
from flask import request, flash, abort from flask import request, flash, abort
from functools import wraps from functools import wraps
from hmac import compare_digest
from models.database import ALL_MODELS from models.database import ALL_MODELS
from shared import current_user from shared import current_user
...@@ -97,8 +98,8 @@ def protect_csrf(function): ...@@ -97,8 +98,8 @@ def protect_csrf(function):
@wraps(function) @wraps(function)
def _decorated_function(*args, **kwargs): def _decorated_function(*args, **kwargs):
token = request.args.get("csrf_token") token = request.args.get("csrf_token")
if token != get_csrf_token(): true_token = get_csrf_token()
print(token, get_csrf_token()) if token is None or not compare_digest(token, true_token):
abort(400) abort(400)
return function(*args, **kwargs) return function(*args, **kwargs)
return _decorated_function return _decorated_function
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment