Commit 3b50185d authored by Robin Sonnabend's avatar Robin Sonnabend

Use hmac.compare_digest for csrf token comparison

parent c881adf3
from flask import request, flash, abort from flask import request, flash, abort
from functools import wraps from functools import wraps
from hmac import compare_digest
from models.database import ALL_MODELS from models.database import ALL_MODELS
from shared import current_user from shared import current_user
...@@ -97,8 +98,8 @@ def protect_csrf(function): ...@@ -97,8 +98,8 @@ def protect_csrf(function):
@wraps(function) @wraps(function)
def _decorated_function(*args, **kwargs): def _decorated_function(*args, **kwargs):
token = request.args.get("csrf_token") token = request.args.get("csrf_token")
if token != get_csrf_token(): true_token = get_csrf_token()
print(token, get_csrf_token()) if token is None or not compare_digest(token, true_token):
abort(400) abort(400)
return function(*args, **kwargs) return function(*args, **kwargs)
return _decorated_function return _decorated_function
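Review bot: The new `compare_digest(token, true_token)` call raises `TypeError` when the two `str` arguments are not both ASCII-only (or when one of them is not a `str`), so a request carrying a non-ASCII `csrf_token` query parameter now fails with a 500 instead of the intended 400. Comparing the UTF-8 encodings avoids that: `if token is None or not compare_digest(token.encode("utf-8"), true_token.encode("utf-8")):`. If `get_csrf_token()` can return `None` (e.g. no session yet) that would hit the same `TypeError` and should be guarded with `true_token is None or ...` as well — cannot confirm from the hunk. Note also that the token is still read from `request.args`, i.e. the query string, which ends up in server logs and Referer headers; that is pre-existing, but worth a `# NOTE: token travels in the URL` comment or a move to form data. The enclosing `protect_csrf` definition begins before this hunk.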