Integrated csrf tokens into url_for (fixes #109)

59c1e26c · Julian Rother · 01a9a386 · 59c1e26c · 59c1e26c · 59c1e26c
Commit 59c1e26c authored Oct 15, 2016 by Julian Rother
--- a/server.py
+++ b/server.py
@@ -71,7 +71,10 @@ def mod_required(func):
 			return func(*args, **kwargs)
 	return decorator

+csrf_endpoints = []
+
 def csrf_protect(func):
+	csrf_endpoints.append(func.__name__)
 	@wraps(func)
 	def decorator(*args, **kwargs):
 		if '_csrf_token' in request.values:
@@ -79,13 +82,19 @@ def csrf_protect(func):
 		elif request.get_json() and ('_csrf_token' in request.get_json()):
 			token = request.get_json()['_csrf_token']
 		else:
-			token = none
+			token = None
 		if not ('_csrf_token' in session) or (session['_csrf_token'] != token ) or not token: 
 			return 'csrf test failed', 403
 		else:
 			return func(*args, **kwargs)
 	return decorator

+@app.url_defaults
+def csrf_inject(endpoint, values):
+	if endpoint not in csrf_endpoints or not session['_csrf_token']:
+		return
+	values['_csrf_token'] = session['_csrf_token']
+
 def evalperm(perms):
 	cperms = []
 	lperms = []

--- a/templates/course.html
+++ b/templates/course.html
@@ -51,7 +51,7 @@
 </div>
 <div class="panel panel-default">
 	<div class="panel-heading">
-		<h1 class="panel-title">Videos{% if ismod() %} <a class="btn btn-default" style="margin-right: 5px;" href="{{ url_for('create', table='lectures', time=datetime.now(), title='Noch kein Titel', visible='0', course_id=course.id, ref=request.url, _csrf_token=session['_csrf_token']) }}">Neuer Termin</a><a class="btn btn-default" style="margin-right: 5px;" href="{{url_for('import_from', id=course['id'])}}">Campus Import</a>{% endif %} <a class="fa fa-rss-square pull-right" aria-hidden="true" href="{{url_for('feed', handle=course.handle)}}" style="text-decoration: none"></a> </h1>
+		<h1 class="panel-title">Videos{% if ismod() %} <a class="btn btn-default" style="margin-right: 5px;" href="{{ url_for('create', table='lectures', time=datetime.now(), title='Noch kein Titel', visible='0', course_id=course.id, ref=request.url) }}">Neuer Termin</a><a class="btn btn-default" style="margin-right: 5px;" href="{{url_for('import_from', id=course['id'])}}">Campus Import</a>{% endif %} <a class="fa fa-rss-square pull-right" aria-hidden="true" href="{{url_for('feed', handle=course.handle)}}" style="text-decoration: none"></a> </h1>
 	</div>
 	<ul class="list-group lectureslist">
 		{% for l in lectures %}

--- a/templates/courses.html
+++ b/templates/courses.html
@@ -9,7 +9,7 @@
 			</li>
 			{% if ismod() %} 
 			<li>
-				<a class="btn btn-default" href="{{ url_for('create', table='courses', handle='new'+(randint(0,1000)|string), title='Neue Veranstaltung', responsible=session.user.givenName, ref=request.url, _csrf_token=session['_csrf_token']) }}">Neue Veranstaltung</a>
+				<a class="btn btn-default" href="{{ url_for('create', table='courses', handle='new'+(randint(0,1000)|string), title='Neue Veranstaltung', responsible=session.user.givenName, ref=request.url) }}">Neue Veranstaltung</a>
 			</li>
 			{% endif %}
 			<li class="dropdown" style="padding-right: 0px">

--- a/templates/index.html
+++ b/templates/index.html
@@ -54,7 +54,7 @@
 	<div class="col-xs-12">
 		<ul class="list-inline pull-right">
 			<li style="padding-right: 0px;">
-				<a class="btn btn-default" href="{{ url_for('create', table='announcements', text='Neue Ankündigung', time_publish=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0), time_expire=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)+timedelta(days=7), ref=request.url, _csrf_token=session['_csrf_token']) }}">Neue Ankündigung</a>
+				<a class="btn btn-default" href="{{ url_for('create', table='announcements', text='Neue Ankündigung', time_publish=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0), time_expire=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)+timedelta(days=7), ref=request.url) }}">Neue Ankündigung</a>
 			</li>
 		</ul>
 	</div>