U ak5@s*dZddlZddlZddlZddlmZddlmZddlm Z m Z ddl m Z ddl mZddlmZmZdd lmZdd lmZdd lmZed Zd ZdZdZdZdZdZdZ de Z!ej"ej#Z$dZ%ddZ&ddZ'ddZ(ddZ)ddZ*d d!Z+d"d#Z,d$d%Z-d&d'Z.Gd(d)d)eZ/dS)*z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. N)urlparse)settings)DisallowedHostImproperlyConfigured) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)is_same_domain) log_responsezdjango.security.csrfz%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.z CSRF token missing or incorrect.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure. Z _csrftokencCs ttjS)z/Return the view to be used for CSRF rejections.)rrZCSRF_FAILURE_VIEWrr/home/adriano.carvalho/ftp/files/BrinquedotecaVirtual/brinquedotecavirtual/venv/lib/python3.8/site-packages/django/middleware/csrf.py_get_failure_view$srcCs tttdS)N) allowed_chars)r CSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrrr_get_new_csrf_string)srcsPt}ttfdd|Dfdd|D}dfdd|D}||S)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a salt and using it to encrypt the secret. c3s|]}|VqdSNindex.0xcharsrr 4sz&_salt_cipher_secret..c3s&|]\}}||tVqdSr)lenrryrrrr5s)rrzipjoin)secretsaltpairscipherrrr_salt_cipher_secret-s &r)csZ|dt}|td}ttfdd|Dfdd|D}dfdd|DS)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a salt), use it to decrypt the second half to produce the original secret. Nc3s|]}|VqdSrrrrrrrBsz'_unsalt_cipher_token..rc3s|]\}}||VqdSrrr!rrrrCs)rrr#r$)tokenr&r'rrr_unsalt_cipher_token9s   &r+cCs ttSr)r)rrrrr_get_new_csrf_tokenFsr,cCs@d|jkr t}t||jd<nt|jd}d|jd<t|S)a Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor. CSRF_COOKIETCSRF_COOKIE_USED)METArr)r+)requestZ csrf_secretrrr get_tokenJs  r1cCs|jdtdd|_dS)zi Change the CSRF token in use for a request - should be done on login for security purposes. T)r.r-N)r/updater,csrf_cookie_needs_reset)r0rrr rotate_token]s r4cCs<td|rtSt|tkr"|St|tkr6t|StS)Nz [^a-zA-Z0-9])researchr,r CSRF_TOKEN_LENGTHrr))r*rrr_sanitize_tokenis   r8cCstt|t|Sr)rr+)request_csrf_token csrf_tokenrrr_compare_salted_tokenszsr;c@sHeZdZdZddZddZddZdd Zd d Zd d Z ddZ dS)CsrfViewMiddlewarez Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie. This middleware should be used in conjunction with the {% csrf_token %} template tag. cCs d|_dS)NT)csrf_processing_done)selfr0rrr_acceptszCsrfViewMiddleware._acceptcCs(t||d}td||j||td|S)N)reasonzForbidden (%s): %s)responser0logger)rr pathrB)r>r0r@rArrr_rejectszCsrfViewMiddleware._rejectcCstjrFz|jtWStk rBtdtjdkr6dndYqXnBz|jtj }Wnt k rlYdSXt |}||krd|_ |SdS)NzCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE%s.Z_CLASSESrT) rCSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorrZ MIDDLEWAREZCOOKIESCSRF_COOKIE_NAMEKeyErrorr8r3)r>r0Z cookie_tokenr:rrr _get_tokens" zCsrfViewMiddleware._get_tokenc Csjtjr.|jt|jdkrf|jd|jt<n8|jtj|jdtjtj tj tj tj tj dt|ddS)Nr-)Zmax_agedomainrCsecurehttponlysamesite)Cookie)rrErFrGrHr/ set_cookierJZCSRF_COOKIE_AGECSRF_COOKIE_DOMAINZCSRF_COOKIE_PATHZCSRF_COOKIE_SECUREZCSRF_COOKIE_HTTPONLYZCSRF_COOKIE_SAMESITErr>r0rArrr _set_tokens zCsrfViewMiddleware._set_tokencCs ||}|dk r||jd<dS)Nr-)rLr/)r>r0r:rrrprocess_requests z"CsrfViewMiddleware.process_requestc st|ddrdSt|ddr dS|jdkrt|ddrB||S|rN|jddkrl||tStdj j fkr||t Sj dkr||t St jrt jnt j}|dk r|}|d krd ||f}n"z |}Wntk rYnXtt j}|dk r||tfd d |DsNt}|||S|jd } | dkrp||tSd} |jdkrz|jdd} Wntk rYnX| dkr|jt jd} t| } t| | s||t S||S)Nr=FZ csrf_exempt)GETHEADOPTIONSTRACEZ_dont_enforce_csrf_checksZ HTTP_REFERERrhttps)44380z%s:%sc3s|]}tj|VqdSr)r netloc)rhostZrefererrrrsz2CsrfViewMiddleware.process_view..r-POSTZcsrfmiddlewaretoken)!getattrmethodr?Z is_securer/rGrDREASON_NO_REFERERrschemer^REASON_MALFORMED_REFERERREASON_INSECURE_REFERERrrEZSESSION_COOKIE_DOMAINrSZget_portget_hostrlistZCSRF_TRUSTED_ORIGINSappendanyREASON_BAD_REFERERgeturlREASON_NO_CSRF_COOKIEraOSErrorZCSRF_HEADER_NAMEr8r;REASON_BAD_TOKEN) r>r0callback callback_argscallback_kwargsZ good_refererZ server_portZ good_hostsr@r:r9rr`r process_viewsb                        zCsrfViewMiddleware.process_viewcCsDt|ddst|ddr|S|jdds.|S|||d|_|S)Nr3Fcsrf_cookie_setr.T)rbr/rGrUrurTrrrprocess_response:s   z#CsrfViewMiddleware.process_responseN) __name__ __module__ __qualname____doc__r?rDrLrUrVrtrvrrrrr<s  mr<)0rzloggingr5string urllib.parserZ django.confrZdjango.core.exceptionsrrZ django.urlsrZdjango.utils.cacherZdjango.utils.cryptorr Zdjango.utils.deprecationr Zdjango.utils.httpr Zdjango.utils.logr getLoggerrBrdrlrnrprfrgrr7 ascii_lettersdigitsrrHrrr)r+r,r1r4r8r;r<rrrrsB