[odrs-web] Protect all forms against CSRF
- From: Richard Hughes <rhughes src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [odrs-web] Protect all forms against CSRF
- Date: Sat, 21 Sep 2019 12:16:13 +0000 (UTC)
commit a4b674ea063990844263b9fec53dc6c4f1d15d17
Author: Richard Hughes <richard hughsie com>
Date: Thu Jul 25 14:39:20 2019 +0200
Protect all forms against CSRF
app_data/odrs/__init__.py | 10 +++++++++-
app_data/odrs/templates/components.html | 1 +
app_data/odrs/templates/login.html | 1 +
app_data/odrs/templates/modadmin.html | 2 ++
app_data/odrs/templates/mods.html | 1 +
app_data/odrs/templates/search.html | 1 +
app_data/odrs/templates/show.html | 1 +
app_data/odrs/templates/taboos.html | 1 +
app_data/odrs/tests/odrs_test.py | 1 +
9 files changed, 18 insertions(+), 1 deletion(-)
---
diff --git a/app_data/odrs/__init__.py b/app_data/odrs/__init__.py
index 9d8729f..2bd88f3 100644
--- a/app_data/odrs/__init__.py
+++ b/app_data/odrs/__init__.py
@@ -9,10 +9,11 @@
import os
-from flask import Flask, flash, render_template, g
+from flask import Flask, flash, render_template, g, redirect, url_for
from flask_login import LoginManager
from flask_migrate import Migrate
from flask_sqlalchemy import SQLAlchemy
+from flask_wtf.csrf import CSRFProtect, CSRFError
from werkzeug.local import LocalProxy
from .dbutils import drop_db, init_db
@@ -32,6 +33,8 @@ db = SQLAlchemy(app)
migrate = Migrate(app, db)
+csrf = CSRFProtect(app)
+
@app.cli.command('initdb')
def initdb_command():
init_db(db)
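Review bot: `csrf = CSRFProtect(app)` enforces a token on every POST/PUT/PATCH/DELETE request to the application, which presumably includes the JSON endpoints registered by `views_api` (imported in the next hunk), and the diff adds no `csrf.exempt` for them, so non-browser clients submitting reviews would start receiving CSRF failures. If those routes are meant to stay token-free, exempt them explicitly with `@csrf.exempt` on each API view while leaving the admin forms protected. A comment on the new line would spare the next reader the question: `# enforces a csrf_token on every POST/PUT/PATCH/DELETE request; exempt non-browser API views with @csrf.exempt`.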
@@ -59,6 +62,11 @@ def error_page_not_found(msg=None):
flash(msg)
return render_template('error.html'), 404
+@app.errorhandler(CSRFError)
+def error_csrf(e):
+ flash(str(e), 'danger')
+ return redirect(url_for('.odrs_index'))
+
from odrs import views
from odrs import views_api
from odrs import views_admin
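Review bot: `error_csrf` turns every CSRF failure into a 302 to the index page, so a request that should fail closed with a 400 looks like a successful redirect to any non-browser client and to the test client; mirroring `error_page_not_found` above with `return render_template('error.html'), e.code` keeps the original status while still showing the flashed message. `str(e)` on a werkzeug `HTTPException` also prefixes the text with the status code and name, so `flash(e.description, 'danger')` is the cleaner message to show. The module-level code continues outside the hunk.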
diff --git a/app_data/odrs/templates/components.html b/app_data/odrs/templates/components.html
index 27171d9..7967a0c 100644
--- a/app_data/odrs/templates/components.html
+++ b/app_data/odrs/templates/components.html
@@ -11,6 +11,7 @@
</p>
{% else %}
<form method="post" action="{{url_for('admin_component_join2')}}">
+<input type="hidden" name="csrf_token" value="{{csrf_token()}}"/>
<table class="table table-hover table-responsive">
<tr class="row">
<th class="col-sm-4">AppStream ID</th>
diff --git a/app_data/odrs/templates/login.html b/app_data/odrs/templates/login.html
index 41af145..4a6b9d6 100644
--- a/app_data/odrs/templates/login.html
+++ b/app_data/odrs/templates/login.html
@@ -5,6 +5,7 @@
<div class="col-sm-8 col-md-6 col-centered">
<form class="form" method="POST" action="">
+ <input type="hidden" name="csrf_token" value="{{csrf_token()}}"/>
<h1>User Login</h1>
<div class="form-group">
<label for="username" class="control-label">Username:</label>
diff --git a/app_data/odrs/templates/modadmin.html b/app_data/odrs/templates/modadmin.html
index eec9aea..3c75d5f 100644
--- a/app_data/odrs/templates/modadmin.html
+++ b/app_data/odrs/templates/modadmin.html
@@ -6,6 +6,7 @@
<h1>Details of user ‘{{u.username}}’</h1>
<form method="post" action="{{url_for('admin_user_modify_by_admin', moderator_id=u.moderator_id)}}">
+ <input type="hidden" name="csrf_token" value="{{csrf_token()}}"/>
<table>
<tr>
<td>Display Name:</td>
@@ -38,6 +39,7 @@
<button type="submit" class="btn btn-primary btn-large" class="submit">Modify</button>
{% if u.username != 'admin' and current_user.is_admin %}
<form method="get" action="{{url_for('admin_moderate_delete', moderator_id=u.moderator_id)}}">
+ <input type="hidden" name="csrf_token" value="{{csrf_token()}}"/>
{% endif %}
<button class="btn btn-danger btn-large">Delete</button>
</form>
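Review bot: The hidden `csrf_token` added to the `admin_moderate_delete` form is inert: the form submits with `method="get"`, and flask-wtf only validates tokens on POST/PUT/PATCH/DELETE (the `WTF_CSRF_METHODS` default), so this delete action stays reachable without a token, and the token is additionally copied into the URL query string where it can land in server logs and Referer headers. Change the form to `<form method="post" action="{{url_for('admin_moderate_delete', moderator_id=u.moderator_id)}}">` and have the `admin_moderate_delete` view accept POST so the token is actually checked. The same GET-form-with-token pattern is added in search.html for the `admin_search` form, where the token should simply be dropped since a search is read-only and a GET is never validated.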
diff --git a/app_data/odrs/templates/mods.html b/app_data/odrs/templates/mods.html
index 3df4ab8..c520fa8 100644
--- a/app_data/odrs/templates/mods.html
+++ b/app_data/odrs/templates/mods.html
@@ -27,6 +27,7 @@
<h3>Create new</h3>
<form method="post" action="{{url_for('admin_moderator_add')}}" class="form">
+<input type="hidden" name="csrf_token" value="{{csrf_token()}}"/>
<table>
<tr>
<th>Username:</th>
diff --git a/app_data/odrs/templates/search.html b/app_data/odrs/templates/search.html
index 0b4c231..34a2491 100644
--- a/app_data/odrs/templates/search.html
+++ b/app_data/odrs/templates/search.html
@@ -4,6 +4,7 @@
{% block content %}
<form method="get" class="" action="{{url_for('.admin_search')}}">
+ <input type="hidden" name="csrf_token" value="{{csrf_token()}}"/>
<input type="text" class="" aria-label="search" name="value" required>
<button class="input-group-text" type="submit">Search</button>
</form>
diff --git a/app_data/odrs/templates/show.html b/app_data/odrs/templates/show.html
index 54af798..f6f1b7c 100644
--- a/app_data/odrs/templates/show.html
+++ b/app_data/odrs/templates/show.html
@@ -4,6 +4,7 @@
{% block content %}
<form class="form" name="myform" action="{{url_for('admin_modify', review_id=r.review_id)}}" method="POST">
+<input type="hidden" name="csrf_token" value="{{csrf_token()}}"/>
<div class="card">
<div class="card-body">
diff --git a/app_data/odrs/templates/taboos.html b/app_data/odrs/templates/taboos.html
index 32dd533..a7309ac 100644
--- a/app_data/odrs/templates/taboos.html
+++ b/app_data/odrs/templates/taboos.html
@@ -11,6 +11,7 @@
</p>
{% else %}
<form method="post" action="{{url_for('admin_taboo_add')}}" class="form">
+<input type="hidden" name="csrf_token" value="{{csrf_token()}}"/>
<table class="table table-hover table-responsive">
<tr class="row">
<th class="col-sm-1">Locale</th>
diff --git a/app_data/odrs/tests/odrs_test.py b/app_data/odrs/tests/odrs_test.py
index 1663d80..15b2cdf 100644
--- a/app_data/odrs/tests/odrs_test.py
+++ b/app_data/odrs/tests/odrs_test.py
@@ -36,6 +36,7 @@ class OdrsTest(unittest.TestCase):
"SQLALCHEMY_TRACK_MODIFICATIONS = False",
"SECRET_KEY = 'not-secret4'",
"ODRS_REVIEWS_SECRET = '1'",
+ "WTF_CSRF_CHECK_DEFAULT = False",
"DEBUG = True",
]))
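Review bot: `WTF_CSRF_CHECK_DEFAULT = False` switches enforcement off for the entire suite, so no test observes a POST without `csrf_token` being rejected or the new `error_csrf` handler firing, and a regression that removes `CSRFProtect(app)` would pass unnoticed. Keeping the default off for convenience is fine, but add at least one case that re-enables checking (`WTF_CSRF_CHECK_DEFAULT = True`, with `WTF_CSRF_ENABLED` left on) and asserts that an admin form POST without a token does not succeed. The `OdrsTest` class and the config literal both continue outside the hunk.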