csrf的中间件
csrf的中间件
源码简略分析:
def process_request(self, request):
# 从cookies中获取csrf_token
csrf_token = self._get_token(request)
if csrf_token is not None:
# Use same token next time.
# 将csrf_token添加到request的头部信息中
request.META['CSRF_COOKIE'] = csrf_token
def process_view(self, request, callback, callback_args, callback_kwargs):
# csrf校验已经完成
if getattr(request, 'csrf_processing_done', False):
return None
# Wait until request.META["CSRF_COOKIE"] has been manipulated before
# bailing out, so that get_token still works
# 豁免
if getattr(callback, 'csrf_exempt', False):
return None
# Assume that anything not defined as 'safe' by RFC7231 needs protection
# 如果请求方式不在其中
if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
# 如果不需要进行csrf校验
if getattr(request, '_dont_enforce_csrf_checks', False):
# Mechanism to turn off CSRF checks for test suite.
# It comes after the creation of CSRF cookies, so that
# everything else continues to work exactly the same
# (e.g. cookies are sent, etc.), but before any
# branches that call reject().
return self._accept(request)
# 如果请求方式是https
if request.is_secure():
# Suppose user visits http://example.com/
# An active network attacker (man-in-the-middle, MITM) sends a
# POST form that targets https://example.com/detonate-bomb/ and
# submits it via JavaScript.
#
# The attacker will need to provide a CSRF cookie and token, but
# that's no problem for a MITM and the session-independent
# secret we're using. So the MITM can circumvent the CSRF
# protection. This is true for any HTTP connection, but anyone
# using HTTPS expects better! For this reason, for
# https://example.com/ we need additional protection that treats
# http://example.com/ as completely untrusted. Under HTTPS,
# Barth et al. found that the Referer header is missing for
# same-domain requests in only about 0.2% of cases or less, so
# we can use strict Referer checking.
referer = force_text(
request.META.get('HTTP_REFERER'),
strings_only=True,
errors='replace'
)
if referer is None:
return self._reject(request, REASON_NO_REFERER)
referer = urlparse(referer)
# Make sure we have a valid URL for Referer.
if '' in (referer.scheme, referer.netloc):
return self._reject(request, REASON_MALFORMED_REFERER)
# Ensure that our Referer is also secure.
if referer.scheme != 'https':
return self._reject(request, REASON_INSECURE_REFERER)
# If there isn't a CSRF_COOKIE_DOMAIN, require an exact match
# match on host:port. If not, obey the cookie rules (or those
# for the session cookie, if CSRF_USE_SESSIONS).
good_referer = (
settings.SESSION_COOKIE_DOMAIN
if settings.CSRF_USE_SESSIONS
else settings.CSRF_COOKIE_DOMAIN
)
if good_referer is not None:
server_port = request.get_port()
if server_port not in ('443', '80'):
good_referer = '%s:%s' % (good_referer, server_port)
else:
# request.get_host() includes the port.
good_referer = request.get_host()
# Here we generate a list of all acceptable HTTP referers,
# including the current host since that has been validated
# upstream.
good_hosts = list(settings.CSRF_TRUSTED_ORIGINS)
good_hosts.append(good_referer)
if not any(is_same_domain(referer.netloc, host) for host in good_hosts):
reason = REASON_BAD_REFERER % referer.geturl()
return self._reject(request, reason)
# 从MATA中获取'CSRF_COOKIE'(在process_request中设置的)
csrf_token = request.META.get('CSRF_COOKIE')
# csrf_token是空,校验失败
if csrf_token is None:
# No CSRF cookie. For POST requests, we insist on a CSRF cookie,
# and in this way we can avoid all CSRF attacks, including login
# CSRF.
return self._reject(request, REASON_NO_CSRF_COOKIE)
# Check non-cookie token for match.
request_csrf_token = ""
if request.method == "POST":
try:
# 在POST提交的数据中获取'csrfmiddlewaretoken'
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
except IOError:
# Handle a broken connection before we've completed reading
# the POST data. process_view shouldn't raise any
# exceptions, so we'll ignore and serve the user a 403
# (assuming they're still listening, which they probably
# aren't because of the error).
pass
# 如果POST数据中没有,则尝试从MATA中获取'x-csrftoken'
if request_csrf_token == "":
# Fall back to X-CSRFToken, to make things easier for AJAX,
# and possible for PUT/DELETE.
request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '')
request_csrf_token = _sanitize_token(request_csrf_token)
# 如果request_csrf_token和csrf_token不匹配,则校验失败
if not _compare_salted_tokens(request_csrf_token, csrf_token):
return self._reject(request, REASON_BAD_TOKEN)
return self._accept(request)
def process_response(self, request, response):
# 如果不需要需要重新设置csrftoken
if not getattr(request, 'csrf_cookie_needs_reset', False):
if getattr(response, 'csrf_cookie_set', False):
return response
if not request.META.get("CSRF_COOKIE_USED", False):
return response
# Set the CSRF cookie even if it's already set, so we renew
# the expiry timer.
# 依据META中的'CSRF_COOKIE'的值来设置csrftoken
self._set_token(request, response)
response.csrf_cookie_set = True
return response
csrf相关的装饰器:
from django.views.decorators.csrf import csrf_exempt, csrf_protect
# csrf_exempt 豁免csrf校验
# csrf_protect 强制进行csrf校验
from django.utils.decorators import method_decorator
@method_decorator(csrf_exempt, name='dispatch')
# csrf_exempt要加在CBV上,只能加dispatch上
csrf校验:
/1.想要能通过csrf校验的前提条件: 必须要有 csrftoken
的 cookie
{% csrf_token %}
,在POST请求数据中添加csrfmiddlewaretoken
from django.views.decorators.csrf import ensure_csrf_cookie
/2.从cookie
获取csrftoken
的值 与 POST提交的数据中的csrfmiddlewaretoken
的值做对比(如果从request.POST中获取不到csrfmiddlewaretoken
的值,会尝试从请求头META中获取x-csrftoken
的值)拿这个值与csrftoken的值做对比,对比成功通过校验。
csrf的中间件的更多相关文章
- Django(六)Session、CSRF、中间件
大纲 二.session 1.session与cookie对比 2.session基本原理及流程 3.session服务器操作(获取值.设置值.清空值) 4.session通用配置(在配置文件中) 5 ...
- Python之路-(Django(csrf,中间件,缓存,信号,Model操作,Form操作))
csrf 中间件 缓存 信号 Model操作 Form操作 csrf: 用 django 有多久,我跟 csrf 这个概念打交道就有久了. 每次初始化一个项目时都能看到 django.middlewa ...
- Django(5) session登录注销、csrf及中间件自定义、django Form表单验证(非常好用)
一.Django中默认支持Session,其内部提供了5种类型的Session供开发者使用: 数据库(默认) 缓存 文件 缓存+数据库 加密cookie 1.数据库Session 1 2 3 4 5 ...
- django学习之- CSRF及中间件
CSRF # 表示django全局发送post请求均需要字符串验证功能:防止跨站请求伪造的功能工作原理:客户端访问服务器端,在服务器端正常返回给客户端数据的时候,而外返回给客户端一段字符串,等到客户端 ...
- [Python自学] day-22 (1) (Session、CSRF、中间件)
一.响应函数补充 三种返回响应的方式: return HttpResponse() return render() return redirect() HttpResponse: 除了能够返回字符串, ...
- python 全栈开发,Day87(ajax登录示例,CSRF跨站请求伪造,Django的中间件,自定义分页)
一.ajax登录示例 新建项目login_ajax 修改urls.py,增加路径 from app01 import views urlpatterns = [ path('admin/', admi ...
- django-cbv模式-csrf中间件
1. django模式 def users(request): user_list = ['alex','oldboy'] return HttpResponse(json.dumps((user_l ...
- Django-中间件-csrf扩展请求伪造拦截中间件-Django Auth模块使用-效仿 django 中间件配置实现功能插拔式效果-09
目录 昨日补充:将自己写的 login_auth 装饰装在 CBV 上 django 中间件 django 请求生命周期 ***** 默认中间件及其大概方法组成 中间件的执行顺序 自定义中间件探究不同 ...
- django csrf 中间件
CSRF和中间件 CSRF使用 说明csrf存在cookie中 全局使用 MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', ...
随机推荐
- NOIP2016 D2T1 组合数问题
洛谷P2822 数学真重要啊…… 其实解这一题的关键就是组合恒等式:C(n,m)=C(n-1,m)+C(n-1,m-1),然后再知道组合数的矩阵(杨辉三角)和题中n,m的关系就很容易解决了(然而做这题 ...
- unigui ios微信界面错位和点击失灵问题
IOS微信下会出现二个严重问题: 1.输入框失去焦点导致控件错位,造成无点正常点击. 此问题是微信自带浏览器,一直遗留问题, 尝试了多种方法始终无解.因此要用来开发公众号的一定要注意. 2.界面下移 ...
- JavaScript正则表达式简介(一)
一.正则表达式 正则表达式Regular Expression,可以简写为regexp.regex或是RE. 正则表达式使用单个字符串来描述或是匹配一系列符合某个句法规则的字符串模型. 按照某种规则去 ...
- SQL server 字段合并CAST(org_no AS VARCHAR(20))+CAST(page_no AS VARCHAR(20))+CAST(djlb_no AS VARCHAR(20)))
sql server 字段合并(CAST) ---------------------- select (CAST(org_no AS VARCHAR(20))+CAST(page_no AS VAR ...
- 【bzoj1975】[Sdoi2010]魔法猪学院
*题目描述: iPig在假期来到了传说中的魔法猪学院,开始为期两个月的魔法猪训练.经过了一周理论知识和一周基本魔法的学习之后,iPig对猪世界的世界本原有了很多的了解:众所周知,世界是由元素构成的:元 ...
- IOC和AOP使用扩展之AOP详解实现类
摘要: “Depend on yourself” is what nature says to every man. Parents can help you. Teachers can hel ...
- Codeforce |Educational Codeforces Round 77 (Rated for Div. 2) B. Obtain Two Zeroes
B. Obtain Two Zeroes time limit per test 1 second memory limit per test 256 megabytes input standard ...
- [CSP-S模拟测试]:小P的2048(模拟)
题目描述 最近,小$P$迷上了一款叫做$2048$的游戏.这块游戏在一个$n\times n$的棋盘中进行,棋盘的每个格子中可能有一个形如$2^k(k\in N^*)$的数,也可能是空的.游戏规则介绍 ...
- 北风设计模式课程---依赖倒置原则(Dependency Inversion Principle)
北风设计模式课程---依赖倒置原则(Dependency Inversion Principle) 一.总结 一句话总结: 面向对象技术的根基:依赖倒置原则(Dependency Inversion ...
- docker-dnsmasq使用
docker-dnsmasq支持通过web页面配置域名映射,镜像地址:https://hub.docker.com/r/jpillora/dnsmasq 使用步骤如下: 1.在Docker宿主上创建 ...