a QhM@sdZddlZddlZddlmZddlmZddlmZddl m Z m Z ddl m Z mZddlmZdd lmZdd lmZmZdd lmZdd lmZdd lmZddlmZddlmZe dZ!edZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,de,Z-ej.ej/Z0dZ1ddZ2d d!Z3d"d#Z4d$d%Z5d&d'Z6d(d)Z7d*d+Z8Gd,d-d-e9Z:d.d/Z;d0d1ZdS)6z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. N) defaultdicturlparse)settings)DisallowedHostImproperlyConfigured) HttpHeadersUnreadablePostError) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)cached_propertyis_same_domain) log_response)_lazy_re_compilezdjango.security.csrfz [^a-zA-Z0-9]z?Origin checking failed - %s does not match any trusted origins.z%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.zCSRF token missing.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.zhas incorrect lengthzhas invalid characters Z _csrftokencCs ttjS)z/Return the view to be used for CSRF rejections.)r rCSRF_FAILURE_VIEWrrO/var/www/sistema_ama/venv/lib/python3.9/site-packages/django/middleware/csrf.py_get_failure_view1srcCs tttdS)N) allowed_chars)r CSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrrr_get_new_csrf_string6srcsPt}ttfdd|Dfdd|D}dfdd|D}||S)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret. c3s|]}|VqdSNindex.0xcharsrr Az&_mask_cipher_secret..c3s&|]\}}||tVqdSr)lenr"r#yr$rrr&Br')rrzipjoin)secretmaskpairscipherrr$r_mask_cipher_secret:s &r2csZ|dt}|td}ttfdd|Dfdd|D}dfdd|DS)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret. Nc3s|]}|VqdSrrr!r$rrr&Or'z'_unmask_cipher_token..r(c3s|]\}}||VqdSrrr*r$rrr&Pr')rrr,r-)tokenr/r0rr$r_unmask_cipher_tokenFs   &r4cCs*t}|jtjrt|n|dd|S)zDGenerate a new random CSRF_COOKIE value, and add it to request.META.T) CSRF_COOKIECSRF_COOKIE_NEEDS_UPDATE)rMETAupdaterCSRF_COOKIE_MASKEDr2request csrf_secretrrr_add_new_csrf_cookieSs  r=cCs0d|jvr |jd}d|jd<nt|}t|S)a Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor. r5Tr6)r7r=r2r:rrr get_tokenes   r>cCs t|dS)zi Change the CSRF token in use for a request - should be done on login for security purposes. N)r=)r;rrr rotate_tokenzsr?c@seZdZddZdS)InvalidTokenFormatcCs ||_dSrreasonselfrBrrr__init__szInvalidTokenFormat.__init__N__name__ __module__ __qualname__rErrrrr@sr@cCs.t|ttfvrttt|r*ttdS)z Raise an InvalidTokenFormat error if the token has an invalid length or characters that aren't allowed. The token argument can be a CSRF cookie secret or non-cookie CSRF token, and either masked or unmasked. N)r)CSRF_TOKEN_LENGTHrr@REASON_INCORRECT_LENGTHinvalid_token_chars_researchREASON_INVALID_CHARACTERS)r3rrr_check_token_formats rOcCs.t|tkrt|}t|tks$Jt||S)a Return whether the given CSRF token matches the given CSRF secret, after unmasking the token if necessary. This function assumes that the request_csrf_token argument has been validated to have the correct length (CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH characters) and allowed characters, and that if it has length CSRF_TOKEN_LENGTH, it is a masked secret. )r)rJr4rr )request_csrf_tokenr<rrr_does_token_matchs rQc@seZdZddZdS) RejectRequestcCs ||_dSrrArCrrrrEszRejectRequest.__init__NrFrrrrrRsrRc@seZdZdZeddZeddZeddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZdS)CsrfViewMiddlewarez Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie. This middleware should be used in conjunction with the {% csrf_token %} template tag. cCsddtjDS)NcSsg|]}t|jdqS*)rnetloclstripr"originrrr szACsrfViewMiddleware.csrf_trusted_origins_hosts..rCSRF_TRUSTED_ORIGINSrDrrrcsrf_trusted_origins_hostssz-CsrfViewMiddleware.csrf_trusted_origins_hostscCsddtjDS)NcSsh|]}d|vr|qSrTrrXrrr r'z;CsrfViewMiddleware.allowed_origins_exact..r[r]rrrallowed_origins_exactsz(CsrfViewMiddleware.allowed_origins_exactcCs:tt}ddtjDD]}||j|jdq|S)z A mapping of allowed schemes to list of allowed netlocs, where all subdomains of the netloc are allowed. css|]}d|vrt|VqdS)rUNrrXrrrr&sz?CsrfViewMiddleware.allowed_origin_subdomains..rU)rlistrr\schemeappendrVrW)rDallowed_origin_subdomainsparsedrrrrds  z,CsrfViewMiddleware.allowed_origin_subdomainscCs d|_dS)NT)csrf_processing_done)rDr;rrr_acceptszCsrfViewMiddleware._acceptcCs(t||d}td||j||td|S)NrAzForbidden (%s): %s)responser;logger)rrpathri)rDr;rBrhrrr_rejectszCsrfViewMiddleware._rejectcCstjr4z|jt}Wqdty0tdYqd0n0z|jtj}Wnt yZd}Yn 0t ||durpdSt |t krt |}|S)a Return the CSRF secret originally associated with the request, or None if it didn't have one. If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if the request's secret has invalid characters or an invalid length. zCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.N)rCSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorrCOOKIESCSRF_COOKIE_NAMEKeyErrorrOr)rJr4rDr;r<rrr _get_secrets"     zCsrfViewMiddleware._get_secretc Csjtjr.|jt|jdkrf|jd|jt<n8|jtj|jdtjtj tj tj tj tj dt|ddS)Nr5)max_agedomainrjsecurehttponlysamesite)Cookie)rrlrmrnror7 set_cookierrCSRF_COOKIE_AGECSRF_COOKIE_DOMAINCSRF_COOKIE_PATHCSRF_COOKIE_SECURECSRF_COOKIE_HTTPONLYCSRF_COOKIE_SAMESITEr rDr;rhrrr_set_csrf_cookies z#CsrfViewMiddleware._set_csrf_cookiecs|jd}z |}Wnty(Yn&0d|r8dnd|f}||krNdS||jvr\dSz t|}Wnty|YdS0|j}|jt fdd|j |d DS) N HTTP_ORIGINz%s://%shttpshttpTFc3s|]}t|VqdSrrr"hostZrequest_netlocrrr&)sz6CsrfViewMiddleware._origin_verified..r) r7get_hostr is_securer`r ValueErrorrbrVanyrdrn)rDr;Zrequest_originZ good_hostZ good_originZ parsed_originZrequest_schemerrr_origin_verifieds,        z#CsrfViewMiddleware._origin_verifiedcs|jddurttz tWntyBttYn0djjfvr\ttjdkrntt t fdd|j DrdSt j rt jnt j}|durz |}WqtyttYq0n|}|dvrd||f}tj|sttdS)NZ HTTP_REFERERr(rc3s|]}tj|VqdSr)rrVrZrefererrrr&@sz4CsrfViewMiddleware._check_referer..)44380z%s:%s)r7rnrRREASON_NO_REFERERrrREASON_MALFORMED_REFERERrbrVREASON_INSECURE_REFERERrr^rrlSESSION_COOKIE_DOMAINr~rrREASON_BAD_REFERERgeturlget_portr)rDr;Z good_referer server_portrrr_check_referer.s:        z!CsrfViewMiddleware._check_referercCs0|dkrt|}d|d}d|d|dS)NPOSTzthe z HTTP headerzCSRF token from  .)rparse_header_name)rDrB token_source header_namerrr_bad_token_message[s  z%CsrfViewMiddleware._bad_token_messagec Cs8z||}Wn6tyD}ztd|jdWYd}~n d}~00|durVttd}|jdkrz|jdd}WntyYn0|dkrz|j t j }Wnt ytt Yn0t j }nd}z t|Wn<ty}z"||j|}t|WYd}~n d}~00t||s4|d|}t|dS)Nz CSRF cookie rr(rZcsrfmiddlewaretokenZ incorrect)rur@rRrBREASON_NO_CSRF_COOKIEmethodrrnr r7rCSRF_HEADER_NAMErsREASON_CSRF_TOKEN_MISSINGrOrrQ)rDr;r<excrPrrBrrr _check_tokenbs6(      zCsrfViewMiddleware._check_tokencCs@z||}Wnty(t|Yn0|dur<||jd<dS)Nr5)rur@r=r7rtrrrprocess_requests  z"CsrfViewMiddleware.process_requestc Cst|ddrdSt|ddr dS|jdvr4||St|ddrJ||Sd|jvrv||s||t|jdSnJ|rz||Wn2t y}z|||j WYd}~Sd}~00z| |Wn4t y}z|||j WYd}~Sd}~00||S)NrfFZ csrf_exempt)GETHEADOPTIONSZTRACEZ_dont_enforce_csrf_checksr) getattrrrgr7rrkREASON_BAD_ORIGINrrrRrBr)rDr;callbackZ callback_argsZcallback_kwargsrrrr process_views.        $$zCsrfViewMiddleware.process_viewcCs&|jdr"|||d|jd<|S)Nr6F)r7rnrrrrrprocess_responses   z#CsrfViewMiddleware.process_responseN)rGrHrI__doc__rr^r`rdrgrkrurrrrrrrrrrrrrSs$     -4 9rS)?rloggingstring collectionsr urllib.parser django.confrdjango.core.exceptionsrr django.httprr django.urlsr Zdjango.utils.cacher django.utils.cryptor r django.utils.deprecationrdjango.utils.functionalrdjango.utils.httprdjango.utils.logrdjango.utils.regex_helperr getLoggerrirLrrrrrrrrKrNrrJ ascii_lettersdigitsrrorrr2r4r=r>r? Exceptionr@rOrQrRrSrrrrsV