HwgMdZddlZddlZddlmZddlmZddlmZddl m Z m Z ddl m Z mZddlmZdd lmZdd lmZmZdd lmZdd lmZdd lmZddlmZddlmZej@dZ!edZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,de,zZ-ej\ej^zZ0dZ1dZ2dZ3d Z4d!Z5d"Z6d#Z7d$Z8Gd%d&e9Z:d'Z;d(Z<Gd)d*e9Z=Gd+d,eZ>y)-z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. N) defaultdicturlparse)settings)DisallowedHostImproperlyConfigured) HttpHeadersUnreadablePostError) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)cached_propertyis_same_domain) log_response)_lazy_re_compilezdjango.security.csrfz [^a-zA-Z0-9]z?Origin checking failed - %s does not match any trusted origins.z%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.zCSRF token missing.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.zhas incorrect lengthzhas invalid characters  _csrftokenc4ttjS)z/Return the view to be used for CSRF rejections.)r rCSRF_FAILURE_VIEWM/var/www/horilla/myenv/lib/python3.12/site-packages/django/middleware/csrf.py_get_failure_viewr1s 22 33rc,tttS)N) allowed_chars)rCSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrr_get_new_csrf_stringr"6s /?Q RRrct}ttfd|Dfd|D}djfd|D}||zS)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret. c3@K|]}j|ywNindex.0xcharss r z&_mask_cipher_secret..As0AQ0c3@K|]}j|ywr%r&r(s rr,z&_mask_cipher_secret..As2Pa5;;q>2Pr-c3LK|]\}}||ztzywr%)lenr)r*yr+s rr,z&_mask_cipher_secret..Bs'CTQUAESZ/0Cs!$)r"r!zipjoin)secretmaskpairscipherr+s @r_mask_cipher_secretr::sH !D E 002P42P QE WWCUC CF &=rc|dt}|td}ttfd|Dfd|D}djfd|DS)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret. Nc3@K|]}j|ywr%r&r(s rr,z'_unmask_cipher_token..Os/AQ/r-c3@K|]}j|ywr%r&r(s rr,z'_unmask_cipher_token..Os1OQ%++a.1Or-r/c34K|]\}}||z ywr%rr2s rr,z'_unmask_cipher_token..Ps2DAq5Q<2s)r r!r4r5)tokenr7r8r+s @r_unmask_cipher_tokenr@FsS $$ %D $% &E E //1O$1O PE 772E2 22rct}|jjtjr t |n|dd|S)zDGenerate a new random CSRF_COOKIE value, and add it to request.META.T) CSRF_COOKIECSRF_COOKIE_NEEDS_UPDATE)r"METAupdaterCSRF_COOKIE_MASKEDr:request csrf_secrets r_add_new_csrf_cookierJSsD&(K LL ..$K0 (,   rcd|jvr)|jd}d|jd<t|St|}t|S)a Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor. rBTrC)rDrJr:rGs r get_tokenrLesS $ll=1 48 /0 { +++73 { ++rct|y)zi Change the CSRF token in use for a request - should be done on login for security purposes. N)rJ)rHs r rotate_tokenrNzs !rceZdZdZy)InvalidTokenFormatc||_yr%reasonselfrSs r__init__zInvalidTokenFormat.__init__  rN__name__ __module__ __qualname__rVrrrrPrPrrPct|ttfvrttt j |rtty)z Raise an InvalidTokenFormat error if the token has an invalid length or characters that aren't allowed. The token argument can be a CSRF cookie secret or non-cookie CSRF token, and either masked or unmasked. N)r1CSRF_TOKEN_LENGTHr rPREASON_INCORRECT_LENGTHinvalid_token_chars_researchREASON_INVALID_CHARACTERS)r?s r_check_token_formatrcsB  5z+-?@@ !899$$U+ !:;;,rc|t|tk(r t|}t|tk(sJt ||S)a Return whether the given CSRF token matches the given CSRF secret, after unmasking the token if necessary. This function assumes that the request_csrf_token argument has been validated to have the correct length (CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH characters) and allowed characters, and that if it has length CSRF_TOKEN_LENGTH, it is a masked secret. )r1r^r@r r )request_csrf_tokenrIs r_does_token_matchrfsB "3312DE ! "&8 88 8 !3[ AArceZdZdZy) RejectRequestc||_yr%rRrTs rrVzRejectRequest.__init__rWrNrXrrrrhrhr\rrhceZdZdZedZedZedZdZdZ dZ dZ d Z d Z d Zd Zd ZdZdZy)CsrfViewMiddlewarez Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie. This middleware should be used in conjunction with the {% csrf_token %} template tag. ctjDcgc]&}t|jj d(c}Scc}wN*)rCSRF_TRUSTED_ORIGINSrnetloclstriprUorigins rcsrf_trusted_origins_hostsz-CsrfViewMiddleware.csrf_trusted_origins_hostss@#77  V  # # * *3 /   s+AcRtjDchc] }d|vs| c}Scc}wrm)rrorrs rallowed_origins_exactz(CsrfViewMiddleware.allowed_origins_exacts$%-%B%BX6cQWFWXXXs $$ctt}dtjDD]9}||jj |j jd;|S)z A mapping of allowed schemes to list of allowed netlocs, where all subdomains of the netloc are allowed. c3:K|]}d|vr t|yw)rnNr)r)rss rr,z?CsrfViewMiddleware.allowed_origin_subdomains..s$ f} V  srn)rlistrroschemeappendrprq)rUallowed_origin_subdomainsparseds rr|z,CsrfViewMiddleware.allowed_origin_subdomainssa %0$5! "77  WF &fmm 4 ; ;FMM  LL  rcLtjr! |jjt}n) |jtj}t||yt|tk(r t|}|S#t $r t dwxYw#t$rd}YGwxYw)a Return the CSRF secret originally associated with the request, or None if it didn't have one. If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if the request's secret has invalid characters or an invalid length. zCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.N)rCSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorrCOOKIESCSRF_COOKIE_NAMErcKeyErrorr1r^r@rUrHrIs r _get_secretzCsrfViewMiddleware._get_secrets  % % %oo112BC  1%ooh.G.GH $K0   { 0 0.{;K'" *%  #"  #sA=B=B B#"B#c tjrQ|jjt|j dk7r!|j d|jt<yy|j tj|j dtjtjtjtjtjtjt|dy)NrB)max_agedomainrsecurehttponlysamesite)Cookie)rrrrrrD set_cookierCSRF_COOKIE_AGECSRF_COOKIE_DOMAINCSRF_COOKIE_PATHCSRF_COOKIE_SECURECSRF_COOKIE_HTTPONLYCSRF_COOKIE_SAMESITEr rUrHrs r_set_csrf_cookiez#CsrfViewMiddleware._set_csrf_cookies  % %""#34 ]8SS4;LL4O 01T   )) ]+ 0022..22!66!66  x 5rc|jd} |j}|jrdndd|}||k(ry||jvry t |}|j}|jtfd|jj|dDS#t$rYlwxYw#t $rYywxYw) N HTTP_ORIGINhttpshttpz://TFc36K|]}t|ywr%r)r)hostrequest_netlocs rr,z6CsrfViewMiddleware._origin_verified..)s   >4 0 sr) rDget_host is_securerrvr ValueErrorrzrpanyr|r)rUrHrequest_origin good_host good_origin parsed_originrequest_schemers @r_origin_verifiedz#CsrfViewMiddleware._origin_verifieds m4 ((*I #,,.F:K, T77 7 $^4M'--&-- 66::>2N   #     s#B" B1" B.-B.1 B=<B=c|jjdtt t djjfvrtt jdk7rtttfd|jDrytjrtjntj}| |j!}n|j)}|dvr|d|}t+j|s tt$j'zy#t $rtt wxYw#t"$r!tt$j'zwxYw)N HTTP_REFERERr/rc3JK|]}tj|ywr%)rrp)r)rreferers rr,z4CsrfViewMiddleware._check_referer..@s$  7>>4 0 s #)44380:)rDrrhREASON_NO_REFERERrrREASON_MALFORMED_REFERERrzrpREASON_INSECURE_REFERERrrtrrSESSION_COOKIE_DOMAINrrrREASON_BAD_REFERERgeturlget_portr)rUrH good_referer server_portrs @r_check_refererz!CsrfViewMiddleware._check_referer.si,,"">2 ? 12 2 :w'G '..'..1 1 89 9 >>W $ 78 8  77   ))  * *,,    K&//1 "**,K-/*6 D gnnl; 2W^^5E EF F**73K   56 6  >>V # %,\\%5%56KR%P"  # ? &-\\(2K2K%L"$44L!L (  2 3 !!3[A,,[,GF' 'BU" >,szzl! <= = >'      ?#$=>> ?" (,,SZZFF' ' (sLB>C(C7 D> C%C  C%( C43C47D E'EEc |j|}|||jd<yy#t$rt|YywxYw)NrB)rrDrPrJrs rprocess_requestz"CsrfViewMiddleware.process_requestsM :**73K& /: ]+ '" *  ) *s &==ct|ddryt|ddry|jdvr|j|St|ddr|j|Sd|jvr7|j |sH|j |t |jdzS|jr |j| |j||j|S#t$r&}|j ||jcYd}~Sd}~wwxYw#t$r&}|j ||jcYd}~Sd}~wwxYw)NrF csrf_exempt)GETHEADOPTIONSTRACE_dont_enforce_csrf_checksr) getattrrrrDrrREASON_BAD_ORIGINrrrhrSr)rUrHcallback callback_argscallback_kwargsrs r process_viewzCsrfViewMiddleware.process_views2 72E : 8]E 2 >>@ @<<( ( 77 ? <<( ( GLL (((1||.m1LL   $ 9##G, 5   g &||G$$! 9||GSZZ88 9  5<<4 4 5s<0C$D$ D-DDD EE:EEc~|jjdr!|j||d|jd<|S)NrCF)rDrrrs rprocess_responsez#CsrfViewMiddleware.process_responses; <<  6 7  ! !'8 48=GLL3 4rN)rYrZr[__doc__rrtrvr|rrrrrrrrrrrrrrrkrks  YY ) )  @6$ 4+GZ;2(h :7%r rrk)?rloggingstring collectionsr urllib.parser django.confrdjango.core.exceptionsrr django.httpr r django.urlsr django.utils.cacher django.utils.cryptor rdjango.utils.deprecationrdjango.utils.functionalrdjango.utils.httprdjango.utils.logrdjango.utils.regex_helperr getLoggerrr`rrrrrrrr_rbr r^ ascii_lettersdigitsr!rrr"r:r@rJrLrN ExceptionrPrcrfrhrkrrrrs  #! G8$1H43,)6   1 2).9U;W.1LI 14**))FMM94 S  3$,*" <B"I ~~r