def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
python类is_secure()的实例源码
def protect(self):
if request.method not in current_app.config['WTF_CSRF_METHODS']:
return
try:
validate_csrf(self._get_csrf_token())
except ValidationError as e:
logger.info(e.args[0])
self._error_response(e.args[0])
if request.is_secure and current_app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
self._error_response('The referrer header is missing.')
good_referrer = 'https://{0}/'.format(request.host)
if not same_origin(request.referrer, good_referrer):
self._error_response('The referrer does not match the host.')
g.csrf_valid = True # mark this request as CSRF valid
def protect(self):
if request.method not in current_app.config['WTF_CSRF_METHODS']:
return
try:
validate_csrf(self._get_csrf_token())
except ValidationError as e:
logger.info(e.args[0])
self._error_response(e.args[0])
if request.is_secure and current_app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
self._error_response('The referrer header is missing.')
good_referrer = 'https://{0}/'.format(request.host)
if not same_origin(request.referrer, good_referrer):
self._error_response('The referrer does not match the host.')
g.csrf_valid = True # mark this request as CSRF valid
def redirect_to_ssl(self):
"""Redirect incoming requests to HTTPS."""
# Should we redirect?
criteria = [
request.is_secure,
current_app.debug,
request.headers.get('X-Forwarded-Proto', 'http') == 'https'
]
if not any(criteria) and not self.skip:
if request.url.startswith('http://'):
url = request.url.replace('http://', 'https://', 1)
code = 302
if self.permanent:
code = 301
r = redirect(url, code=code)
return r
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def protect(self):
if request.method not in current_app.config['WTF_CSRF_METHODS']:
return
try:
validate_csrf(self._get_csrf_token())
except ValidationError as e:
logger.info(e.args[0])
self._error_response(e.args[0])
if request.is_secure and current_app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
self._error_response('The referrer header is missing.')
good_referrer = 'https://{0}/'.format(request.host)
if not same_origin(request.referrer, good_referrer):
self._error_response('The referrer does not match the host.')
g.csrf_valid = True # mark this request as CSRF valid
def protect(self):
if request.method not in current_app.config['WTF_CSRF_METHODS']:
return
try:
validate_csrf(self._get_csrf_token())
except ValidationError as e:
logger.info(e.args[0])
self._error_response(e.args[0])
if request.is_secure and current_app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
self._error_response('The referrer header is missing.')
good_referrer = 'https://{0}/'.format(request.host)
if not same_origin(request.referrer, good_referrer):
self._error_response('The referrer does not match the host.')
g.csrf_valid = True # mark this request as CSRF valid
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def redirect_to_ssl(self):
"""
Redirect incoming requests to HTTPS.
"""
criteria = [
request.is_secure,
current_app.debug,
current_app.testing,
request.headers.get('X-Forwarded-Proto', 'http') == 'https'
]
if request.headers.get('User-Agent', '').lower().startswith(self.exclude_user_agents):
return
if not any(criteria):
if request.url.startswith('http://'):
url = request.url.replace('http://', 'https://', 1)
r = redirect(url, code=301)
return r
def protect(self):
if request.method not in current_app.config['WTF_CSRF_METHODS']:
return
try:
validate_csrf(self._get_csrf_token())
except ValidationError as e:
logger.info(e.args[0])
self._error_response(e.args[0])
if request.is_secure and current_app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
self._error_response('The referrer header is missing.')
good_referrer = 'https://{0}/'.format(request.host)
if not same_origin(request.referrer, good_referrer):
self._error_response('The referrer does not match the host.')
g.csrf_valid = True # mark this request as CSRF valid
def include_moment(version = '2.3.1'):
if version is not None:
if request.is_secure:
protocol = 'https'
else:
protocol = 'http'
js = '<script src="%s://cdnjs.cloudflare.com/ajax/libs/moment.js/%s/moment-with-langs.min.js"></script>\n' % (protocol, version)
return Markup('''%s<script>
function flask_moment_render(elem) {
$(elem).text(eval('moment("' + $(elem).data('timestamp') + '").' + $(elem).data('format') + ';'));
$(elem).removeClass('flask-moment');
}
function flask_moment_render_all() {
$('.flask-moment').each(function() {
flask_moment_render(this);
if ($(this).data('refresh')) {
(function(elem, interval) { setInterval(function() { flask_moment_render(elem) }, interval); })(this, $(this).data('refresh'));
}
})
}
$(document).ready(function() {
flask_moment_render_all();
});
</script>''' % js)
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def protect(self):
if request.method not in current_app.config['WTF_CSRF_METHODS']:
return
try:
validate_csrf(self._get_csrf_token())
except ValidationError as e:
logger.info(e.args[0])
self._error_response(e.args[0])
if request.is_secure and current_app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
self._error_response('The referrer header is missing.')
good_referrer = 'https://{0}/'.format(request.host)
if not same_origin(request.referrer, good_referrer):
self._error_response('The referrer does not match the host.')
g.csrf_valid = True # mark this request as CSRF valid
def index():
nonce = ''.join(random.sample(
string.lowercase+string.digits, 16
))
r = Response(render_template("otm.jinja",
nonce=nonce
))
r.headers['Content-Security-Policy'] = ';'.join((
"default-src 'none'",
"style-src 'nonce-%s'" % nonce,
"script-src 'nonce-%s'" % nonce,
"connect-src %s://%s/ws" % (
"wss" if request.is_secure else "ws",
request.host,
),
))
r.headers['X-Frame-Options'] = 'DENY'
return r
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def protect(self):
if request.method not in current_app.config['WTF_CSRF_METHODS']:
return
try:
validate_csrf(self._get_csrf_token())
except ValidationError as e:
logger.info(e.args[0])
self._error_response(e.args[0])
if request.is_secure and current_app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
self._error_response('The referrer header is missing.')
good_referrer = 'https://{0}/'.format(request.host)
if not same_origin(request.referrer, good_referrer):
self._error_response('The referrer does not match the host.')
g.csrf_valid = True # mark this request as CSRF valid
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def init_app(self, app):
delivery_method = app.config.get("ASSETS_DELIVERY_METHOD")
if delivery_method and delivery_method.upper() in ["S3", "CDN"]:
#with app.app_context():
is_secure = False #request.is_secure
if delivery_method.upper() == "CDN":
domain = app.config.get("ASSETS_DELIVERY_DOMAIN")
if "://" in domain:
domain_parsed = utils.urlparse(domain)
is_secure = domain_parsed.scheme == "https"
domain = domain_parsed.netloc
app.config.setdefault("S3_CDN_DOMAIN", domain)
app.config["FLASK_ASSETS_USE_S3"] = True
app.config["FLASKS3_ACTIVE"] = True
app.config["FLASKS3_URL_STYLE"] = "path"
app.config.setdefault("FLASKS3_USE_HTTPS", is_secure)
app.config.setdefault("FLASKS3_ONLY_MODIFIED", True)
app.config.setdefault("FLASKS3_GZIP", True)
app.config.setdefault("FLASKS3_BUCKET_NAME", app.config.get("AWS_S3_BUCKET_NAME"))
super(self.__class__, self).init_app(app)
def protect(self):
if request.method not in self._app.config['WTF_CSRF_METHODS']:
return
if not validate_csrf(self._get_csrf_token()):
reason = 'CSRF token missing or incorrect.'
return self._error_response(reason)
if request.is_secure and self._app.config['WTF_CSRF_SSL_STRICT']:
if not request.referrer:
reason = 'Referrer checking failed - no Referrer.'
return self._error_response(reason)
good_referrer = 'https://%s/' % request.host
if not same_origin(request.referrer, good_referrer):
reason = 'Referrer checking failed - origin does not match.'
return self._error_response(reason)
request.csrf_valid = True # mark this request is csrf valid
def gravatar(self, size=100, default='identicon', rating='g'):
if request.is_secure:
url = 'https://secure.gravatar.com/avatar'
else:
url = 'http://www.gravatar.com/avatar'
hash = self.avatar_hash or hashlib.md5(
self.email.encode('utf-8')).hexdigest()
return '{url}/{hash}?s={size}&d={default}&r={rating}'.format(
url=url, hash=hash, size=size, default=default, rating=rating)
def gravatar(self, size=100, default='identicon', rating='g'):
if request.is_secure:
url = 'https://secure.gravatar.com/avatar'
else:
url = 'http://www.gravatar.com/avatar'
hash = self.avatar_hash or hashlib.md5(
self.email.encode('utf-8')).hexdigest()
return '{url}/{hash}?s={size}&d={default}&r={rating}'.format(
url=url, hash=hash, size=size, default=default, rating=rating)
def include_pagedown(self):
if request.is_secure:
protocol = 'https'
else:
protocol = 'http'
return Markup('''
<script type="text/javascript" src="{0}://cdnjs.cloudflare.com/ajax/libs/pagedown/1.0/Markdown.Converter.min.js"></script>
<script type="text/javascript" src="{0}://cdnjs.cloudflare.com/ajax/libs/pagedown/1.0/Markdown.Sanitizer.min.js"></script>
'''.format(protocol))
def set_hsts_header(self, response):
"""Adds HSTS header to each response."""
# Should we add STS header?
if request.is_secure and not self.skip:
response.headers.setdefault('Strict-Transport-Security', self.hsts_header)
return response
def include_jquery(version = '1.10.1'):
if request.is_secure:
protocol = 'https'
else:
protocol = 'http'
return Markup('<script src="%s://code.jquery.com/jquery-%s.min.js"></script>' % (protocol, version))
def test_is_testing(self):
self.assertTrue(current_app.config['TESTING'])
self.assertFalse(current_app.config['SSL_DISABLE'])
self.assertFalse(request.is_secure)
def test_user_gravatar(self):
user_role = Role.query.filter_by(name='User').first()
user = User(email=forgery_py.internet.email_address(),
username=forgery_py.internet.user_name(),
password='old_password',
avatar_hash=None,
role=user_role,
confirmed=True)
db.session.add(user)
db.session.commit()
https_url = 'https://secure.gravatar.com/avatar'
http_url = 'http://www.gravatar.com/avatar'
size = 150
default = 'identicon'
rating = 'g'
hash = hashlib.md5(user.email.encode('utf-8')).hexdigest()
http_gravatar = user.gravatar(size=size, default=default, rating=rating)
self.assertEqual(http_gravatar,
'{url}/{hash}?s={size}&d={default}&r={rating}'.
format(url=http_url, hash=hash, size=size, default=default,
rating=rating))
self.assertNotEqual(http_gravatar,
'{url}/{hash}?s={size}&d={default}&r={rating}'.
format(url=https_url, hash=hash, size=size, default=default,
rating=rating))
# 'PilosusBot.models.request' cannot be patched like this:
# with patch('PilosusBot.models.request.is_secure', new_callable=PropertyMock) as mock_sec:
# mock_sec.return_value = True
# request.is_secure # returns True now
#
# so there's no way to test HTTPS gravatar url other than
# having fun with HTTP headers probably (?)
def gravatar(self, size=100, default='identicon', rating='g'):
if request.is_secure:
url = 'https://secure.gravatar.com/avatar'
else:
url = 'http://www.gravatar.com/avatar'
hash = self.avatar_hash or hashlib.md5(
self.email.encode('utf-8')).hexdigest()
return '{url}/{hash}?s={size}&d={default}&r={rating}'.format(
url=url, hash=hash, size=size, default=default, rating=rating)
