wdf.\ddlZddlZddlZddlZddlmZddlmZmZm Z m Z m Z ddl m Z mZmZddlmZddlmZddlmZddlmZd d lmZmZmZd ZejeZdd Z dd Z! ddZ"GddeZ#Gdde$Z%Gdde%Z&GddeZ'dZ(dS)N)wraps) Blueprint current_appgrequestsession)BadDataSignatureExpiredURLSafeTimedSerializer) BadRequest) safe_str_cmp)ValidationError)CSRF)FlaskWTFDeprecationWarning string_typesurlparse) generate_csrf validate_csrf CSRFProtectct|dtjd}t|ddd}|tvrt |d}|t vr@t jtj d  t |< | t |}np#t$rct jtj d  t |<| t |}YnwxYwtt||tj|S) aGenerate a CSRF token. The token is cached for a request, so multiple calls to this function will generate the same token. During testing, it might be useful to access the signed token in ``g.csrf_token`` and the raw token in ``session['csrf_token']``. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param token_key: Key where token is stored in session for comparision. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. WTF_CSRF_SECRET_KEY%A secret key is required to use CSRF.messageWTF_CSRF_FIELD_NAME csrf_token%A field name is required to use CSRF.wtf-csrf-tokensalt@) _get_configr secret_keyrr rhashlibsha1osurandom hexdigestdumps TypeErrorsetattrget)r$ token_key field_namestokens S/var/www/book.euthymeo.com/html/venv/lib/python3.11/site-packages/flask_wtf/csrf.pyrrs8);+A7J(,7J  ":4D E E E W $ $"),rz"~~">">"H"H"J"JGJ  1GGGJ/00EE 1 1 1"),rz"~~">">"H"H"J"JGJ GGGJ/00EEE 1 :u%%% 5  s B77A*D$#D$ct|dtjd}t|ddd}t|ddd }|std |tvrtd t |d } |||}n5#t$rtdt$rtdwxYwtt||stddS)a Check if the given data is a valid CSRF token. This compares the given signed token to the one stored in the session. :param data: The signed CSRF token to be checked. :param secret_key: Used to securely sign the token. Default is ``WTF_CSRF_SECRET_KEY`` or ``SECRET_KEY``. :param time_limit: Number of seconds that the token is valid. Default is ``WTF_CSRF_TIME_LIMIT`` or 3600 seconds (60 minutes). :param token_key: Key where token is stored in session for comparision. Default is ``WTF_CSRF_FIELD_NAME`` or ``'csrf_token'``. :raises ValidationError: Contains the reason that validation failed. .. versionchanged:: 0.14 Raises ``ValidationError`` with a specific error message rather than returning ``True`` or ``False``. rrrrrrWTF_CSRF_TIME_LIMITF)requiredzThe CSRF token is missing.z"The CSRF session token is missing.rr )max_agezThe CSRF token has expired.zThe CSRF token is invalid.zThe CSRF tokens do not match.N) r#rr$rrr loadsr r r )datar$ time_limitr.r/r0r1s r2rr;sF&);+A7J(,7J)4%J <:;;;  BCCCz0@AAAA<j11 ===;<<< <<<:;;;<  +U 3 3?=>>>??s ?B2C TCSRF is not configured.cp| tj||}|r|t||S)aFind config value based on provided value, Flask config, and default value. :param value: already provided config value :param config_name: Flask ``config`` key :param default: default value if not provided or configured :param required: whether the value must not be ``None`` :param message: error message if required config is not found :raises KeyError: if required config is not found )rconfigr- RuntimeError)value config_namedefaultr6rs r2r#r#ms@ }"&&{G<<$EM7### Lc*eZdZfdZdZdZxZS)_FlaskFormCSRFcl|j|_tt||SN)metasuperrD setup_form)selfform __class__s r2rIz_FlaskFormCSRF.setup_forms*I ^T**55d;;;rBcLt|jj|jjS)N)r$r.)rrG csrf_secretcsrf_field_name)rJcsrf_token_fields r2generate_csrf_tokenz"_FlaskFormCSRF.generate_csrf_tokens)y,i/    rBctjddrdS t|j|jj|jj|jjdS#t$r+}t |j dd}~wwxYw)N csrf_validFr) rr-rr9rGrNcsrf_time_limitrOrloggerinfoargs)rJrKfieldes r2validate_csrf_tokenz"_FlaskFormCSRF.validate_csrf_tokens 5u % %  F    % ) )           KKq " " "  s5A B&BB)__name__ __module__ __qualname__rIrQrZ __classcell__rLs@r2rDrDsV<<<<<   rBrDc>eZdZdZd dZdZdZdZdZdZ d Z dS) ra[Enable CSRF protection globally for a Flask app. :: app = Flask(__name__) csrf = CSRFProtect(app) Checks the ``csrf_token`` field sent with forms, or the ``X-CSRFToken`` header sent with JavaScript requests. Render the token in templates using ``{{ csrf_token() }}``. See the :ref:`csrf` documentation. Nct|_t|_|r||dSdSrF)set _exempt_views_exempt_blueprintsinit_app)rJapps r2__init__zCSRFProtect.__init__sD UU"%%%   MM#       rBcDjd<jddjddtjdgdjd<jddjd d d gjd d jddt jjd<dj fd}dS)NcsrfWTF_CSRF_ENABLEDTWTF_CSRF_CHECK_DEFAULTWTF_CSRF_METHODS)POSTPUTPATCHDELETErrWTF_CSRF_HEADERSz X-CSRFTokenz X-CSRF-Tokenr4r5WTF_CSRF_SSL_STRICTcdtiS)Nr)rrBr2z&CSRFProtect.init_app..s |]&CrBcjdsdSjdsdStjjdvrdStjsdStjjvrdSjtj}d|j |j }|j vrdS dS)Nrjrkrlz{0}.{1}) r=rmethodendpoint blueprintrdview_functionsr-formatr\r[rcprotect)viewdestrfrJs r2 csrf_protectz*CSRFProtect.init_app..csrf_protects:01 :67 ~SZ0B%CCC#  D$;;;%))'*:;;D##DOT]CCDt))) LLNNNNNrB) extensionsr= setdefaultrbr-r jinja_envglobalscontext_processorbefore_request)rJrfrs`` r2rezCSRFProtect.init_appsG!%v 0$777 6===),SZ^^  B B B. . * *  %& 3\BBB   ?    3T::: 3T:::.; l+ CCDDD           rBc\tjd}tj|}|r|StjD]/}||rtj|}|r|cS0tjdD]'}tj|}|r|cS(dS)Nrrq)rr=rrKr-endswithheaders)rJr/ base_tokenkeyr header_names r2_get_csrf_tokenzCSRFProtect._get_csrf_tokens '(=> \%%j11   < & &C||J'' &$\#. &%%%%'-.@A " "K ,,[99J "!!!! "trBcvtjtjdvrdS t |n\#t $rO}t|j d| |j dYd}~nd}~wwxYwtj rtjdrotj s| dd tj}ttj |s| ddt _dS)NrlrrrzThe referrer header is missing.z https://{0}/z%The referrer does not match the host.T)rrwrr=rrrrUrVrW_error_response is_securereferrerr{host same_originrrS)rJrY good_referrers r2r|zCSRFProtect.protects* >!34F!G G G F , $..00 1 1 1 1 , , , KKq " " "   + + + + + + + + ,   N!34I!J N# H$$%FGGG*11',??Mw/?? N$$%LMMM s!A BABBct|tr!|j|j|St|t r|}n!d|j|jf}|j ||S)aMark a view or blueprint to be excluded from CSRF protection. :: @app.route('/some-view', methods=['POST']) @csrf.exempt def some_view(): ... :: bp = Blueprint(...) csrf.exempt(bp) .) isinstancerrdaddnamerjoinr\r[rc)rJr} view_locations r2exemptzCSRFProtect.exempts" dI & &   # ' ' 2 2 2K dL ) ) G MMHHdot}%EFFM }--- rBc t|rF) CSRFError)rJreasons r2rzCSRFProtect._error_response-srBctjtddtfd}||_S)aRegister a function that will generate the response for CSRF errors. .. deprecated:: 0.14 Use the standard Flask error system with ``@app.errorhandler(CSRFError)`` instead. This will be removed in version 1.0. The function will be passed one argument, ``reason``. By default it will raise a :class:`~flask_wtf.csrf.CSRFError`. :: @csrf.error_handler def csrf_error(reason): return render_template('error.html', reason=reason) Due to historical reasons, the function may either return a response or raise an exception with :func:`flask.abort`. z"@csrf.error_handler" is deprecated. Use the standard Flask error system with "@app.errorhandler(CSRFError)" instead. This will be removed in 1.0. stacklevelc^tj|}t|)N)response)r make_responser)rrr}s r2handlerz*CSRFProtect.error_handler..handlerIs,"0f>>HX... .rB)warningswarnrrr)rJr}rs ` r2 error_handlerzCSRFProtect.error_handler0so&  0 &        t / / / /  / ' rBrF) r[r\r]__doc__rgrerr|rrrrtrBr2rrs  )))V2*:   rBrc$eZdZdZdfd ZxZS) CsrfProtectzW .. deprecated:: 0.14 Renamed to :class:`~flask_wtf.csrf.CSRFProtect`. Nctjtddtt||dS)NzU"flask_wtf.CsrfProtect" has been renamed to "CSRFProtect" and will be removed in 1.0.rr)rf)rrrrHrrg)rJrfrLs r2rgzCsrfProtect.__init__Xs\ 0 *       k4  ))c)22222rBrF)r[r\r]rrgr^r_s@r2rrRsG 3333333333rBrceZdZdZdZdS)rzRaise if the client sends invalid CSRF data with the request. Generates a 400 Bad Request response with the failure reason by default. Customize the response by registering a handler with :meth:`flask.Flask.errorhandler`. zCSRF validation failed.N)r[r\r]r descriptionrtrBr2rr`s,KKKrBrct|}t|}|j|jko|j|jko|j|jkSrF)rschemehostnameport) current_uri compare_uricurrentcompares r2rrksS{##G{##G '.( )   0 0 ) LGL (rB)NN)NNN)NTr;))r%loggingr'r functoolsrflaskrrrrr itsdangerousr r r werkzeug.exceptionsr werkzeug.securityr wtformsrwtforms.csrf.corer_compatrrr__all__ getLoggerr[rUrrr#rDobjectrrrrrtrBr2rs ==============JJJJJJJJJJ************######""""""GGGGGGGGGG ;  8 $ $$$$$N/?/?/?/?f!%40T8nnnnn&nnnb 3 3 3 3 3+ 3 3 3,,,,, ,,,rB