khaloufam70043
/
Django
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
1 Branch
Tree: 55c9032946
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '55c9032946'
${ noResults }
Django/venv/lib/python3.7/site-packages/django/views/csrf.py

csrf.py 6.1KB
Raw Normal View History

PraBlatt3
5 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154 
  1. from django.conf import settings

  2. from django.http import HttpResponseForbidden

  3. from django.template import Context, Engine, TemplateDoesNotExist, loader

  4. from django.utils.translation import gettext as _

  5. from django.utils.version import get_docs_version

  6. 

  7. # We include the template inline since we need to be able to reliably display

  8. # this error message, especially for the sake of developers, and there isn't any

  9. # other way of making it available independent of what is in the settings file.

  10. 

  11. # Only the text appearing with DEBUG=False is translated. Normal translation

  12. # tags cannot be used with this inline templates as makemessages would not be

  13. # able to discover the strings.

  14. 

  15. CSRF_FAILURE_TEMPLATE = """

  16. <!DOCTYPE html>

  17. <html lang="en">

  18. <head>

  19.   <meta http-equiv="content-type" content="text/html; charset=utf-8">

  20.   <meta name="robots" content="NONE,NOARCHIVE">

  21.   <title>403 Forbidden</title>

  22.   <style type="text/css">

  23.     html * { padding:0; margin:0; }

  24.     body * { padding:10px 20px; }

  25.     body * * { padding:0; }

  26.     body { font:small sans-serif; background:#eee; color:#000; }

  27.     body>div { border-bottom:1px solid #ddd; }

  28.     h1 { font-weight:normal; margin-bottom:.4em; }

  29.     h1 span { font-size:60%; color:#666; font-weight:normal; }

  30.     #info { background:#f6f6f6; }

  31.     #info ul { margin: 0.5em 4em; }

  32.     #info p, #summary p { padding-top:10px; }

  33.     #summary { background: #ffc; }

  34.     #explanation { background:#eee; border-bottom: 0px none; }

  35.   </style>

  36. </head>

  37. <body>

  38. <div id="summary">

  39.   <h1>{{ title }} <span>(403)</span></h1>

  40.   <p>{{ main }}</p>

  41. {% if no_referer %}

  42.   <p>{{ no_referer1 }}</p>

  43.   <p>{{ no_referer2 }}</p>

  44.   <p>{{ no_referer3 }}</p>

  45. {% endif %}

  46. {% if no_cookie %}

  47.   <p>{{ no_cookie1 }}</p>

  48.   <p>{{ no_cookie2 }}</p>

  49. {% endif %}

  50. </div>

  51. {% if DEBUG %}

  52. <div id="info">

  53.   <h2>Help</h2>

  54.     {% if reason %}

  55.     <p>Reason given for failure:</p>

  56.     <pre>

  57.     {{ reason }}

  58.     </pre>

  59.     {% endif %}

  60. 

  61.   <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when

  62.   <a

  63.   href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/csrf/">Django's

  64.   CSRF mechanism</a> has not been used correctly.  For POST forms, you need to

  65.   ensure:</p>

  66. 

  67.   <ul>

  68.     <li>Your browser is accepting cookies.</li>

  69. 

  70.     <li>The view function passes a <code>request</code> to the template's <a

  71.     href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a>

  72.     method.</li>

  73. 

  74.     <li>In the template, there is a <code>{% templatetag openblock %} csrf_token

  75.     {% templatetag closeblock %}</code> template tag inside each POST form that

  76.     targets an internal URL.</li>

  77. 

  78.     <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use

  79.     <code>csrf_protect</code> on any views that use the <code>csrf_token</code>

  80.     template tag, as well as those that accept the POST data.</li>

  81. 

  82.     <li>The form has a valid CSRF token. After logging in in another browser

  83.     tab or hitting the back button after a login, you may need to reload the

  84.     page with the form, because the token is rotated after a login.</li>

  85.   </ul>

  86. 

  87.   <p>You're seeing the help section of this page because you have <code>DEBUG =

  88.   True</code> in your Django settings file. Change that to <code>False</code>,

  89.   and only the initial error message will be displayed.  </p>

  90. 

  91.   <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>

  92. </div>

  93. {% else %}

  94. <div id="explanation">

  95.   <p><small>{{ more }}</small></p>

  96. </div>

  97. {% endif %}

  98. </body>

  99. </html>

  100. """

  101. CSRF_FAILURE_TEMPLATE_NAME = "403_csrf.html"

  102. 

  103. 

  104. def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):

  105.     """

  106.     Default view used when request fails CSRF protection

  107.     """

  108.     from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE

  109.     c = {

  110.         'title': _("Forbidden"),

  111.         'main': _("CSRF verification failed. Request aborted."),

  112.         'reason': reason,

  113.         'no_referer': reason == REASON_NO_REFERER,

  114.         'no_referer1': _(

  115.             "You are seeing this message because this HTTPS site requires a "

  116.             "'Referer header' to be sent by your Web browser, but none was "

  117.             "sent. This header is required for security reasons, to ensure "

  118.             "that your browser is not being hijacked by third parties."),

  119.         'no_referer2': _(

  120.             "If you have configured your browser to disable 'Referer' headers, "

  121.             "please re-enable them, at least for this site, or for HTTPS "

  122.             "connections, or for 'same-origin' requests."),

  123.         'no_referer3': _(

  124.             "If you are using the <meta name=\"referrer\" "

  125.             "content=\"no-referrer\"> tag or including the 'Referrer-Policy: "

  126.             "no-referrer' header, please remove them. The CSRF protection "

  127.             "requires the 'Referer' header to do strict referer checking. If "

  128.             "you're concerned about privacy, use alternatives like "

  129.             "<a rel=\"noreferrer\" ...> for links to third-party sites."),

  130.         'no_cookie': reason == REASON_NO_CSRF_COOKIE,

  131.         'no_cookie1': _(

  132.             "You are seeing this message because this site requires a CSRF "

  133.             "cookie when submitting forms. This cookie is required for "

  134.             "security reasons, to ensure that your browser is not being "

  135.             "hijacked by third parties."),

  136.         'no_cookie2': _(

  137.             "If you have configured your browser to disable cookies, please "

  138.             "re-enable them, at least for this site, or for 'same-origin' "

  139.             "requests."),

  140.         'DEBUG': settings.DEBUG,

  141.         'docs_version': get_docs_version(),

  142.         'more': _("More information is available with DEBUG=True."),

  143.     }

  144.     try:

  145.         t = loader.get_template(template_name)

  146.     except TemplateDoesNotExist:

  147.         if template_name == CSRF_FAILURE_TEMPLATE_NAME:

  148.             # If the default template doesn't exist, use the string template.

  149.             t = Engine().from_string(CSRF_FAILURE_TEMPLATE)

  150.             c = Context(c)

  151.         else:

  152.             # Raise if a developer-specified template doesn't exist.

  153.             raise

  154.     return HttpResponseForbidden(t.render(c), content_type='text/html')