Evg!LdZddlZddlZddlmZddlmZddlmZddl m Z m Z ddl m Z mZddlmZdd lmZdd lmZmZdd lmZdd lmZdd lmZddlmZddlmZej dZ!edZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,de,zZ-ej.ej/zZ0dZ1dZ2dZ3d Z4d!Z5d"Z6d#Z7d$Z8Gd%d&e9Z:d'Z;d(Z<Gd)d*e9Z=Gd+d,eZ>dS)-z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. N) defaultdicturlparse)settings)DisallowedHostImproperlyConfigured) HttpHeadersUnreadablePostError) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)cached_propertyis_same_domain) log_response)_lazy_re_compilezdjango.security.csrfz [^a-zA-Z0-9]z?Origin checking failed - %s does not match any trusted origins.z%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.zCSRF token missing.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.zhas incorrect lengthzhas invalid characters  _csrftokenc4ttjS)z/Return the view to be used for CSRF rejections.)r rCSRF_FAILURE_VIEWS/var/www/pixelcanvas.ch/venv/lib/python3.11/site-packages/django/middleware/csrf.py_get_failure_viewr2s 2 3 33rc8tttS)N) allowed_chars)rCSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrr_get_new_csrf_stringr"7s /?Q R R RRrct}ttfd|Dfd|D}dfd|D}||zS)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret. c3BK|]}|VdSNindex.0xcharss r z&_mask_cipher_secret..Bs-00AQ000000rc3BK|]}|VdSr%r&r(s rr,z&_mask_cipher_secret..Bs-2P2Pa5;;q>>2P2P2P2P2P2Prc3TK|]"\}}||ztzV#dSr%)lenr)r*yr+s rr,z&_mask_cipher_secret..Cs;CCTQUAESZZ/0CCCCCCr)r"r!zipjoin)secretmaskpairscipherr+s @r_mask_cipher_secretr9;s~ ! !D E 00000002P2P2P2P42P2P2P Q QE WWCCCCUCCC C CF &=rc|dt}|td}ttfd|Dfd|D}dfd|DS)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret. Nc3BK|]}|VdSr%r&r(s rr,z'_unmask_cipher_token..Ps-//AQ//////rc3BK|]}|VdSr%r&r(s rr,z'_unmask_cipher_token..Ps-1O1OQ%++a..1O1O1O1O1O1Orr.c34K|]\}}||z VdSr%rr1s rr,z'_unmask_cipher_token..Qs/22DAq5Q<222222r)r r!r3r4)tokenr6r7r+s @r_unmask_cipher_tokenr?Gs $$$ %D $%% &E E ///////1O1O1O1O$1O1O1O P PE 772222E222 2 22rc\t}|j|dd|S)zDGenerate a new random CSRF_COOKIE value, and add it to request.META.T) CSRF_COOKIECSRF_COOKIE_NEEDS_UPDATE)r"METAupdaterequest csrf_secrets r_add_new_csrf_cookierHTs?&((K L&(,   rcd|jvr|jd}d|jd<nt|}t|S)a Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor. rATrB)rCrHr9rEs r get_tokenrJ`sJ $$l=1 48 /00*733 { + ++rc$t|dS)zi Change the CSRF token in use for a request - should be done on login for security purposes. N)rH)rFs r rotate_tokenrLus !!!!!rceZdZdZdS)InvalidTokenFormatc||_dSr%reasonselfrQs r__init__zInvalidTokenFormat.__init__~  rN__name__ __module__ __qualname__rTrrrrNrN}#rrNct|ttfvrttt |rttdS)z Raise an InvalidTokenFormat error if the token has an invalid length or characters that aren't allowed. The token argument can be a CSRF cookie secret or non-cookie CSRF token, and either masked or unmasked. N)r0CSRF_TOKEN_LENGTHr rNREASON_INCORRECT_LENGTHinvalid_token_chars_researchREASON_INVALID_CHARACTERS)r>s r_check_token_formatrasZ  5zz+-?@@@ !8999$$U++< !:;;;<zACsrfViewMiddleware.csrf_trusted_origins_hosts..sA    V   # * *3 / /   rrCSRF_TRUSTED_ORIGINSrSs rcsrf_trusted_origins_hostsz-CsrfViewMiddleware.csrf_trusted_origins_hostss&  "7    rc.dtjDS)Nch|]}d|v| Srlrrps r z;CsrfViewMiddleware.allowed_origins_exact..s#XXX6cQWFWFWFWFWFWrrsrus rallowed_origins_exactz(CsrfViewMiddleware.allowed_origins_exactsXXX%BXXXXrctt}dtjDD]:}||j|jd;|S)z A mapping of allowed schemes to list of allowed netlocs, where all subdomains of the netloc are allowed. c3<K|]}d|vt|VdS)rmNrrps rr,z?CsrfViewMiddleware.allowed_origin_subdomains..s<  f}} V  }}}  rrm)rlistrrtschemeappendrnro)rSallowed_origin_subdomainsparseds rrz,CsrfViewMiddleware.allowed_origin_subdomainssv %0$5$5!  "7    W WF &fm 4 ; ;FM>>  L     rcdtjr> |jt}nW#t $rt dwxYw |jtj}t|n#t$rd}YnwxYw|dSt|tkrt|}|S)a Return the CSRF secret originally associated with the request, or None if it didn't have one. If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if the request's secret has invalid characters or an invalid length. zCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.N)rCSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorrCOOKIESCSRF_COOKIE_NAMEraKeyErrorr0r\r?rSrFrGs r _get_secretzCsrfViewMiddleware._get_secrets  % 1 %o112BCC !   *%  1%oh.GH $K0000  # # #"  #  4 {  0 0 0.{;;Ks.A A33 BBc tjrL|jt|jdkr|jd|jt<dSdS|tj|jdtjtj tj tj tj tj t|ddS)NrA)max_agedomainrsecurehttponlysamesite)Cookie)rrrrrrC set_cookierCSRF_COOKIE_AGECSRF_COOKIE_DOMAINCSRF_COOKIE_PATHCSRF_COOKIE_SECURECSRF_COOKIE_HTTPONLYCSRF_COOKIE_SAMESITEr rSrFrs r_set_csrf_cookiez#CsrfViewMiddleware._set_csrf_cookies  % 6""#344 ]8SSS4;L4O 0111TS   ) ]+ 02.2!6!6    x 5 5 5 5 5rc|jd} |}|rdndd|}||krdSn#t$rYnwxYw||jvrdS t |}n#t $rYdSwxYw|j}|jtfd|j |dDS) N HTTP_ORIGINhttpshttpz://TFc38K|]}t|VdSr%r)r)hostrequest_netlocs rr,z6CsrfViewMiddleware._origin_verified..$sA   >4 0 0      rr) rCget_host is_securerrzr ValueErrorr~rnanyrr)rSrFrequest_origin good_host good_origin parsed_originrequest_schemers @r_origin_verifiedz#CsrfViewMiddleware._origin_verifieds0 m4 ((**I #,,..:F:: K,,t-    D  T7 7 74 $^44MM   55 &-&-    6::>2NN      s#A AA&A66 BBc8|jdtt t n"#t $rtt wxYwdjjfvrtt jdkrtttfd|j DrdStj r tjn tj}|M |}nV#t"$r*tt$zwxYw|}|dvr|d|}t+j|s)tt$zdS)N HTTP_REFERERr.rc3BK|]}tj|VdSr%)rrn)r)rreferers rr,z4CsrfViewMiddleware._check_referer..;sC   7>4 0 0      r)44380:)rCrrfREASON_NO_REFERERrrREASON_MALFORMED_REFERERr~rnREASON_INSECURE_REFERERrrvrrSESSION_COOKIE_DOMAINrrrREASON_BAD_REFERERgeturlget_portr)rSrF good_referer server_portrs @r_check_refererz!CsrfViewMiddleware._check_referer)s,"">22 ? 122 2 :w''GG : : : 899 9 : '.'.1 1 1 899 9 >W $ $ 788 8     7       F) -H * *,    K&//11 ! K K K#$69I9I$IJJJ K"**,,K-//*6,, D gnl;; G 2W^^5E5E EFF F G GsAA"1D4D:cT|dkrtj|}d|d}d|d|dS)NPOSTzthe z HTTP headerzCSRF token from  .)r parse_header_name)rSrQ token_source header_names r_bad_token_messagez%CsrfViewMiddleware._bad_token_messageVsF 6 ! !%7 EEK=+===L:,::::::rc ||}n*#t$r}td|jdd}~wwxYw|ttd}|jdkr- |jdd}n#t$rYnwxYw|dkrH |j tj }n"#t$rttwxYwtj }nd} t|n<#t$r/}||j|}t|d}~wwxYwt!||s%|d|}t|dS)Nz CSRF cookie rr.rcsrfmiddlewaretoken incorrect)rrNrfrQREASON_NO_CSRF_COOKIEmethodrrr rCrCSRF_HEADER_NAMErREASON_CSRF_TOKEN_MISSINGrarrd)rSrFrGexcrcrrQs r _check_tokenzCsrfViewMiddleware._check_token]s >**733KK! > > >    566 6  >V # # %,\%5%56KR%P%P""&        # # ? &-\(2K%L"" ? ? ?#$=>>> ?#4LL!L (  2 3 3 3 3! ( ( (,,SZFFF'' ' (!!3[AA (,,[,GGF'' ' ( (sF ?:?&B BBB11C#C33 D,=*D''D,c ||}| ||jd<dSdS#t$rt|YdSwxYw)NrA)rrCrNrHrs rprocess_requestz"CsrfViewMiddleware.process_requestsr :**733K& /: ]+++ '&" * * *  ) ) ) ) ) ) *s'AAct|ddrdSt|ddrdS|jdvr||St|ddr||Sd|jvr?||s)||t |jdzSn]|rI ||n2#t$r%}|||j cYd}~Sd}~wwxYw | |n2#t$r%}|||j cYd}~Sd}~wwxYw||S)NrF csrf_exempt)GETHEADOPTIONSTRACE_dont_enforce_csrf_checksr) getattrrrrCrrREASON_BAD_ORIGINrrrfrQr)rSrFcallback callback_argscallback_kwargsrs r process_viewzCsrfViewMiddleware.process_views 72E : : 4 8]E 2 2 4 >@ @ @<<(( ( 77 ? ? ) <<(( ( GL ( (((11 ||.m1LL     9$ 9##G,,,,  9 9 9||GSZ88888888 9 5   g & & & & 5 5 5<<44 4 4 4 4 4 4 5||G$$$s<C D (DD D D'' E1E EEcz|jdr |||d|jd<|S)NrBF)rCrrrs rprocess_responsez#CsrfViewMiddleware.process_responsesE <  6 7 7 =  ! !'8 4 4 48=GL3 4rN)rWrXrY__doc__rrvrzrrrrrrrrrrrrrrrriris  _ YY_Y ) )_ )    @666$   4+G+G+GZ;;;2(2(2(h : : :7%7%7%r     rri)?rloggingstring collectionsr urllib.parser django.confrdjango.core.exceptionsrr django.httpr r django.urlsr django.utils.cacher django.utils.cryptor rdjango.utils.deprecationrdjango.utils.functionalrdjango.utils.httprdjango.utils.logrdjango.utils.regex_helperr getLoggerrr^rrrrrrrr]r`r r\ ascii_lettersdigitsr!rrr"r9r?rHrJrL ExceptionrNrardrfrirrrrs ######!!!!!! GGGGGGGG88888888$$$$$$111111HHHHHHHH444444333333,,,,,,))))))666666  1 2 2)).99U;W.1LI 14**)FM9444 SSS    3 3 3   ,,,*""" < < <BBB"I ~~~~~~~~~~r