Verifies that the ``_xsrf`` cookie matches the ``_xsrf`` argument. To prevent cross-site request forgery, we set an ``_xsrf`` cookie and include the same value as a non-cookie field with all ``POST`` requests. If the two do not match, we reject the form submission as a potential forgery.
| 1655 | return None, None, None |
| 1656 | |
def check_xsrf_cookie(self) -> None:
    """Reject the request unless the submitted ``_xsrf`` token matches the cookie.

    To prevent cross-site request forgery an ``_xsrf`` cookie is set and the
    same value must be echoed back in a non-cookie field of every ``POST``.
    The submitted value is looked up, in order, as a request argument named
    ``_xsrf``, then as an ``X-XSRFToken`` header, then as an ``X-CSRFToken``
    header (the last is accepted for compatibility with Django); the first
    non-empty value wins.

    Both the submitted value and the cookie value are run through
    ``_decode_xsrf_token`` / ``_get_raw_xsrf_token`` and only the raw token
    part of each result is compared, so cookie versions 1 and 2 are
    interchangeable.  The version and timestamp produced by the decoder are
    discarded here: this check enforces equality only, not token age.

    Raises:
        HTTPError: with status 403 when no token was submitted, when the
            submitted token cannot be decoded, or when it does not equal the
            cookie token.  Each case carries a distinct message.

    See http://en.wikipedia.org/wiki/Cross-site_request_forgery

    .. versionchanged:: 3.2.2
       Added support for cookie version 2. Both versions 1 and 2 are
       supported.
    """
    # Prior to release 1.1.1 this check was skipped when the request carried
    # ``X-Requested-With: XMLHTTPRequest``.  That exemption has been shown to
    # be insecure and was removed; see
    # http://www.djangoproject.com/weblog/2011/feb/08/security/
    # http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails

    # Candidate sources in priority order.  They are evaluated lazily so the
    # header lookups only run when the argument is absent, exactly like an
    # ``a or b or c`` chain.
    sources = (
        lambda: self.get_argument("_xsrf", None),
        lambda: self.request.headers.get("X-Xsrftoken"),
        lambda: self.request.headers.get("X-Csrftoken"),
    )
    # NOTE(review): get_argument presumably accepts query-string arguments as
    # well as body arguments, so the token may be supplied in the URL -- confirm
    # before assuming it never reaches access logs or Referer headers.
    input_token = None
    for fetch in sources:
        input_token = fetch()
        if input_token:
            break
    if not input_token:
        raise HTTPError(403, "'_xsrf' argument missing from POST")

    # Each helper returns a (version, token, timestamp) triple; only the raw
    # token is used, version and timestamp are deliberately ignored.
    _version, submitted, _issued = self._decode_xsrf_token(input_token)
    # The cookie side is fetched before the format check below, so that lookup
    # (and any cookie generation it may perform -- confirm in
    # _get_raw_xsrf_token) happens even for malformed input.
    _version, expected, _issued = self._get_raw_xsrf_token()
    if not submitted:
        raise HTTPError(403, "'_xsrf' argument has invalid format")
    # compare_digest takes time independent of where the first differing byte
    # is, so a mismatch leaks nothing about the expected token.
    if not hmac.compare_digest(utf8(submitted), utf8(expected)):
        raise HTTPError(403, "XSRF cookie does not match POST argument")
| 1694 | |
| 1695 | def xsrf_form_html(self) -> str: |
| 1696 | """An HTML ``<input/>`` element to be included with all POST forms. |