MCPcopy
hub / github.com/tornadoweb/tornado / check_xsrf_cookie

Method check_xsrf_cookie

tornado/web.py:1657–1693

Verifies that the ``_xsrf`` cookie matches the ``_xsrf`` argument. To prevent cross-site request forgery, we set an ``_xsrf`` cookie and include the same value as a non-cookie field with all ``POST`` requests. If the two do not match, we reject the form submission as a potential forgery.

check_xsrf_cookie(self) -> None


        return None, None, None

    def check_xsrf_cookie(self) -> None:
        """Verifies that the ``_xsrf`` cookie matches the ``_xsrf`` argument.

        To prevent cross-site request forgery, we set an ``_xsrf``
        cookie and include the same value as a non-cookie
        field with all ``POST`` requests. If the two do not match, we
        reject the form submission as a potential forgery.

        The ``_xsrf`` value may be set as either a form field named ``_xsrf``
        or in a custom HTTP header named ``X-XSRFToken`` or ``X-CSRFToken``
        (the latter is accepted for compatibility with Django).

        See http://en.wikipedia.org/wiki/Cross-site_request_forgery

        .. versionchanged:: 3.2.2
           Added support for cookie version 2. Both versions 1 and 2 are
           supported.
        """
        # Prior to release 1.1.1, this check was ignored if the HTTP header
        # ``X-Requested-With: XMLHTTPRequest`` was present. This exception
        # has been shown to be insecure and has been removed. For more
        # information please see
        # http://www.djangoproject.com/weblog/2011/feb/08/security/
        # http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
        input_token = (
            self.get_argument("_xsrf", None)
            or self.request.headers.get("X-Xsrftoken")
            or self.request.headers.get("X-Csrftoken")
        )
        if not input_token:
            raise HTTPError(403, "'_xsrf' argument missing from POST")
        _, token, _ = self._decode_xsrf_token(input_token)
        _, expected_token, _ = self._get_raw_xsrf_token()
        if not token:
            raise HTTPError(403, "'_xsrf' argument has invalid format")
        if not hmac.compare_digest(utf8(token), utf8(expected_token)):
            raise HTTPError(403, "XSRF cookie does not match POST argument")

    def xsrf_form_html(self) -> str:
        """An HTML ``<input/>`` element to be included with all POST forms.

Callers (1)

_execute (method)

Calls (6)

get_argument (method)
_decode_xsrf_token (method)
_get_raw_xsrf_token (method)
utf8 (function)
HTTPError (class)
get (method of self.request.headers)

Tested by

no test coverage detected