^Q\n5@sdZddlmZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddlmZmZdd lmZdd lmZdd lmZdd lmZdd lmZejdZdZdZdZdZ dZ!dZ"dZ#de#Z$ej%ej&Z'dZ(ddZ)ddZ*ddZ+ddZ,d d!Z-d"d#Z.d$d%Z/d&d'Z0d(d)Z1Gd*d+d+eZ2dS),z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. )unicode_literalsN)settings)ImproperlyConfigured) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin) force_text)is_same_domain)zip)urlparsezdjango.security.csrfz%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.z CSRF token missing or incorrect.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure. Z _csrftokencCs ttjS)z9 Returns the view to be used for CSRF rejections )rrZCSRF_FAILURE_VIEWrr9sz&_salt_cipher_secret..c3s-|]#\}}||tVqdS)N)len)rry)rrrr:s)rrr join)secretsaltpairscipherr)rr_salt_cipher_secret2s  5"r$cs|dt}|td}ttfdd|Dfdd|D}djfdd|D}|S)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a salt), use it to decrypt the second half to produce the original secret. Nc3s|]}j|VqdS)N)r)rr)rrrrGsz'_unsalt_cipher_token..rc3s#|]\}}||VqdS)Nr)rrr)rrrrHs)rrr r)tokenr!r"r r)rr_unsalt_cipher_token>s 5"r&cCs ttS)N)r$rrrrr_get_new_csrf_tokenLsr'cCsXd|jkr.t}t||jd.r(POSTZcsrfmiddlewaretoken)zGETzHEADzOPTIONSrV)r[z80)!getattrmethodr:Z is_securer r*rDrAREASON_NO_REFERERr schemer]REASON_MALFORMED_REFERERREASON_INSECURE_REFERERrrBZSESSION_COOKIE_DOMAINrOZget_portget_hostlistZCSRF_TRUSTED_ORIGINSappendanyREASON_BAD_REFERERgeturlREASON_NO_CSRF_COOKIEr`IOErrorZCSRF_HEADER_NAMEr3r6REASON_BAD_TOKEN) r9r+callback callback_argscallback_kwargsZ good_referer server_portZ good_hostsr=r5r4r)r_r process_views\               zCsrfViewMiddleware.process_viewcCsat|dds+t|ddr+|Sn|jjddsD|S|j||d|_|S)Nr.Fcsrf_cookie_setr)T)rar*rDrQru)r9r+rPrrrprocess_response@s z#CsrfViewMiddleware.process_responseN) __name__ __module__ __qualname____doc__r:rArIrQrRrtrvrrrrr7s      nr7)3rz __future__rloggingr0stringZ django.confrZdjango.core.exceptionsrZ django.urlsrZdjango.utils.cacherZdjango.utils.cryptorrZdjango.utils.deprecationr Zdjango.utils.encodingr Zdjango.utils.httpr Zdjango.utils.six.movesr Z#django.utils.six.moves.urllib.parser getLoggerr>rcrkrmrorerfrr2 ascii_lettersdigitsrrErrr$r&r'r,r/r3r6r7rrrrsF