o
    `Zh L                     @   s  d Z ddlZddlZddlmZ ddlmZ ddlmZ ddl	m
Z
mZ ddlmZmZ ddlmZ dd	lmZ dd
lmZmZ ddlmZ ddlmZ ddlmZ ddlmZ ddlmZ e dZ!edZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,de, Z-ej.ej/ Z0dZ1dd Z2d d! Z3d"d# Z4d$d% Z5d&d' Z6d(d) Z7d*d+ Z8G d,d- d-e9Z:d.d/ Z;d0d1 Z<G d2d3 d3e9Z=G d4d5 d5eZ>dS )6z
Cross Site Request Forgery Middleware.

This module provides a middleware that implements protection
against request forgeries from other sites.
    N)defaultdicturlparse)settings)DisallowedHostImproperlyConfigured)HttpHeadersUnreadablePostError)get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)cached_propertyis_same_domain)log_response)_lazy_re_compilezdjango.security.csrfz[^a-zA-Z0-9]z?Origin checking failed - %s does not match any trusted origins.z%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.zCSRF token missing.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.zhas incorrect lengthzhas invalid characters       Z
_csrftokenc                   C   s
   t tjS )z/Return the view to be used for CSRF rejections.)r
   r   ZCSRF_FAILURE_VIEW r   r   M/var/www/html/lang_env/lib/python3.10/site-packages/django/middleware/csrf.py_get_failure_view1   s   
r   c                   C   s   t ttdS )N)allowed_chars)r   CSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSr   r   r   r   _get_new_csrf_string6   s   r   c                    sP   t  }t t fdd| D  fdd|D }d fdd|D }|| S )z
    Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a
    token by adding a mask and applying it to the secret.
    c                 3       | ]}  |V  qd S Nindex.0xcharsr   r   	<genexpr>A       z&_mask_cipher_secret.<locals>.<genexpr> c                 3   s(    | ]\}} || t    V  qd S r   )lenr"   r#   yr$   r   r   r&   B   s   & )r   r   zipjoin)secretmaskpairscipherr   r$   r   _mask_cipher_secret:   s
   &r2   c                    sZ   | dt  }| t d } t t fdd| D  fdd|D }d fdd|D S )z
    Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length
    CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt
    the second half to produce the original secret.
    Nc                 3   r   r   r   r!   r$   r   r   r&   O   r'   z'_unmask_cipher_token.<locals>.<genexpr>r(   c                 3   s     | ]\}} ||  V  qd S r   r   r*   r$   r   r   r&   P   s    )r   r   r,   r-   )tokenr/   r0   r   r$   r   _unmask_cipher_tokenF   s
   &r4   c                 C   s   t  }| j|dd |S )zDGenerate a new random CSRF_COOKIE value, and add it to request.META.T)CSRF_COOKIECSRF_COOKIE_NEEDS_UPDATE)r   METAupdaterequestcsrf_secretr   r   r   _add_new_csrf_cookieS   s   r<   c                 C   s6   d| j v r| j d }d| j d< t|S t| }t|S )a  
    Return the CSRF token required for a POST form. The token is an
    alphanumeric value. A new token is created if one is not already set.

    A side effect of calling this function is to make the csrf_protect
    decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
    header to the outgoing response.  For this reason, you may need to use this
    function lazily, as is done by the csrf context processor.
    r5   Tr6   )r7   r<   r2   r9   r   r   r   	get_token_   s   



r=   c                 C   s   t |  dS )zi
    Change the CSRF token in use for a request - should be done on login
    for security purposes.
    N)r<   )r:   r   r   r   rotate_tokent   s   r>   c                   @      e Zd Zdd ZdS )InvalidTokenFormatc                 C   
   || _ d S r   reasonselfrC   r   r   r   __init__}      
zInvalidTokenFormat.__init__N__name__
__module____qualname__rF   r   r   r   r   r@   |       r@   c                 C   s.   t | ttfvrttt| rttdS )z
    Raise an InvalidTokenFormat error if the token has an invalid length or
    characters that aren't allowed. The token argument can be a CSRF cookie
    secret or non-cookie CSRF token, and either masked or unmasked.
    N)r)   CSRF_TOKEN_LENGTHr   r@   REASON_INCORRECT_LENGTHinvalid_token_chars_researchREASON_INVALID_CHARACTERS)r3   r   r   r   _check_token_format   s
   
rR   c                 C   s.   t | tkr
t| } t | tksJ t| |S )a  
    Return whether the given CSRF token matches the given CSRF secret, after
    unmasking the token if necessary.

    This function assumes that the request_csrf_token argument has been
    validated to have the correct length (CSRF_SECRET_LENGTH or
    CSRF_TOKEN_LENGTH characters) and allowed characters, and that if it has
    length CSRF_TOKEN_LENGTH, it is a masked secret.
    )r)   rM   r4   r   r   )request_csrf_tokenr;   r   r   r   _does_token_match   s   
rT   c                   @   r?   )RejectRequestc                 C   rA   r   rB   rD   r   r   r   rF      rG   zRejectRequest.__init__NrH   r   r   r   r   rU      rL   rU   c                   @   s   e Zd ZdZedd Zedd Zedd Zdd	 Zd
d Z	dd Z
dd Zdd Zdd Zdd Zdd Zdd Zdd Zdd ZdS )CsrfViewMiddlewarez
    Require a present and correct csrfmiddlewaretoken for POST requests that
    have a CSRF cookie, and set an outgoing CSRF cookie.

    This middleware should be used in conjunction with the {% csrf_token %}
    template tag.
    c                 C      dd t jD S )Nc                 S   s   g | ]
}t |jd qS *)r   netloclstripr"   originr   r   r   
<listcomp>   s    zACsrfViewMiddleware.csrf_trusted_origins_hosts.<locals>.<listcomp>r   CSRF_TRUSTED_ORIGINSrE   r   r   r   csrf_trusted_origins_hosts   s   z-CsrfViewMiddleware.csrf_trusted_origins_hostsc                 C   rW   )Nc                 S   s   h | ]}d |vr|qS rX   r   r\   r   r   r   	<setcomp>   s    z;CsrfViewMiddleware.allowed_origins_exact.<locals>.<setcomp>r_   ra   r   r   r   allowed_origins_exact   s   z(CsrfViewMiddleware.allowed_origins_exactc                 C   s:   t t}dd tjD D ]}||j |jd q|S )z
        A mapping of allowed schemes to list of allowed netlocs, where all
        subdomains of the netloc are allowed.
        c                 s   s     | ]}d |v rt |V  qdS )rY   Nr   r\   r   r   r   r&      s    z?CsrfViewMiddleware.allowed_origin_subdomains.<locals>.<genexpr>rY   )r   listr   r`   schemeappendrZ   r[   )rE   allowed_origin_subdomainsparsedr   r   r   rh      s   
z,CsrfViewMiddleware.allowed_origin_subdomainsc                 C   s
   d|_ d S )NT)csrf_processing_done)rE   r:   r   r   r   _accept   s   zCsrfViewMiddleware._acceptc                 C   s(   t  ||d}td||j||td |S )NrB   zForbidden (%s): %s)responser:   logger)r   r   pathrm   )rE   r:   rC   rl   r   r   r   _reject   s   zCsrfViewMiddleware._rejectc                 C   s   t jrz|jt}W n# ty   tdw z|jt j }W n t	y*   d}Y nw t
| |du r5dS t|tkr?t|}|S )a  
        Return the CSRF secret originally associated with the request, or None
        if it didn't have one.

        If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if
        the request's secret has invalid characters or an invalid length.
        zCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.N)r   CSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorr   ZCOOKIESCSRF_COOKIE_NAMEKeyErrorrR   r)   rM   r4   rE   r:   r;   r   r   r   _get_secret   s&   zCsrfViewMiddleware._get_secretc              
   C   sp   t jr|jt|jd kr|jd |jt< d S d S |jt j|jd t jt j	t j
t jt jt jd t|d d S )Nr5   )Zmax_agedomainrn   securehttponlysamesite)Cookie)r   rp   rq   rr   rs   r7   
set_cookieru   ZCSRF_COOKIE_AGECSRF_COOKIE_DOMAINZCSRF_COOKIE_PATHZCSRF_COOKIE_SECUREZCSRF_COOKIE_HTTPONLYZCSRF_COOKIE_SAMESITEr   rE   r:   rl   r   r   r   _set_csrf_cookie   s   z#CsrfViewMiddleware._set_csrf_cookiec                    s   |j d }z| }W n	 ty   Y nw d| rdnd|f }||kr'dS || jv r.dS zt|}W n
 ty>   Y dS w |j}|j t	 fdd| j
|d	D S )
NHTTP_ORIGINz%s://%shttpshttpTFc                 3   s    | ]}t  |V  qd S r   r   r"   hostZrequest_netlocr   r   r&   #  s
    
z6CsrfViewMiddleware._origin_verified.<locals>.<genexpr>r   )r7   get_hostr   	is_securerd   r   
ValueErrorrf   rZ   anyrh   rr   )rE   r:   Zrequest_originZ	good_hostZgood_originZparsed_originZrequest_schemer   r   r   _origin_verified  s0   

z#CsrfViewMiddleware._origin_verifiedc                    s  |j d  d u rttzt  W n ty   ttw d j jfv r,tt jdkr5tt	t
 fdd| jD rCd S tjrItjntj}|d u rfz| }W n tye   tt   w | }|dvrtd||f }t j|stt   d S )NZHTTP_REFERERr(   r   c                 3   s    | ]	}t  j|V  qd S r   )r   rZ   r   Zrefererr   r   r&   :  s
    

z4CsrfViewMiddleware._check_referer.<locals>.<genexpr>)44380z%s:%s)r7   rr   rU   REASON_NO_REFERERr   r   REASON_MALFORMED_REFERERrf   rZ   REASON_INSECURE_REFERERr   rb   r   rp   ZSESSION_COOKIE_DOMAINr   r   r   REASON_BAD_REFERERgeturlZget_portr   )rE   r:   Zgood_refererZserver_portr   r   r   _check_referer(  s@   
z!CsrfViewMiddleware._check_refererc                 C   s0   |dkrt |}d|d}d| d| dS )NPOSTzthe z HTTP headerzCSRF token from  .)r   Zparse_header_name)rE   rC   token_sourceheader_namer   r   r   _bad_token_messageU  s   
z%CsrfViewMiddleware._bad_token_messagec              
   C   s  z|  |}W n ty } z	td|j dd }~ww |d u r%ttd}|jdkr?z	|jdd}W n	 ty>   Y nw |dkr[z|j	t
j }W n tyV   ttw t
j}nd}zt| W n tyz } z| |j|}t|d }~ww t||s| d|}t|d S )NzCSRF cookie r   r(   r   ZcsrfmiddlewaretokenZ	incorrect)rx   r@   rU   rC   REASON_NO_CSRF_COOKIEmethodr   rr   r	   r7   r   ZCSRF_HEADER_NAMErv   REASON_CSRF_TOKEN_MISSINGrR   r   rT   )rE   r:   r;   excrS   r   rC   r   r   r   _check_token\  sD   

zCsrfViewMiddleware._check_tokenc                 C   sF   z|  |}W n ty   t| Y d S w |d ur!||jd< d S d S )Nr5   )rx   r@   r<   r7   rw   r   r   r   process_request  s   z"CsrfViewMiddleware.process_requestc              
   C   s  t |ddrd S t |ddrd S |jdv r| |S t |ddr%| |S d|jv r;| |s:| |t|jd  S n%| r`z| | W n t	y_ } z| ||j
W  Y d }~S d }~ww z| | W n t	y } z| ||j
W  Y d }~S d }~ww | |S )Nrj   FZcsrf_exempt)GETHEADOPTIONSTRACEZ_dont_enforce_csrf_checksr   )getattrr   rk   r7   r   ro   REASON_BAD_ORIGINr   r   rU   rC   r   )rE   r:   callbackcallback_argscallback_kwargsr   r   r   r   process_view  s8   





zCsrfViewMiddleware.process_viewc                 C   s&   |j dr| || d|j d< |S )Nr6   F)r7   rr   r   r   r   r   r   process_response  s   
z#CsrfViewMiddleware.process_responseN)rI   rJ   rK   __doc__r   rb   rd   rh   rk   ro   rx   r   r   r   r   r   r   r   r   r   r   r   r   rV      s&    


 -49rV   )?r   loggingstringcollectionsr   urllib.parser   Zdjango.confr   Zdjango.core.exceptionsr   r   Zdjango.httpr   r	   Zdjango.urlsr
   Zdjango.utils.cacher   Zdjango.utils.cryptor   r   Zdjango.utils.deprecationr   Zdjango.utils.functionalr   Zdjango.utils.httpr   Zdjango.utils.logr   Zdjango.utils.regex_helperr   	getLoggerrm   rO   r   r   r   r   r   r   r   rN   rQ   r   rM   ascii_lettersdigitsr   rs   r   r   r2   r4   r<   r=   r>   	Exceptionr@   rR   rT   rU   rV   r   r   r   r   <module>   sX    
