hardened the token and fixed the signature

b3yond 2019-01-27 16:31:59 +01:00
parent 164f0eae08
commit 194d271cbc
2 changed files with 5 additions and 4 deletions


@ -22,7 +22,8 @@ class SessionPlugin(object):
return redirect(self.loginpage)
kwargs[self.keyword] = User(uid)
if request.method == 'POST':
if request.forms['csrf'] != request.get_cookie('csrf'):
if request.forms['csrf'] != request.get_cookie('csrf',
secret=db.get_secret()):
abort(400)
return callback(*args, **kwargs)
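Review bot: The comparison against `request.get_cookie('csrf', secret=db.get_secret())` only proves that the form value matches some cookie this server signed, not that the token belongs to the user built from `uid` two lines above; a signed token issued for one account would also be accepted for another if it ended up in that browser's cookie jar. Binding the token to the session, for example by including `uid` in the signed value or storing the token with the session record, would close that gap. Separately, `request.forms['csrf']` is a subscript, so a POST without the field probably raises instead of reaching `abort(400)`. Reading it with `token = request.forms.get('csrf')` and testing `if not token or token != request.get_cookie('csrf', secret=db.get_secret()):` keeps a missing field on the 400 path and avoids `None` comparing equal to `None`. The wrapper this check lives in starts above the hunk, so how `uid` is obtained is not visible here.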


@ -15,10 +15,10 @@ class User(object):
response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/')
def get_csrf(self):
csrf_token = request.get_cookie('csrf')
csrf_token = request.get_cookie('csrf', secret=db.get_secret())
if not csrf_token:
allchar = "1234567890"
csrf_token = "".join(choice(allchar) for x in [32])
allchar = "0123456789"
csrf_token = "".join(choice(allchar) for x in range(32))
return csrf_token
def check_password(self, password):
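Review bot: `choice` in `csrf_token = "".join(choice(allchar) for x in range(32))` is imported outside this hunk; if it is `random.choice`, the token is drawn from the Mersenne Twister, which is predictable and not meant for security tokens. `secrets.token_urlsafe(32)` draws from the OS CSPRNG and drops the digits-only alphabet; on interpreters without `secrets`, `random.SystemRandom().choice` is the drop-in replacement. The `set_cookie` call on the context line above passes only `path='/'`, so it is worth checking whether `secure=True` and `httponly=True` should be set there too. A short comment on `get_csrf` saying that it reuses the signed cookie value when present and only mints a new token otherwise would also help the next reader.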