diff --git a/frontend.py b/frontend.py index 452769f..c6076ae 100755 --- a/frontend.py +++ b/frontend.py @@ -144,6 +144,7 @@ def settings(user): @post('/settings/markdown') +#csrf @view('template/settings.tpl') def update_markdown(user): user.set_markdown(request.forms['markdown']) @@ -151,6 +152,7 @@ def update_markdown(user): @post('/settings/mail_md') +#csrf @view('template/settings.tpl') def update_mail_md(user): user.set_mail_md(request.forms['mail_md']) @@ -158,6 +160,7 @@ def update_mail_md(user): @post('/settings/goodlist') +#csrf @view('template/settings.tpl') def update_trigger_patterns(user): user.set_trigger_words(request.forms['goodlist']) @@ -165,6 +168,7 @@ def update_trigger_patterns(user): @post('/settings/blocklist') +#csrf @view('template/settings.tpl') def update_badwords(user): user.set_badwords(request.forms['blocklist']) @@ -172,15 +176,17 @@ def update_badwords(user): @post('/settings/telegram') +#csrf def register_telegram(user): apikey = request.forms['apikey'] user.update_telegram_key(apikey) return city_page(user.get_city(), info="Thanks for registering Telegram!") -@get('/api/state') -def api_enable(user): - return user.state() +# unused afaik +#@get('/api/state') +#def api_enable(user): +# return user.state() @get('/static/') @@ -197,6 +203,7 @@ def guides(filename): def logout(): # clear auth cookie response.set_cookie('uid', '', expires=0, path="/") + response.set_cookie('csrf', '', expires=0, path="/") # :todo show info "Logout successful." redirect('/') @@ -240,6 +247,7 @@ def twitter_callback(user): @post('/login/mastodon') +#csrf def login_mastodon(user): """ Mastodon OAuth authentication process. diff --git a/session.py b/session.py index b361604..b1a0b62 100644 --- a/session.py +++ b/session.py @@ -1,4 +1,4 @@ -from bottle import redirect, request +from bottle import redirect, request, abort, response from db import db from functools import wraps from inspect import Signature @@ -21,6 +21,9 @@ class SessionPlugin(object): if uid is None: return redirect(self.loginpage) kwargs[self.keyword] = User(uid) + if request.method == 'POST': + if request.forms['csrf'] != request.get_cookie('csrf'): + abort(400) return callback(*args, **kwargs) return wrapper diff --git a/template/settings.tpl b/template/settings.tpl index dae30ce..0971d1b 100644 --- a/template/settings.tpl +++ b/template/settings.tpl @@ -106,6 +106,7 @@

+
diff --git a/user.py b/user.py index 92eb463..43d9050 100644 --- a/user.py +++ b/user.py @@ -4,12 +4,16 @@ from db import db import jwt from mastodon import Mastodon from pylibscrypt import scrypt_mcf, scrypt_mcf_check +from random import choice class User(object): def __init__(self, uid): # set cookie response.set_cookie('uid', uid, secret=db.get_secret(), path='/') + allchar = "1234567890" + response.set_cookie('csrf', "".join(choice(allchar) for x in [32]), + db.get_secret(), path='/') self.uid = uid def check_password(self, password):