diff options
| author | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2011-10-04 00:12:03 +0200 |
|---|---|---|
| committer | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2011-10-14 21:46:17 +0200 |
| commit | 2dc8d249326458b4d70e0cf1efbc956dccb12d3f (patch) | |
| tree | c288186023cf6f8628369b04fd86adfcd20d52f7 /mediagoblin/middleware/csrf.py | |
| parent | 917d4663afedded7e6606b1a799771da8dc2a37c (diff) | |
| download | mediagoblin-2dc8d249326458b4d70e0cf1efbc956dccb12d3f.tar.lz mediagoblin-2dc8d249326458b4d70e0cf1efbc956dccb12d3f.tar.xz mediagoblin-2dc8d249326458b4d70e0cf1efbc956dccb12d3f.zip | |
Some mostly cosmetic changes to CSRF
* remove max_age - A session cookie is better, because it's
a session thing, really.
* Call the cookie mediagoblin_csrftoken, much clearer.
* Use the SCRIPT_NAME for the path of the cookie, so that
the cookie is sent back to the right place only.
Alternatively the path= parameter could be removed, so
that it defaults to '/'.
* call the randomness function only once, instead of twice.
64 bits should be enough. If really more bits are needed,
increase the number.
* Just give the number as cookie. No point in md5 and
hexdigest in my view (those functions just make another
representation).
* getrandbits gets a bit count directly, simpler API
Diffstat (limited to 'mediagoblin/middleware/csrf.py')
| -rw-r--r-- | mediagoblin/middleware/csrf.py | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/mediagoblin/middleware/csrf.py b/mediagoblin/middleware/csrf.py index 44b799d5..7a5e352e 100644 --- a/mediagoblin/middleware/csrf.py +++ b/mediagoblin/middleware/csrf.py @@ -25,9 +25,9 @@ from mediagoblin import mg_globals # Use the system (hardware-based) random number generator if it exists. # -- this optimization is lifted from Django if hasattr(random, 'SystemRandom'): - randrange = random.SystemRandom().randrange + getrandbits = random.SystemRandom().getrandbits else: - randrange = random.randrange + getrandbits = random.getrandbits class CsrfForm(Form): @@ -54,7 +54,7 @@ class CsrfMiddleware(object): and matches the form token for non-safe requests. """ - MAX_CSRF_KEY = 2 << 63 + CSRF_KEYLEN = 64 SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE") def __init__(self, mg_app): @@ -92,9 +92,8 @@ class CsrfMiddleware(object): response.set_cookie( mg_globals.app_config['csrf_cookie_name'], request.environ['CSRF_TOKEN'], - max_age=60 * 60 * 24 * 7 * 52, - path='/', - domain=mg_globals.app_config.get('csrf_cookie_domain', None), + path=request.environ['SCRIPT_NAME'], + domain=mg_globals.app_config.get('csrf_cookie_domain'), secure=(request.scheme.lower() == 'https'), httponly=True) @@ -104,9 +103,7 @@ class CsrfMiddleware(object): def _make_token(self, request): """Generate a new token to use for CSRF protection.""" - return hashlib.md5("%s%s" % - (randrange(0, self.MAX_CSRF_KEY), - randrange(0, self.MAX_CSRF_KEY))).hexdigest() + return "%s" % (getrandbits(self.CSRF_KEYLEN),) def verify_tokens(self, request): """Verify that the CSRF Cookie exists and that it matches the |