author | lora <lorochka85@gmail.com> | 2011-11-19 17:01:40 -0600 |
committer | lora <lorochka85@gmail.com> | 2011-11-19 17:01:40 -0600 |
commit | 707001950a42c7adfd6657f227a2c2dbbd09afce (patch) | |
tree | 9a7215448098b8681b2b45fe636eb8af6c3ea8ba /mediagoblin/middleware/csrf.py | |
parent | 2d62e9efd210becd30982e65e06a6ef97029b391 (diff) | |
parent | aea6d577cbf4d937427dea173f74fb17ad45bd75 (diff) | |
download | mediagoblin-707001950a42c7adfd6657f227a2c2dbbd09afce.tar.lz mediagoblin-707001950a42c7adfd6657f227a2c2dbbd09afce.tar.xz mediagoblin-707001950a42c7adfd6657f227a2c2dbbd09afce.zip |
Merge branch 'master' of git://gitorious.org/mediagoblin/mediagoblin
Diffstat (limited to 'mediagoblin/middleware/csrf.py')
-rw-r--r-- | mediagoblin/middleware/csrf.py | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/mediagoblin/middleware/csrf.py b/mediagoblin/middleware/csrf.py
index 44b799d5..8275c18e 100644
--- a/mediagoblin/middleware/csrf.py
+++ b/mediagoblin/middleware/csrf.py
@@ -25,9 +25,9 @@ from mediagoblin import mg_globals
 # Use the system (hardware-based) random number generator if it exists.
 # -- this optimization is lifted from Django
 if hasattr(random, 'SystemRandom'):
-    randrange = random.SystemRandom().randrange
+    getrandbits = random.SystemRandom().getrandbits
 else:
-    randrange = random.randrange
+    getrandbits = random.getrandbits
 
 
 class CsrfForm(Form):
@@ -54,7 +54,7 @@ class CsrfMiddleware(object):
     and matches the form token for non-safe requests.
     """
 
-    MAX_CSRF_KEY = 2 << 63
+    CSRF_KEYLEN = 64
     SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
 
     def __init__(self, mg_app):
@@ -92,21 +92,18 @@ class CsrfMiddleware(object):
         response.set_cookie(
             mg_globals.app_config['csrf_cookie_name'],
             request.environ['CSRF_TOKEN'],
-            max_age=60 * 60 * 24 * 7 * 52,
-            path='/',
-            domain=mg_globals.app_config.get('csrf_cookie_domain', None),
+            path=request.environ['SCRIPT_NAME'],
+            domain=mg_globals.app_config.get('csrf_cookie_domain'),
             secure=(request.scheme.lower() == 'https'),
             httponly=True)
 
         # update the Vary header
-        response.vary = (response.vary or []) + ['Cookie']
+        response.vary = (getattr(response, 'vary', None) or []) + ['Cookie']
 
     def _make_token(self, request):
         """Generate a new token to use for CSRF protection."""
-        return hashlib.md5("%s%s" % (randrange(0, self.MAX_CSRF_KEY), randrange(0, self.MAX_CSRF_KEY))).hexdigest()
+        return "%s" % (getrandbits(self.CSRF_KEYLEN),)
 
     def verify_tokens(self, request):
         """Verify that the CSRF Cookie exists and that it matches the
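Review bot: The `else` branch of the first hunk binds `getrandbits` to the module-level `random.getrandbits`, which is the Mersenne Twister generator, so on any interpreter without `SystemRandom` the CSRF token produced by `_make_token` would come from a predictable, non-cryptographic source with no warning. `random.SystemRandom` has shipped with the standard library since Python 2.4, so the fallback is effectively dead code, and a silent downgrade is the wrong behaviour for a security token; failing loudly is safer: `else:` / `    raise RuntimeError('random.SystemRandom is required for CSRF tokens')`. The leading comment also calls the `SystemRandom` choice an "optimization", which misdescribes its purpose; `# Use the OS entropy source for CSRF tokens; the default PRNG is not suitable for secrets` would read correctly.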
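Review bot: In the third hunk `path=request.environ['SCRIPT_NAME']` is the empty string whenever the application is mounted at the server root, and a cookie whose Path attribute is empty or omitted is scoped by the browser to the default-path of the request that set it (RFC 6265 §5.1.4), so a CSRF cookie issued on one URL may not be sent with a later POST to a different path and `verify_tokens` would reject a legitimate form submission. Guard the empty case: `path=request.environ['SCRIPT_NAME'] or '/',`. Dropping `max_age` turns the token into a session cookie, which is a reasonable choice but deserves a one-line comment since the previous one-year lifetime was explicit. The method that contains the `set_cookie` call starts outside the hunk.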