2 files changed, 136 insertions, 0 deletions

diff --git a/mediagoblin/middleware/__init__.py b/mediagoblin/middleware/__init__.py
index 586debbf..05325ee5 100644
--- a/mediagoblin/middleware/__init__.py
+++ b/mediagoblin/middleware/__init__.py
@@ -16,4 +16,5 @@
 
 ENABLED_MIDDLEWARE = (
     'mediagoblin.middleware.noop:NoOpMiddleware',
+    'mediagoblin.middleware.csrf:CsrfMiddleware',
     )
diff --git a/mediagoblin/middleware/csrf.py b/mediagoblin/middleware/csrf.py
new file mode 100644
index 00000000..44b799d5
--- /dev/null
+++ b/mediagoblin/middleware/csrf.py
@@ -0,0 +1,135 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import hashlib
+import random
+
+from webob.exc import HTTPForbidden
+from wtforms import Form, HiddenField, validators
+
+from mediagoblin import mg_globals
+
+# Use the system (hardware-based) random number generator if it exists.
+# -- this optimization is lifted from Django
+if hasattr(random, 'SystemRandom'):
+    randrange = random.SystemRandom().randrange
+else:
+    randrange = random.randrange
+
+
+class CsrfForm(Form):
+    """Simple form to handle rendering a CSRF token and confirming it
+    is included in the POST."""
+
+    csrf_token = HiddenField("",
+                             [validators.Required()])
+
+
+def render_csrf_form_token(request):
+    """Render the CSRF token in a format suitable for inclusion in a
+    form."""
+
+    form = CsrfForm(csrf_token=request.environ['CSRF_TOKEN'])
+
+    return form.csrf_token
+
+
+class CsrfMiddleware(object):
+    """CSRF Protection Middleware
+
+    Adds a CSRF Cookie to responses and verifies that it is present
+    and matches the form token for non-safe requests.
+    """
+
+    MAX_CSRF_KEY = 2 << 63
+    SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
+
+    def __init__(self, mg_app):
+        self.app = mg_app
+
+    def process_request(self, request):
+        """For non-safe requests, confirm that the tokens are present
+        and match.
+        """
+
+        # get the token from the cookie
+        try:
+            request.environ['CSRF_TOKEN'] = \
+                request.cookies[mg_globals.app_config['csrf_cookie_name']]
+
+        except KeyError, e:
+            # if it doesn't exist, make a new one
+            request.environ['CSRF_TOKEN'] = self._make_token(request)
+
+        # if this is a non-"safe" request (ie, one that could have
+        # side effects), confirm that the CSRF tokens are present and
+        # valid
+        if request.method not in self.SAFE_HTTP_METHODS \
+            and ('gmg.verify_csrf' in request.environ or
+                 'paste.testing' not in request.environ):
+
+            return self.verify_tokens(request)
+
+    def process_response(self, request, response):
+        """Add the CSRF cookie to the response if needed and set Vary
+        headers.
+        """
+
+        # set the CSRF cookie
+        response.set_cookie(
+            mg_globals.app_config['csrf_cookie_name'],
+            request.environ['CSRF_TOKEN'],
+            max_age=60 * 60 * 24 * 7 * 52,
+            path='/',
+            domain=mg_globals.app_config.get('csrf_cookie_domain', None),
+            secure=(request.scheme.lower() == 'https'),
+            httponly=True)
+
+        # update the Vary header
+        response.vary = (response.vary or []) + ['Cookie']
+
+    def _make_token(self, request):
+        """Generate a new token to use for CSRF protection."""
+
+        return hashlib.md5("%s%s" %
+                           (randrange(0, self.MAX_CSRF_KEY),
+                            randrange(0, self.MAX_CSRF_KEY))).hexdigest()
+
+    def verify_tokens(self, request):
+        """Verify that the CSRF Cookie exists and that it matches the
+        form value."""
+
+        # confirm the cookie token was presented
+        cookie_token = request.cookies.get(
+            mg_globals.app_config['csrf_cookie_name'],
+            None)
+
+        if cookie_token is None:
+            # the CSRF cookie must be present in the request
+            return HTTPForbidden()
+
+        # get the form token and confirm it matches
+        form = CsrfForm(request.POST)
+        if form.validate():
+            form_token = form.csrf_token.data
+
+            if form_token == cookie_token:
+                # all's well that ends well
+                return
+
+        # either the tokens didn't match or the form token wasn't
+        # present; either way, the request is denied
+        return HTTPForbidden()