author | Kalevi Yypänaho <kyypanah@local> | 2023-11-27 20:35:57 +0200 |
---|---|---|
committer | Kalevi Yypänaho <kyypanah@local> | 2023-11-27 20:35:57 +0200 |
commit | d74aca91c689b54b7b49bbfa7121f458f4caf751 (patch) | |
tree | b13f1ffc7d6f5c816ac16147cc9b8703a17c69c7 | |
parent | d6c73dbde8a35905a8f29caf9b6d088043a5e78f (diff) |
Adding csrf to templates.
-rw-r--r-- | routes/analyse.py | 3 | ||||
-rw-r--r-- | routes/answer.py | 10 | ||||
-rw-r--r-- | routes/base.py | 4 | ||||
-rw-r--r-- | routes/create.py | 6 | ||||
-rw-r--r-- | routes/question.py | 3 | ||||
-rw-r--r-- | routes/tools.py | 11 | ||||
-rw-r--r-- | templates/analyse.html | 6 | ||||
-rw-r--r-- | templates/answer.html | 2 | ||||
-rw-r--r-- | templates/base.html | 1 | ||||
-rw-r--r-- | templates/create.html | 2 | ||||
-rw-r--r-- | templates/question.html | 1 |
11 files changed, 37 insertions, 12 deletions
diff --git a/routes/analyse.py b/routes/analyse.py
index 70d852b..3b59ae7 100644
--- a/routes/analyse.py
+++ b/routes/analyse.py
@@ -94,7 +94,8 @@ def analyse():
 @app.route("/set/compare",methods=["POST"])
 def set_compare():
-    csrf_check("/#analyse")
+    if csrf_check():
+        return redirect("/#analyse")
     session["anal_user1"] = request.form["user1"]
     session["anal_user2"] = request.form["user2"]
     return redirect("/#analyse")
diff --git a/routes/answer.py b/routes/answer.py
index a554d25..e224b44 100644
--- a/routes/answer.py
+++ b/routes/answer.py
@@ -14,7 +14,8 @@ def kys_link(link):
 @app.route("/set/answer_id",methods=["POST"])
 def answer_id():
     next = "/#"+request.form["caller"] if "caller" in request.form else "/"
-    csrf_check(next)
+    if csrf_check():
+        return redirect(next)
     if "id" not in session:
         session["alert"] = "Nimimerkkiä ei ole asetettu."
         return redirect(next)
@@ -82,7 +83,8 @@ def answer():
 @app.route("/set/answers",methods=["POST"])
 def set_answers():
-    csrf_check("/#answer")
+    if csrf_check():
+        return redirect("/#answer")
     if "id" not in session:
         session["alert"]="Nimimerkkiä ei ole vielä valittu!"
         return redirect( "/#answer" )
@@ -92,6 +94,8 @@ def set_answers():
     sid = session["id"]
     for question, answer in request.form.items():
+        if question=="csrf":
+            continue
         try:
             if int(answer) < 0 or int(answer) > 999:
                 session["alert"]="Luvattoman pieniä tai suuria lukuja!"
@@ -104,6 +108,8 @@ def set_answers():
             return redirect( "/#answer" )
     for question, answer in request.form.items():
+        if question=="csrf":
+            continue
         D.answer_new(int(sid), int(question), int(answer))
     return redirect("/#analyse")
diff --git a/routes/base.py b/routes/base.py
index 42d8cdf..2c4b1f2 100644
--- a/routes/base.py
+++ b/routes/base.py
@@ -1,3 +1,4 @@
+from secrets import token_urlsafe
 from app import app
 from flask import render_template,session,request,redirect
 import db_actions as D
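Review bot: The `if question=="csrf": continue` guard in set_answers is written twice, once in the validation loop at @@ -92 and again in the insert loop at @@ -104, and both loops re-read request.form, so the two passes can drift apart if another non-question field is ever added to the form. Filter once before the first loop, `answers = {q: a for q, a in request.form.items() if q != "csrf"}`, and iterate `answers.items()` in both loops. Both hunks sit inside set_answers, whose body continues outside them.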
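Review bot: `token_urlsafe` is imported in base.py but no hunk in this commit shows where `session["csrf"]` is assigned, so the seeding of the token presumably lives in code outside the diff. If any template is rendered before that assignment runs, `{{ session.csrf }}` renders empty and the user's first POST is rejected by csrf_check with the session alert, so it is worth confirming the token exists on every request that renders a form; a `@app.before_request` hook doing `session.setdefault("csrf", token_urlsafe(32))` is one single place for it. A short comment next to the assignment naming the templates that read `session.csrf` would also help the next maintainer.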
@@ -26,7 +27,8 @@ def info():
 @app.route("/set/nick",methods=["POST"])
 def new_nick():
     next = "/#"+request.form["caller"] if "caller" in request.form else "/"
-    csrf_check(next)
+    if csrf_check():
+        return redirect(next)
     if "id" in session.keys():
         session["alert"]="Sinulla on jo nimimerkki. Käytä sitä."
         return redirect(next)
diff --git a/routes/create.py b/routes/create.py
index 083cc0e..2de8e27 100644
--- a/routes/create.py
+++ b/routes/create.py
@@ -41,7 +41,8 @@ def create():
 @app.route("/set/quiz",methods=["POST"])
 def new_quiz():
-    csrf_check("/#create")
+    if csrf_check():
+        return redirect("/#create")
     if not "id" in session.keys():
         session["alert"]="Tarvitset nimimerkin loudaksesi."
         return redirect("/#create")
@@ -52,7 +53,8 @@ def new_quiz():
 @app.route("/set/quiz_ready",methods=["POST"])
 def quiz_ready():
-    csrf_check("/#create")
+    if csrf_check():
+        return redirect("/#create")
     if "quiz_id" not in session.keys():
         session["alert"] = "Kyselmä jota ei ole aloitettu ei voi olla valmis."
         return redirect("/#create")
diff --git a/routes/question.py b/routes/question.py
index de8dc28..42fce8d 100644
--- a/routes/question.py
+++ b/routes/question.py
@@ -14,7 +14,8 @@ def question():
 @app.route("/set/question",methods=["POST"])
 def new_question():
-    csrf_check("/#create")
+    if csrf_check():
+        return redirect("/#create")
     try:
         question = request.form["question"]
         neg_ans = request.form["neg_ans"]
diff --git a/routes/tools.py b/routes/tools.py
index 3f831a9..c55ca74 100644
--- a/routes/tools.py
+++ b/routes/tools.py
@@ -1,5 +1,5 @@
 from random import randint
-from flask import session
+from flask import session, request
 import db_actions as D
 def rows2dicts( rows, names ):
@@ -38,9 +38,10 @@ def generate_link():
         str+=vocal[randint(0,len(vocal)-1)]
     return str
-def csrf_check( redir ):
+def csrf_check():
     if "csrf" not in session \
         or "csrf" not in request.form \
-        or session["csrf"]!=request.form["csrf"]:
-        session["alert"]="Istuntosi katkesi tai pyyntö toiselta sivulta!"
-        return redirect( redir )
+        or session["csrf"] != request.form["csrf"]:
+        session["alert"]="Istuntosi katkesi tai pyyntö on toiselta sivulta!"
+        return True
+    return False
diff --git a/templates/analyse.html b/templates/analyse.html
index b7139e4..6dcc1be 100644
--- a/templates/analyse.html
+++ b/templates/analyse.html
@@ -26,6 +26,7 @@ Tutkit kyselmää: {{ code }}
 {% endif %}
 {% endfor %}
 </select>
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Vertaa" class="kysButton">
 </form>
 </div></div>
@@ -60,6 +61,7 @@ Tutkit kyselmää: {{ code }}
 <form action="/set/compare" method="POST">
 <input type="text" name="user1" hidden="true" value={{ best.max_u1 }}>
 <input type="text" name="user2" hidden="true" value={{ best.max_u2 }}>
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Kaikista paras yhtäläisyys ({{ best.max }}%)" class="kysButton">
 </form>
@@ -67,6 +69,7 @@ Tutkit kyselmää: {{ code }}
 <form action="/set/compare" method="POST">
 <input type="text" name="user1" hidden="true" value={{ best.maxme_u1 }}>
 <input type="text" name="user2" hidden="true" value={{ best.maxme_u2 }}>
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Paras yhtäläisyys kanssani ({{ best.maxme }}%)" class="kysButton">
 </form>
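Review bot: The token comparison `session["csrf"] != request.form["csrf"]` in csrf_check is an ordinary string compare that stops at the first differing byte; the conventional form for comparing a secret is `not hmac.compare_digest(session["csrf"].encode(), request.form["csrf"].encode())`, with `import hmac` added to the import block changed in this file's @@ -1 hunk (the `.encode()` matters because compare_digest raises TypeError on non-ASCII str, and the form value is attacker-controlled). The function also returns True when the check fails, which reads inverted against its name at every call site (`if csrf_check(): return redirect(...)` in analyse.py, answer.py, base.py, create.py and question.py); either rename it to something like `csrf_failed()` or give it a docstring such as `"""Return True if the CSRF token is missing or does not match; sets session["alert"] on failure."""`. The exploitability of the timing difference here is doubtful, so this is defense in depth rather than a blocker.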
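Review bot: The token field is added as `<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">`, a text input hidden only by the global `hidden` attribute; `<input type="hidden" name="csrf" value="{{ session.csrf }}">` is the conventional form, cannot be revealed by CSS or script that clears `hidden`, and is never focused or autofilled. The same applies to every template hunk in this commit (analyse.html, answer.html, base.html, create.html, question.html). The interpolation itself relies on Jinja autoescaping, which Flask enables for .html templates, so the value is emitted escaped.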
@@ -74,6 +77,7 @@ Tutkit kyselmää: {{ code }}
 <form action="/set/compare" method="POST">
 <input type="text" name="user1" hidden="true" value={{ best.minme_u1 }}>
 <input type="text" name="user2" hidden="true" value={{ best.minme_u2 }}>
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Huonoin yhtäläisyys kanssani ({{ best.minme }}%)" class="kysButton">
 </form>
@@ -81,6 +85,7 @@ Tutkit kyselmää: {{ code }}
 <form action="/set/compare" method="POST">
 <input type="text" name="user1" hidden="true" value={{ best.min_u1 }}>
 <input type="text" name="user2" hidden="true" value={{ best.min_u2 }}>
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Kaikista huonoin yhtäläisyys ({{ best.min }}%)" class="kysButton">
 </form>
@@ -93,6 +98,7 @@ Tutkit kyselmää: {{ code }}
 Vaihda kyselyn koodia: <input type="text" name="link">
 <input type="text" name="caller" value="analyse" hidden="true">
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Vaihda">
 </form>
diff --git a/templates/answer.html b/templates/answer.html
index 6231785..4bf61d3 100644
--- a/templates/answer.html
+++ b/templates/answer.html
@@ -18,6 +18,7 @@ Vastaa kyselmään "{{ link }}":
 <input class="kysAnswer" type="range" min="0" max="999" name="{{ q.i }}">
 </div>
 {% endfor %}
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input class="kysSubmitAnswers" type="submit" value="Vastaa kyselyyn">
 </div>
 </form>
@@ -28,6 +29,7 @@ Vastaa kyselmään "{{ link }}":
 Vastaa kyselyyn koodilla: <input type="text" name="link">
 <input type="text" name="caller" value="answer" hidden="true">
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Kyselmään">
 </form>
diff --git a/templates/base.html b/templates/base.html
index f38eb12..e47e643 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -5,6 +5,7 @@ Anna itsellesi nimimerkki ensin:
 <input type="text" name="nick">
 <input type="text" name="caller" value="{{ caller }}" hidden="true">
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Lähetä">
 </form>
 {% endif %}
diff --git a/templates/create.html b/templates/create.html
index 21520b5..eb4bccd 100644
--- a/templates/create.html
+++ b/templates/create.html
@@ -25,6 +25,7 @@
 <div class="kysScaleSpacer"></div>
 <form action="/set/quiz_ready" method="POST">
 <input type="text" name="ok" hidden=true>
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Valmis" class="kysButton">
 </form>
 <div class="kysScale">
@@ -34,6 +35,7 @@
 {% else %}
 <form action="/set/quiz" method="POST">
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Aloita uusi kyselmä">
 </form>
diff --git a/templates/question.html b/templates/question.html
index 62afaaf..76cba79 100644
--- a/templates/question.html
+++ b/templates/question.html
@@ -12,6 +12,7 @@
 <input type="range" min="0" max="999" value="500" class="kysAnswer" name="answer" >
+<input type="text" name="csrf" value="{{ session.csrf }}" hidden="true">
 <input type="submit" value="Lisää kysymys">
 </div>
 </form>