From c618290a4476fd01f46b079e8b95bbc16341cbca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marjo=20Murtom=C3=A4ki?=
Date: Mon, 27 Nov 2023 19:56:22 +0200
Subject: Adding csrf checking to every post handler.

---
 routes/analyse.py | 1 +
 routes/answer.py | 2 ++
 routes/base.py | 1 +
 routes/create.py | 2 ++
 routes/question.py | 1 +
 routes/tools.py | 14 +++++++-------
 6 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/routes/analyse.py b/routes/analyse.py
index 3076d99..e256201 100644
--- a/routes/analyse.py
+++ b/routes/analyse.py
@@ -94,6 +94,7 @@ def analyse():
 
 @app.route("/set/compare",methods=["POST"])
 def set_compare():
+ csrf_check("/#analyse")
 session["anal_user1"] = request.form["user1"]
 session["anal_user2"] = request.form["user2"]
 return redirect("/#analyse")
diff --git a/routes/answer.py b/routes/answer.py
index 2fbeec8..6d767be 100644
--- a/routes/answer.py
+++ b/routes/answer.py
@@ -14,6 +14,7 @@ def kys_link(link):
 @app.route("/set/answer_id",methods=["POST"])
 def answer_id():
 next = "/#"+request.form["caller"] if "caller" in request.form else "/"
+ csrf_check(next)
 if "id" not in session:
 session["alert"] = "Nimimerkkiä ei ole asetettu."
 return redirect(next)
@@ -81,6 +82,7 @@ def answer():
 
 @app.route("/set/answers",methods=["POST"])
 def set_answers():
+ csrf_check("/#answer")
 if "id" not in session:
 session["alert"]="Nimimerkkiä ei ole vielä valittu!"
 return redirect( "/#answer" )
diff --git a/routes/base.py b/routes/base.py
index 22245c5..6d6dcd8 100644
--- a/routes/base.py
+++ b/routes/base.py
@@ -25,6 +25,7 @@ def info():
 @app.route("/set/nick",methods=["POST"])
 def new_nick():
 next = "/#"+request.form["caller"] if "caller" in request.form else "/"
+ csrf_check(next)
 if "id" in session.keys():
 session["alert"]="Sinulla on jo nimimerkki. Käytä sitä."
 return redirect(next)
diff --git a/routes/create.py b/routes/create.py
index 36c2521..c218d1f 100644
--- a/routes/create.py
+++ b/routes/create.py
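Review bot: The return value of `csrf_check("/#analyse")` is discarded, so on a missing or wrong token set_compare() still writes both session keys and redirects exactly as if the check had passed; csrf_check as added in routes/tools.py in this same commit signals failure only by returning a redirect response, which has no effect unless the caller returns it. The same pattern is in the answer_id, set_answers, new_nick, new_quiz, quiz_ready and new_question hunks. Either return the result at each call site, `resp = csrf_check("/#analyse")` followed by `if resp is not None: return resp`, or make csrf_check stop the request itself (for example with flask's `abort(403)`) so that a forgotten return cannot silently disable the check. None of the hunks show `csrf_check` being imported into these route modules; if it is not already in scope there, each call raises NameError instead of failing closed.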
@@ -41,6 +41,7 @@ def create():
 
 @app.route("/set/quiz",methods=["POST"])
 def new_quiz():
+ csrf_check("/#create")
 if not "id" in session.keys():
 session["alert"]="Tarvitset nimimerkin loudaksesi."
 return redirect("/#create")
@@ -51,6 +52,7 @@ def new_quiz():
 
 @app.route("/set/quiz_ready",methods=["POST"])
 def quiz_ready():
+ csrf_check("/#create")
 if "quiz_id" not in session.keys():
 session["alert"] = "Kyselmä jota ei ole aloitettu ei voi olla valmis."
 return redirect("/#create")
diff --git a/routes/question.py b/routes/question.py
index ad31993..981e15d 100644
--- a/routes/question.py
+++ b/routes/question.py
@@ -14,6 +14,7 @@ def question():
 
 @app.route("/set/question",methods=["POST"])
 def new_question():
+ csrf_check("/#create")
 try:
 question = request.form["question"]
 neg_ans = request.form["neg_ans"]
diff --git a/routes/tools.py b/routes/tools.py
index 69e6fef..eea6a8f 100644
--- a/routes/tools.py
+++ b/routes/tools.py
@@ -2,13 +2,6 @@
 from random import randint
 from flask import session
 import db_actions as D
-red = {
- "nick": "",
- "new_answer": "",
- "quiz": ""
-}
-
-
 def rows2dicts( rows, names ):
 dlist=[]
 for i in range(len(rows)):
@@ -44,3 +37,10 @@ def generate_link():
 str+=konso[randint(0,len(konso)-1)]
 str+=vocal[randint(0,len(vocal)-1)]
 return str
+
+def csrf_check( redir )
+ if "csrf" not in session
+ or "csrf" not in request.form
+ of session["csrf"]!=request.form["csrf"]:
+ session["alert"]="Istuntosi katkesi tai pyyntö toiselta sivulta!"
+ return redirect( redir )
--
cgit v1.2.3
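Review bot: The new csrf_check in routes/tools.py does not parse: `def csrf_check( redir )` has no trailing colon, the condition is split over three lines with no parentheses or backslashes, and the third clause reads `of` where `or` is meant, so importing tools.py raises SyntaxError and every route module that imports it fails to load. Once that is fixed, `request` and `redirect` are not brought in by the imports visible in the first tools.py hunk (`from flask import session` is the only flask import shown), so the check would raise NameError unless line 1 of the file, which is outside the hunk, imports them. The function also only returns a redirect on failure, which means each caller must return that value for the check to have any effect; the rewrite below states that contract in its docstring and uses `hmac.compare_digest` instead of `!=` so the token comparison is constant-time. It needs `from flask import redirect, request, session` and `from hmac import compare_digest` added to the import block at the top of the file.
```python
# … unchanged: rows2dicts and generate_link …

def csrf_check(redir):
    """Compare the form's CSRF token with the one stored in the session.

    Returns a redirect response to ``redir`` when the token is missing from
    the session or the form, or does not match; returns None when it matches.
    Callers must return a non-None result, otherwise the request continues.
    """
    expected = session.get("csrf")
    submitted = request.form.get("csrf")
    if not expected or not submitted or not compare_digest(
        str(expected).encode(), str(submitted).encode()
    ):
        session["alert"] = "Istuntosi katkesi tai pyyntö toiselta sivulta!"
        return redirect(redir)
    return None
```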