From 1e7477dd96ac822fed217793e9aafa2b8a08a894 Mon Sep 17 00:00:00 2001
From: Bui
Date: Tue, 17 Mar 2020 02:10:47 +0000
Subject: [PATCH] anti-csrf
---
 app.py | 4 +++-
 public/src/js/account.js | 1 +
 templates/admin_song_detail.html | 2 ++
 templates/admin_song_new.html | 3 ++-
 4 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/app.py b/app.py
index 122ab2a..22419b7 100644
--- a/app.py
+++ b/app.py
@@ -14,6 +14,7 @@ from functools import wraps
 from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash
 from flask_caching import Cache
 from flask_session import Session
+from flask_wtf.csrf import CSRFProtect, generate_csrf
 from ffmpy import FFmpeg
 from pymongo import MongoClient
@@ -26,6 +27,7 @@ app.config['SESSION_COOKIE_HTTPONLY'] = False
 app.cache = Cache(app, config=config.REDIS)
 sess = Session()
 sess.init_app(app)
+csrf = CSRFProtect(app)
 db = client[config.MONGO['database']]
 db.users.create_index('username', unique=True)
@@ -106,6 +108,7 @@ def get_config():
 config_out['assets_baseurl'] = ''.join([request.host_url, 'assets']) + '/'
 config_out['_version'] = get_version()
+ config_out['_csrf_token'] = generate_csrf()
 return config_out
@@ -126,7 +129,6 @@ def get_version():
 @app.route('/')
-@app.cache.cached(timeout=15)
 def route_index():
 version = get_version()
 return render_template('index.html', version=version, config=get_config())
diff --git a/public/src/js/account.js b/public/src/js/account.js
index 22757a7..d33ab05 100644
--- a/public/src/js/account.js
+++ b/public/src/js/account.js
@@ -423,6 +423,7 @@ class Account{
 })
 if(obj){
 request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
+ request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)
 request.send(JSON.stringify(obj))
 }else{
 request.send()
diff --git a/templates/admin_song_detail.html b/templates/admin_song_detail.html
index 9c860ae..ff221c8 100644
--- a/templates/admin_song_detail.html
+++ b/templates/admin_song_detail.html
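Review bot: `config_out['_csrf_token'] = generate_csrf()` puts a session-bound token into the config payload, which is only correct because the next hunk drops `@app.cache.cached(timeout=15)` from route_index; any other route that still serves get_config() output through app.cache would return a token minted for a different session, which then fails validation, and nothing in the code records that constraint. A comment on the new line would pin it: `# per-session CSRF token: a response carrying get_config() must never be served from app.cache`. get_config() begins outside the hunk, so I cannot see whether it has other callers. Flask-WTF also rejects the signed token once WTF_CSRF_TIME_LIMIT (3600 s by default) has elapsed, so a client that keeps the token from page load gets a 400 on writes after an hour; either set `app.config['WTF_CSRF_TIME_LIMIT'] = None` so the token lives as long as the session, or have the client reload the config when a write is rejected.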
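Review bot: The `X-CSRFToken` header is set only inside the `if(obj)` branch, so requests that take the `else` path (`request.send()` with no body) carry no token, and now that CSRFProtect is enabled app-wide any POST or DELETE among them is rejected with 400. Unless that path is GET-only — the method is chosen outside the hunk, so I cannot tell — move `request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)` above the `if(obj){` line so every request carries it; the header is harmless on GET. `gameConfig._csrf_token` is also whatever was loaded with the page, so if the server-side session is replaced (for example on login or logout) the page keeps sending a stale token until it is reloaded.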
@@ -6,6 +6,7 @@ {% endfor %}
+
@@ -124,6 +125,7 @@ {% if admin.user_level >= 100 %}
+
 {% endif %}
diff --git a/templates/admin_song_new.html b/templates/admin_song_new.html
index 9fc1361..35557b0 100644
--- a/templates/admin_song_new.html
+++ b/templates/admin_song_new.html
@@ -6,9 +6,10 @@ {% endfor %}
+
- +