implement anti-csrf measures in all posted forms
@ -85,9 +85,17 @@ def detail(id):
|
||||
return render_template("capsul-detail.html", vm=vm, delete=True, deleted=True)
|
||||
|
||||
if request.method == "POST":
|
||||
if 'are_you_sure' not in request.form or not request.form['are_you_sure']:
|
||||
if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
|
||||
return abort(418, f"u want tea")
|
||||
|
||||
return render_template("capsul-detail.html", vm=vm, delete=True, deleted=False)
|
||||
if 'are_you_sure' not in request.form or not request.form['are_you_sure']:
|
||||
return render_template(
|
||||
"capsul-detail.html",
|
||||
csrf_token = session["csrf-token"],
|
||||
vm=vm,
|
||||
delete=True,
|
||||
deleted=False
|
||||
)
|
||||
else:
|
||||
current_app.logger.info(f"deleting {vm['id']} per user request ({session['account']})")
|
||||
current_app.config["VIRTUALIZATION_MODEL"].destroy(email=session['account'], id=id)
|
||||
@ -102,7 +110,9 @@ def detail(id):
|
||||
|
||||
return render_template(
|
||||
"capsul-detail.html",
|
||||
vm=vm, delete=False,
|
||||
csrf_token = session["csrf-token"],
|
||||
vm=vm,
|
||||
delete=False,
|
||||
durations=list(map(lambda x: x.strip("_"), metric_durations.keys())),
|
||||
duration=duration
|
||||
)
|
||||
@ -119,6 +129,8 @@ def create():
|
||||
errors = list()
|
||||
|
||||
if request.method == "POST":
|
||||
if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
|
||||
return abort(418, f"u want tea")
|
||||
|
||||
size = request.form["size"]
|
||||
os = request.form["os"]
|
||||
@ -193,6 +205,7 @@ def create():
|
||||
|
||||
return render_template(
|
||||
"create-capsul.html",
|
||||
csrf_token = session["csrf-token"],
|
||||
capacity_avaliable=capacity_avaliable,
|
||||
account_balance=format(account_balance, '.2f'),
|
||||
ssh_public_keys=ssh_public_keys,
|
||||
@ -209,6 +222,9 @@ def ssh_public_keys():
|
||||
errors = list()
|
||||
|
||||
if request.method == "POST":
|
||||
if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
|
||||
return abort(418, f"u want tea")
|
||||
|
||||
method = request.form["method"]
|
||||
content = None
|
||||
|
||||
@ -223,7 +239,6 @@ def ssh_public_keys():
|
||||
else:
|
||||
errors.append("Name is required")
|
||||
if not re.match(r"^[0-9A-Za-z_@. -]+$", name):
|
||||
print(name)
|
||||
errors.append("Name must match \"^[0-9A-Za-z_@. -]+$\"")
|
||||
|
||||
if method == "POST":
|
||||
@ -254,7 +269,12 @@ def ssh_public_keys():
|
||||
get_model().list_ssh_public_keys_for_account(session["account"])
|
||||
))
|
||||
|
||||
return render_template("ssh-public-keys.html", ssh_public_keys=keys_list, has_ssh_public_keys=len(keys_list) > 0)
|
||||
return render_template(
|
||||
"ssh-public-keys.html",
|
||||
csrf_token = session["csrf-token"],
|
||||
ssh_public_keys=keys_list,
|
||||
has_ssh_public_keys=len(keys_list) > 0
|
||||
)
|
||||
|
||||
def get_vms():
|
||||
if 'user_vms' not in g:
|
||||
|
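Review bot: The token check added in the `detail` hunk (`if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']`) is repeated verbatim in the `create` and `ssh_public_keys` hunks, and in each copy it indexes `session['csrf-token']` directly, so a POST arriving on a session that has no token yet (a fresh or expired session, if the token is only set elsewhere — this commit does not show where) raises KeyError and turns into a 500 instead of the intended 418. The comparison also uses `!=`; the usual form for secret comparison is `hmac.compare_digest`, which needs `import hmac` at the top of the file. Because the +/- markers are lost on this page I cannot tell whether, in `detail`, the check runs before or after the `are_you_sure` branch; it should be the first thing evaluated under `if request.method == "POST":` so that no form field is acted on before the token is verified. Folding the four copies into one helper keeps the rule in one place and gives each handler a single call such as `check_csrf()` in place of the two-line check; the `f"u want tea"` literal has no placeholders and can be a plain string.
```python
def check_csrf():
    """Abort with 418 unless the posted csrf-token matches the session's token."""
    expected = session.get("csrf-token")
    submitted = request.form.get("csrf-token")
    if not expected or not submitted or not hmac.compare_digest(submitted, expected):
        abort(418, "u want tea")

# … unchanged: each POST handler calls check_csrf() as its first statement under request.method == "POST" …
```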