authorCaio Carrara <ccarrara@thoughtworks.com>2016-06-27 16:14:27 -0300
committerCaio Carrara <ccarrara@thoughtworks.com>2016-06-27 16:39:55 -0300
commitb5d564b147807f289e07df4fe32b6f417ce90c98 (patch)
tree935122944348f86a03a31990c269009c6abe6a50
parent361796f0ff1eb0f450f768749d5c69f5c4f6b1e4 (diff)
Csrf not being enforced on GET
-rw-r--r--service/pixelated/resources/root_resource.py10
1 files changed, 5 insertions, 5 deletions
diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index 6886dda6..f27138b0 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -66,17 +66,17 @@ class RootResource(BaseResource):
return UnAuthorizedResource()
def _is_xsrf_valid(self, request):
+ get_request = (request.method == 'GET')
+ if get_request:
+ return True
+
xsrf_token = request.getCookie('XSRF-TOKEN')
ajax_request = (request.getHeader('x-requested-with') == 'XMLHttpRequest')
if ajax_request:
- xsrf_header = xsrf_token or request.getHeader('x-xsrf-token')
+ xsrf_header = request.getHeader('x-xsrf-token')
return xsrf_header and xsrf_header == xsrf_token
- get_request = (request.method == 'GET')
- if get_request:
- return True
-
csrf_input = request.args.get('csrftoken', [None])[0] or json.loads(request.content.read()).get('csrftoken', [None])[0]
return csrf_input and csrf_input == xsrf_token