YunoHost/apps
1
0
Fork 0
mirror of https://github.com/YunoHost/apps.git synced 2024-09-03 20:06:07 +02:00
Code Projects Activity

appstore: add CSRF token for wishlist_add form

Browse source
This commit is contained in:
Alexandre Aubin 2023-09-19 17:02:56 +02:00
parent c6889e4b01
commit 846d3d096f
2 changed files with 36 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
store/app.py
View file

@ -5,6 +5,7 @@ import base64
import hashlib import hashlib
import hmac import hmac
import os import os
import string
import random import random
import urllib import urllib
import json import json
@ -186,6 +187,22 @@ def add_to_wishlist():
"wishlist_add.html", "wishlist_add.html",
locale=get_locale(), locale=get_locale(),
user=session.get("user", {}), user=session.get("user", {}),
csrf_token=None,
successmsg=None,
errormsg=errormsg,
)
csrf_token = request.form["csrf_token"]
print(csrf_token)
print(session.get("csrf_token"))
if csrf_token != session.get("csrf_token"):
errormsg = _("Invalid CSRF token, please refresh the form and try again")
return render_template(
"wishlist_add.html",
locale=get_locale(),
user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None, successmsg=None,
errormsg=errormsg, errormsg=errormsg,
) )
@ -227,6 +244,7 @@ def add_to_wishlist():
"wishlist_add.html", "wishlist_add.html",
locale=get_locale(), locale=get_locale(),
user=session.get("user", {}), user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None, successmsg=None,
errormsg=errormsg, errormsg=errormsg,
) )
@ -247,6 +265,7 @@ def add_to_wishlist():
"wishlist_add.html", "wishlist_add.html",
locale=get_locale(), locale=get_locale(),
user=session.get("user", {}), user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None, successmsg=None,
errormsg=_( errormsg=_(
"An entry with the name %(slug) already exists in the wishlist", "An entry with the name %(slug) already exists in the wishlist",
@ -280,6 +299,7 @@ def add_to_wishlist():
"wishlist_add.html", "wishlist_add.html",
locale=get_locale(), locale=get_locale(),
user=session.get("user", {}), user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None, successmsg=None,
errormsg=errormsg, errormsg=errormsg,
) )
@ -328,10 +348,14 @@ Proposed by **{session['user']['username']}**
successmsg=successmsg, successmsg=successmsg,
) )
else: else:
letters = string.ascii_lowercase + string.digits
csrf_token = ''.join(random.choice(letters) for i in range(16))
session["csrf_token"] = csrf_token
return render_template( return render_template(
"wishlist_add.html", "wishlist_add.html",
locale=get_locale(), locale=get_locale(),
user=session.get("user", {}), user=session.get("user", {}),
csrf_token=csrf_token,
successmsg=None, successmsg=None,
errormsg=None, errormsg=None,
) )

4
store/templates/wishlist_add.html
View file

@ -50,7 +50,9 @@
</div> </div>
{% endif %} {% endif %}
<form method="POST" action="{{ url_for('add_to_wishlist') }}" class="mt-8 mb-8" > <form method="POST" action="{{ url_for('add_to_wishlist') }}" class="my-8" >
<input name="csrf_token" type="text" class="hidden" value="{{ csrf_token }}" >
<label for="name" class="mt-5 block font-bold text-gray-700">{{ _("Name") }}</label> <label for="name" class="mt-5 block font-bold text-gray-700">{{ _("Name") }}</label>
<input name="name" type="text" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" maxlength="30" required onkeyup="this.value = this.value.replace(/[^a-zA-Z0-9.-\\(\\)\\ ]/, '')" > <input name="name" type="text" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" maxlength="30" required onkeyup="this.value = this.value.replace(/[^a-zA-Z0-9.-\\(\\)\\ ]/, '')" >