mirror of
https://github.com/YunoHost/apps.git
synced 2024-09-03 20:06:07 +02:00
appstore: add CSRF token for wishlist_add form
This commit is contained in:
Alexandre Aubin
parent
c6889e4b01
commit
846d3d096f
2 changed files with 36 additions and 10 deletions
24
store/app.py
24
store/app.py
|
|
@ -5,6 +5,7 @@ import base64
|
|||
import hashlib
|
||||
import hmac
|
||||
import os
|
||||
import string
|
||||
import random
|
||||
import urllib
|
||||
import json
|
||||
|
|
@ -186,6 +187,22 @@ def add_to_wishlist():
|
|||
"wishlist_add.html",
|
||||
locale=get_locale(),
|
||||
user=session.get("user", {}),
|
||||
csrf_token=None,
|
||||
successmsg=None,
|
||||
errormsg=errormsg,
|
||||
)
|
||||
|
||||
csrf_token = request.form["csrf_token"]
|
||||
print(csrf_token)
|
||||
print(session.get("csrf_token"))
|
||||
|
||||
if csrf_token != session.get("csrf_token"):
|
||||
errormsg = _("Invalid CSRF token, please refresh the form and try again")
|
||||
return render_template(
|
||||
"wishlist_add.html",
|
||||
locale=get_locale(),
|
||||
user=session.get("user", {}),
|
||||
csrf_token=csrf_token,
|
||||
successmsg=None,
|
||||
errormsg=errormsg,
|
||||
)
|
||||
|
|
@ -227,6 +244,7 @@ def add_to_wishlist():
|
|||
"wishlist_add.html",
|
||||
locale=get_locale(),
|
||||
user=session.get("user", {}),
|
||||
csrf_token=csrf_token,
|
||||
successmsg=None,
|
||||
errormsg=errormsg,
|
||||
)
|
||||
|
|
@ -247,6 +265,7 @@ def add_to_wishlist():
|
|||
"wishlist_add.html",
|
||||
locale=get_locale(),
|
||||
user=session.get("user", {}),
|
||||
csrf_token=csrf_token,
|
||||
successmsg=None,
|
||||
errormsg=_(
|
||||
"An entry with the name %(slug) already exists in the wishlist",
|
||||
|
|
@ -280,6 +299,7 @@ def add_to_wishlist():
|
|||
"wishlist_add.html",
|
||||
locale=get_locale(),
|
||||
user=session.get("user", {}),
|
||||
csrf_token=csrf_token,
|
||||
successmsg=None,
|
||||
errormsg=errormsg,
|
||||
)
|
||||
|
|
@ -328,10 +348,14 @@ Proposed by **{session['user']['username']}**
|
|||
successmsg=successmsg,
|
||||
)
|
||||
else:
|
||||
letters = string.ascii_lowercase + string.digits
|
||||
csrf_token = ''.join(random.choice(letters) for i in range(16))
|
||||
session["csrf_token"] = csrf_token
|
||||
return render_template(
|
||||
"wishlist_add.html",
|
||||
locale=get_locale(),
|
||||
user=session.get("user", {}),
|
||||
csrf_token=csrf_token,
|
||||
successmsg=None,
|
||||
errormsg=None,
|
||||
)
|
||||
|
|
|
|||
|
|
@ -50,7 +50,9 @@
|
|||
</div>
|
||||
{% endif %}
|
||||
|
||||
<form method="POST" action="{{ url_for('add_to_wishlist') }}" class="mt-8 mb-8" >
|
||||
<form method="POST" action="{{ url_for('add_to_wishlist') }}" class="my-8" >
|
||||
|
||||
<input name="csrf_token" type="text" class="hidden" value="{{ csrf_token }}" >
|
||||
|
||||
<label for="name" class="mt-5 block font-bold text-gray-700">{{ _("Name") }}</label>
|
||||
<input name="name" type="text" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" maxlength="30" required onkeyup="this.value = this.value.replace(/[^a-zA-Z0-9.-\\(\\)\\ ]/, '')" >
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue