Skip to content

Commit

Permalink
加强CSRF防御
Browse files Browse the repository at this point in the history
  • Loading branch information
showpy committed Jul 6, 2019
1 parent 7e581cf commit 39776be
Show file tree
Hide file tree
Showing 5 changed files with 47 additions and 10 deletions.
23 changes: 15 additions & 8 deletions BTPanel/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -178,9 +178,9 @@ def is_login(result):
if 'login' in session:
if session['login'] == True:
result = make_response(result)
request_token = public.md5(app.secret_key + str(time.time()))
request_token = public.GetRandomString(48)
session['request_token'] = request_token
result.set_cookie('request_token',request_token,httponly=True,max_age=86400*30)
result.set_cookie('request_token',request_token,max_age=86400*30)
return result

@app.route('/site',methods=method_all)
Expand Down Expand Up @@ -987,14 +987,19 @@ def websocket_test(data):
if not hasattr(pdata,'s_response'): pdata.s_response = 'response'
emit(pdata.s_response,{'data':result})

def check_csrf():
request_token = request.cookies.get('request_token')
if session['request_token'] != request_token: return False
http_token = request.headers.get('x-http-token')
if not http_token: return False
if http_token != session['request_token_head']: return False
cookie_token = request.headers.get('x-cookie-token')
if cookie_token != session['request_token']: return False
return True

def publicObject(toObject,defs,action=None,get = None):
if 'request_token' in session and 'login' in session:
request_token = request.cookies.get('request_token')
if session['request_token'] != request_token:
if session['login'] != False:
session['login'] = False;
cache.set('dologin',True)
return redirect('/login')
if not check_csrf(): return public.ReturnJson(False,'Csrf-Token error.'),json_header

if not get: get = get_input()
if action: get.action = action
Expand All @@ -1021,6 +1026,8 @@ def check_login():
if cache.get('dologin'): return False
if 'login' in session:
loginStatus = session['login']
if loginStatus:
if not check_csrf(): return False
return loginStatus
return False

Expand Down
17 changes: 17 additions & 0 deletions BTPanel/static/js/public.js
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,23 @@ $(document).ready(function() {
});
});

var my_headers = {};
var request_token_ele = document.getElementById("request_token_head");
if (request_token_ele) {
var request_token = request_token_ele.getAttribute('token');
if (request_token) {
my_headers['x-http-token'] = request_token
}
}
request_token_cookie = getCookie('request_token');
if (request_token_cookie) {
my_headers['x-cookie-token'] = request_token_cookie
}

if (my_headers) {
$.ajaxSetup({ headers: my_headers });
}

function RandomStrPwd(b) {
b = b || 32;
var c = "AaBbCcDdEeFfGHhiJjKkLMmNnPpRSrTsWtXwYxZyz2345678";
Expand Down
7 changes: 5 additions & 2 deletions BTPanel/templates/default/layout.html
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@
<body>
<div class="bt-warp bge6">
<div class="top-tips">当前IE浏览器版本过低,部分功能无法展示,请更换至其他浏览器,国产浏览器请使用极速模式!</div>
<a style="display:none;" id="request_token_head" token="{{session['request_token_head']}}"></a>
<div id="container" class="container-fluid {% if 'tmp_login' in session %}group-control{% endif %}">
<div class="sidebar-scroll{% if 'tmp_login' in session %}-panel{% endif %}">
<div class="sidebar-auto">
Expand Down Expand Up @@ -88,7 +89,7 @@ <h3 class="mypcip"><span class="f14 cw">{{session['address']}}</span></h3>
<script src="/static/build/addons/search/search.js"></script>
<script src="/static/build/addons/winptyCompat/winptyCompat.js"></script>
<script type="text/javascript" src="/static/js/clipboard.min.js"></script>
<script src="/static/js/public.js?version={{g['version']}}"></script>
<script src="/static/js/public.js?v={{g['version']}}"></script>
<script src="/static/js/public_backup.js?version={{g['version']}}"></script>
<script src="/static/js/bt_upload.js?version={{g['version']}}"></script>
{% block content %}{% endblock %}
Expand All @@ -97,7 +98,7 @@ <h3 class="mypcip"><span class="f14 cw">{{session['address']}}</span></h3>
</div>
</body>
</html>
<script type="text/javascript">
<script type="text/javascript">
if (navigator.appName == "Microsoft Internet Explorer" && parseInt(navigator.appVersion.split(";")[1].replace(/[ ]/g, "").replace("MSIE", "")) < 9) {
$(".main-content").css("margin-top", "50px");
$('.top-tips').show();
Expand Down Expand Up @@ -132,6 +133,8 @@ <h3 class="mypcip"><span class="f14 cw">{{session['address']}}</span></h3>
}
return;
}

console.log(task_list.length)
var msg_body = '';
var is_add = false;
for (var i = 0; i < task_list.length; i++) {
Expand Down
5 changes: 5 additions & 0 deletions class/userlogin.py
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ def request_post(self,post):
cache.delete('dologin')
sess_input_path = 'data/session_last.pl'
public.writeFile(sess_input_path,str(int(time.time())))
self.set_request_token()
return public.returnJson(True,'LOGIN_SUCCESS'),json_header
except Exception as ex:
stringEx = str(ex)
Expand Down Expand Up @@ -115,6 +116,10 @@ def request_get(self,get):
session['code'] = False
self.error_num(False)

#生成request_token
def set_request_token(self):
session['request_token_head'] = public.GetRandomString(48)

#防暴破
def error_num(self,s = True):
nKey = 'panelNum'
Expand Down
5 changes: 5 additions & 0 deletions init.sh
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,11 @@ py26=$(python -V 2>&1|grep '2.6.')
if [ "$py26" != "" ];then
pythonV=python3
fi
env_path=$panel_path/env/bin/activate
if [ -f $env_path ];then
source $env_path
fi

panel_start()
{
isStart=`ps aux|grep 'runserver:app'|grep -v grep|awk '{print $2}'`
Expand Down

0 comments on commit 39776be

Please sign in to comment.