From 86d57ed67aafa6543d97bd60b0a17563623fd340 Mon Sep 17 00:00:00 2001 From: "bt.cn" <287962566@qq.com> Date: Sat, 6 Jul 2019 18:46:54 +0800 Subject: [PATCH] =?UTF-8?q?=E5=8A=A0=E5=BC=BACSRF=E9=98=B2=E5=BE=A1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- BTPanel/__init__.py | 23 +++++++++++++++-------- BTPanel/static/js/public.js | 17 +++++++++++++++++ BTPanel/templates/default/layout.html | 7 +++++-- class/userlogin.py | 5 +++++ init.sh | 5 +++++ 5 files changed, 47 insertions(+), 10 deletions(-) diff --git a/BTPanel/__init__.py b/BTPanel/__init__.py index 20629923..e0a393e9 100644 --- a/BTPanel/__init__.py +++ b/BTPanel/__init__.py @@ -178,9 +178,9 @@ def is_login(result): if 'login' in session: if session['login'] == True: result = make_response(result) - request_token = public.md5(app.secret_key + str(time.time())) + request_token = public.GetRandomString(48) session['request_token'] = request_token - result.set_cookie('request_token',request_token,httponly=True,max_age=86400*30) + result.set_cookie('request_token',request_token,max_age=86400*30) return result @app.route('/site',methods=method_all) 
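Review bot: `request_token` is regenerated and re-set on every response that passes through `is_login`, while the new public.js (hunk at `@@ -4,6 +4,23 @@`) reads the cookie once at script load and sends that value as `x-cookie-token` for the rest of the page's life; if `is_login` wraps every logged-in response (its callers are outside the hunk), the header goes stale after the first API reply and `check_csrf` will reject subsequent requests from that page, and a second tab would invalidate the first. Generating the token once per session, `if 'request_token' not in session:`, or having the client re-read the cookie per request would keep the two in step. Dropping `httponly=True` is needed for the script to read the cookie, but it also means any script injected into the panel can read the CSRF token; the `secure=True` flag is also absent, which matters if the panel is served over HTTPS. The hunk relies on `public.GetRandomString(48)` drawing from a CSPRNG (`os.urandom`/`secrets`), which is worth confirming since that helper is not visible here.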
@@ -987,14 +987,19 @@ def websocket_test(data): if not hasattr(pdata,'s_response'): pdata.s_response = 'response' emit(pdata.s_response,{'data':result}) +def check_csrf(): + request_token = request.cookies.get('request_token') + if session['request_token'] != request_token: return False + http_token = request.headers.get('x-http-token') + if not http_token: return False + if http_token != session['request_token_head']: return False + cookie_token = request.headers.get('x-cookie-token') + if cookie_token != session['request_token']: return False + return True + def publicObject(toObject,defs,action=None,get = None): if 'request_token' in session and 'login' in session: - request_token = request.cookies.get('request_token') - if session['request_token'] != request_token: - if session['login'] != False: - session['login'] = False; - cache.set('dologin',True) - return redirect('/login') + if not check_csrf(): return public.ReturnJson(False,'Csrf-Token error.'),json_header if not get: get = get_input() if action: get.action = action @@ -1021,6 +1026,8 @@ def check_login(): if cache.get('dologin'): return False if 'login' in session: loginStatus = session['login'] + if loginStatus: + if not check_csrf(): return False return loginStatus return False diff --git a/BTPanel/static/js/public.js b/BTPanel/static/js/public.js index 1edc24b3..311123ba 100644 --- a/BTPanel/static/js/public.js +++ b/BTPanel/static/js/public.js 
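Review bot: `check_csrf` indexes `session['request_token']` and `session['request_token_head']` directly, so a logged-in session that lacks either key (the head token is set outside this file, presumably in class/userlogin.py, and `check_login` in the next hunk calls `check_csrf` without the `'request_token' in session` guard that `publicObject` has) raises `KeyError` and surfaces as a 500 instead of a clean rejection. The token comparisons are also plain `!=`; `hmac.compare_digest` is the usual choice for secret tokens. Reading the session values with `session.get` and comparing with `compare_digest` addresses both; this needs `import hmac` in the file's import block, which is outside the hunk.
```python
def check_csrf():
    """Return True only when the cookie, header and session tokens all agree."""
    session_token = session.get('request_token')
    head_token = session.get('request_token_head')
    if not session_token or not head_token:
        return False
    cookie_token = request.cookies.get('request_token', '')
    http_token = request.headers.get('x-http-token', '')
    header_cookie_token = request.headers.get('x-cookie-token', '')
    # compare_digest runs in constant time; str() keeps both sides the same type.
    return (hmac.compare_digest(str(cookie_token), str(session_token))
            and hmac.compare_digest(str(http_token), str(head_token))
            and hmac.compare_digest(str(header_cookie_token), str(session_token)))
```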
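Review bot: The new `check_csrf()` call in `check_login` runs for every request with a logged-in session regardless of HTTP method, yet the `x-http-token` and `x-cookie-token` headers are only attached by jQuery's `ajaxSetup`; any request that is not a jQuery XHR — a plain navigation, a form submit, a download link — would be reported as logged out if it passes through `check_login` (its callers are outside the hunk). If that is the case, scoping the check to unsafe methods, `if loginStatus and request.method not in ('GET', 'HEAD') and not check_csrf(): return False`, is the conventional split, provided nothing state-changing is reachable over GET. Either way the nested `if loginStatus:` / `if not check_csrf():` pair collapses into one condition.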
@@ -4,6 +4,23 @@ $(document).ready(function() { }); }); +var my_headers = {}; +var request_token_ele = document.getElementById("request_token_head"); +if (request_token_ele) { + var request_token = request_token_ele.getAttribute('token'); + if (request_token) { + my_headers['x-http-token'] = request_token + } +} +request_token_cookie = getCookie('request_token'); +if (request_token_cookie) { + my_headers['x-cookie-token'] = request_token_cookie +} + +if (my_headers) { + $.ajaxSetup({ headers: my_headers }); +} + function RandomStrPwd(b) { b = b || 32; var c = "AaBbCcDdEeFfGHhiJjKkLMmNnPpRSrTsWtXwYxZyz2345678"; diff --git a/BTPanel/templates/default/layout.html b/BTPanel/templates/default/layout.html index 6abbe4f1..4c934cdb 100644 --- a/BTPanel/templates/default/layout.html +++ b/BTPanel/templates/default/layout.html @@ -34,6 +34,7 @@
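Review bot: `$.ajaxSetup({ headers: my_headers })` attaches `x-http-token` and `x-cookie-token` to every jQuery request, including any cross-origin URL the panel's scripts call, so the CSRF tokens would be handed to a third-party host if such calls exist (none are visible in the hunk). A `beforeSend` hook that skips cross-domain requests keeps the tokens on the panel's own origin. Two smaller things in the same block: `request_token_cookie = getCookie('request_token');` is missing `var` and becomes an implicit global, and `if (my_headers)` is always true for an object literal, so the guard does nothing — `Object.keys(my_headers).length` tests what was intended. The `my_headers['x-http-token'] = request_token` line also lacks a semicolon.
```javascript
var my_headers = {};
// … unchanged: reading the token attribute from #request_token_head …
var request_token_cookie = getCookie('request_token');
if (request_token_cookie) {
    my_headers['x-cookie-token'] = request_token_cookie;
}

if (Object.keys(my_headers).length) {
    $.ajaxSetup({
        beforeSend: function (xhr, settings) {
            // Never send the panel's CSRF tokens to another origin.
            if (settings.crossDomain) { return; }
            for (var name in my_headers) {
                xhr.setRequestHeader(name, my_headers[name]);
            }
        }
    });
}
```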