g!LdZddlZddlZddlmZddlmZddlmZddl m Z m Z ddl m Z mZddlmZdd lmZdd lmZmZdd lmZdd lmZdd lmZddlmZddlmZej@dZ!edZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,de,zZ-ej\ej^zZ0dZ1dZ2dZ3d Z4d!Z5d"Z6d#Z7d$Z8Gd%d&e9Z:d'Z;d(Z<Gd)d*e9Z=Gd+d,eZ>y)-z Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. N) defaultdicturlparse)settings)DisallowedHostImproperlyConfigured) HttpHeadersUnreadablePostError) get_callable)patch_vary_headers)constant_time_compareget_random_string)MiddlewareMixin)cached_propertyis_same_domain) log_response)_lazy_re_compilezdjango.security.csrfz [^a-zA-Z0-9]z?Origin checking failed - %s does not match any trusted origins.z%Referer checking failed - no Referer.z@Referer checking failed - %s does not match any trusted origins.zCSRF cookie not set.zCSRF token missing.z/Referer checking failed - Referer is malformed.zCReferer checking failed - Referer is insecure while host is secure.zhas incorrect lengthzhas invalid characters  _csrftokenc4ttjS)z/Return the view to be used for CSRF rejections.)r rCSRF_FAILURE_VIEWn/var/www/python.vincentserveurtest.ovh/public_html/venv/lib/python3.12/site-packages/django/middleware/csrf.py_get_failure_viewr2s 22 33rc,tttS)N) allowed_chars)rCSRF_SECRET_LENGTHCSRF_ALLOWED_CHARSrrr_get_new_csrf_stringr"7s /?Q RRrct}ttfd|Dfd|D}djfd|D}||zS)z Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret. c3@K|]}j|ywNindex.0xcharss r z&_mask_cipher_secret..Bs0AQc3@K|]}j|ywr%r&r(s rr,z&_mask_cipher_secret..Bs2P4a5;;q>4r-c3LK|]\}}||ztzywr%)lenr)r*yr+s rr,z&_mask_cipher_secret..Cs(CUTQUAESZ/0Us!$)r"r!zipjoin)secretmaskpairscipherr+s @r_mask_cipher_secretr:;sH !D E 002P42P QE WWCUC CF &=rc|dt}|td}ttfd|Dfd|D}djfd|DS)z Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret. Nc3@K|]}j|ywr%r&r(s rr,z'_unmask_cipher_token..Ps/AQr-c3@K|]}j|ywr%r&r(s rr,z'_unmask_cipher_token..Ps1O$Q%++a.$r-r/c34K|]\}}||z ywr%rr2s rr,z'_unmask_cipher_token..Qs2EDAq5Q.s$ 7f} V 7srm)rlistrrnschemeappendrorp)rTallowed_origin_subdomainsparseds rr{z,CsrfViewMiddleware.allowed_origin_subdomainssZ %0$5! "77 F &fmm 4 ; ;FMM  LL  rcLtjr! |jjt}n) |jtj}t||yt|tk(r t|}|S#t $r t dwxYw#t$rd}YGwxYw)a Return the CSRF secret originally associated with the request, or None if it didn't have one. If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if the request's secret has invalid characters or an invalid length. zCSRF_USE_SESSIONS is enabled, but request.session is not set. SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.N)rCSRF_USE_SESSIONSsessiongetCSRF_SESSION_KEYAttributeErrorrCOOKIESCSRF_COOKIE_NAMErbKeyErrorr1r]r@rTrGrHs r _get_secretzCsrfViewMiddleware._get_secrets  % % %oo112BC  1%ooh.G.GH $K0   { 0 0.{;K'" *%  #"  #sA=B=B B#"B#c tjrQ|jjt|j dk7r!|j d|jt<yy|j tj|j dtjtjtjtjtjtjt|dy)NrB)max_agedomainrsecurehttponlysamesite)Cookie)rrrrrrD set_cookierCSRF_COOKIE_AGECSRF_COOKIE_DOMAINCSRF_COOKIE_PATHCSRF_COOKIE_SECURECSRF_COOKIE_HTTPONLYCSRF_COOKIE_SAMESITEr rTrGrs r_set_csrf_cookiez#CsrfViewMiddleware._set_csrf_cookies  % %""#34 ]8SS4;LL4O 01T   )) ]+ 0022..22!66!66  x 5rc|jd} |j}|jrdndd|}||k(ry||jvry t |}|j}|jtfd|jj|dDS#t$rYlwxYw#t $rYywxYw) N HTTP_ORIGINhttpshttpz://TFc36K|]}t|ywr%r)r)hostrequest_netlocs rr,z6CsrfViewMiddleware._origin_verified..$s  N >4 0Nsr) rDget_host is_securerrur ValueErrorryroanyr{r)rTrGrequest_origin good_host good_origin parsed_originrequest_schemers @r_origin_verifiedz#CsrfViewMiddleware._origin_verifieds m4 ((*I #,,.F:K, T77 7 $^4M'--&-- 66::>2N   #     s#B" B1" B.-B.1 B=<B=c|jjdtt t djjfvrtt jdk7rtttfd|jDrytjrtjntj}| |j!}n|j)}|dvr|d|}t+j|s tt$j'zy#t $rtt wxYw#t"$r!tt$j'zwxYw)N HTTP_REFERERr/rc3JK|]}tj|ywr%)rro)r)rreferers rr,z4CsrfViewMiddleware._check_referer..;s$ 7 7>>4 07s #)44380:)rDrrgREASON_NO_REFERERrrREASON_MALFORMED_REFERERryroREASON_INSECURE_REFERERrrsrrSESSION_COOKIE_DOMAINrrrREASON_BAD_REFERERgeturlget_portr)rTrG good_referer server_portrs @r_check_refererz!CsrfViewMiddleware._check_referer)si,,"">2 ? 12 2 :w'G '..'..1 1 89 9 >>W $ 78 8  77   ))  * *,,    K&//1 "**,K-/*6 D gnnl; 2W^^5E EF F**73K   56 6  >>V # %,\\%5%56KR%P"  # ? &-\\(2K2K%L"$44L!L (  2 3 !!3[A,,[,GF' 'BU" >,szzl! <= = >'      ?#$=>> ?" (,,SZZFF' ' (sLB>C(C7 D> C%C  C%( C43C47D E'EEc |j|}|||jd<yy#t$rt|YywxYw)NrB)rrDrOrIrs rprocess_requestz"CsrfViewMiddleware.process_requestsM :**73K& /: ]+ '" *  ) *s &==ct|ddryt|ddry|jdvr|j|St|ddr|j|Sd|jvr7|j |sH|j |t |jdzS|jr |j| |j||j|S#t$r&}|j ||jcYd}~Sd}~wwxYw#t$r&}|j ||jcYd}~Sd}~wwxYw)Nr~F csrf_exempt)GETHEADOPTIONSTRACE_dont_enforce_csrf_checksr) getattrrrrDrrREASON_BAD_ORIGINrrrgrRr)rTrGcallback callback_argscallback_kwargsrs r process_viewzCsrfViewMiddleware.process_views2 72E : 8]E 2 >>@ @<<( ( 77 ? <<( ( GLL (((1||.m1LL   $ 9##G, 5   g &||G$$! 9||GSZZ88 9  5<<4 4 5s<0C$D$ D-DDD EE:EEc~|jjdr!|j||d|jd<|S)NrCF)rDrrrs rprocess_responsez#CsrfViewMiddleware.process_responses; <<  6 7  ! !'8 48=GLL3 4rN)rXrYrZ__doc__rrsrur{rrrrrrrrrrrrrrrjrjs  YY ) )  @6$ 4+GZ;2(h :7%r rrj)?rloggingstring collectionsr urllib.parser django.confrdjango.core.exceptionsrr django.httpr r django.urlsr django.utils.cacher django.utils.cryptor rdjango.utils.deprecationrdjango.utils.functionalrdjango.utils.httprdjango.utils.logrdjango.utils.regex_helperr getLoggerrr_rrrrrrrr^rar r] ascii_lettersdigitsr!rrr"r:r@rIrKrM ExceptionrOrbrergrjrrrrs #! G8$1H43,)6   1 2).9U;W.1LI 14**))FMM94 S  3 ,*" <B"I ~~r