Django 1.10: Compare CSRF tokens after unsalting them.

For reference: https://docs.djangoproject.com/en/1.10/ref/csrf/#how-it-works
This commit is contained in:
Umair Khan 2016-11-15 14:21:11 +05:00 committed by Tim Abbott
parent 29254142f6
commit 2314adc4fc
1 changed files with 8 additions and 1 deletions


@ -6,6 +6,13 @@ from typing import Any, Union, Mapping, Optional
from django.conf import settings
from django.utils import timezone
from django.contrib.sessions.models import Session as djSession
try:
from django.middleware.csrf import _compare_salted_tokens
except ImportError:
# This function was added in Django 1.10.
def _compare_salted_tokens(token1, token2):
# type: (str, str) -> bool
return token1 == token2
import sockjs.tornado
from sockjs.tornado.session import ConnectionInfo
@ -126,7 +133,7 @@ class SocketConnection(sockjs.tornado.SockJSConnection):
raise SocketAuthError('Unknown or missing session')
self.session.user_profile = user_profile
if msg['request']['csrf_token'] != self.csrf_token:
if not _compare_salted_tokens(msg['request']['csrf_token'], self.csrf_token):
raise SocketAuthError('CSRF token does not match that in cookie')
if 'queue_id' not in msg['request']:
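Review bot: The new comparison on the `if not _compare_salted_tokens(...)` line hands the raw client-supplied `msg['request']['csrf_token']` straight to Django's helper, which as far as I recall is documented to assume both arguments are already sanitized (a string of CSRF_ALLOWED_CHARS of the expected length), so a token containing any other character, or a non-string JSON value, would surface as an uncaught ValueError/TypeError instead of the `SocketAuthError` this branch is meant to raise. I would validate the client token first — reject anything that is not a string of the allowed alphabet and expected length with `raise SocketAuthError('Malformed CSRF token')` — or run it through Django's own `_sanitize_token` before comparing. The pre-1.10 fallback in the first hunk also compares with plain `==`, which is not constant-time even though Django's own middleware used `constant_time_compare` for this check; `from django.utils.crypto import constant_time_compare` and `return constant_time_compare(token1, token2)` keep the fallback on par. Both `_compare_salted_tokens` and `_sanitize_token` are underscore-private, so the import is tied to a specific Django version and deserves a comment saying so. The enclosing method starts before and continues after the second hunk.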