On Tue, Oct 4, 2011 at 12:56 AM, Robert Forkel <[email protected]> wrote:
> I do think checking the CSRF token is some kind of validation; at
> least for some of my apps there are parts of validating a form which
> check the authorization of the request.
>
I'm not sure that this is "best practice", but I found it very convenient to
use events/subscribers to get this check out of my way in my views
(this sits near my configuration code):
import logging

from pyramid.events import NewRequest
from pyramid.httpexceptions import HTTPForbidden

log = logging.getLogger(__name__)


def check_csrf(request):
    """For any request that has a POST body, make sure the CSRF token is valid."""
    token = request.session.get_csrf_token()
    if 'csrf' in request.POST and request.POST.get('csrf') == token:
        log.debug("CSRF in POST matches session token")
        return True
    else:
        log.warning("Form POST without CSRF! %s from %s",
                    request.url, request.remote_addr)
        return False


def check_request_for_csrf(event):
    # Only requests that actually carry form data are checked; a request
    # whose body is not form-encoded (e.g. JSON) has an empty request.POST.
    if event.request.POST and not check_csrf(event.request):
        raise HTTPForbidden("Token mismatch; bad request")


# 'config' is the Configurator instance from the application's main().
config.add_subscriber(check_request_for_csrf, NewRequest)
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en.
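A fuller version of the subscriber-based check above, written as an added example rather than the poster's own code. It goes beyond the post in three ways: it gates on the HTTP method (POST, PUT, PATCH, DELETE) instead of on whether request.POST is non-empty, so a state-changing request with a JSON or empty body is still rejected; it also accepts the token from a request header so XHR clients can be covered; and it compares tokens with hmac.compare_digest. The form field name "csrf", the header name "X-CSRF-Token", the includeme() hook and the FakeRequest/FakeSession stand-ins are assumptions made for this example; only the Pyramid calls (NewRequest, HTTPForbidden, config.add_subscriber, session.get_csrf_token) are the real API.

```python
import hmac
import logging

log = logging.getLogger(__name__)

# HTTP methods that may change server state; only these need a CSRF token.
# GET/HEAD/OPTIONS are left alone, so the check never breaks plain page loads.
UNSAFE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})

# Assumed names for the form field and the request header the token is read from.
CSRF_FIELD = "csrf"
CSRF_HEADER = "X-CSRF-Token"


class CSRFTokenError(Exception):
    """Raised when a state-changing request carries no valid CSRF token."""


def csrf_token_valid(submitted, expected):
    """Constant-time comparison so the check leaks no timing information."""
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8"))


def submitted_token(request):
    """Token from the form field first, then from the header; the header path
    covers XHR/JSON requests, where request.POST is empty."""
    return request.POST.get(CSRF_FIELD) or request.headers.get(CSRF_HEADER)


def check_request_for_csrf(request):
    """Raise CSRFTokenError unless the request is safe or carries a valid token."""
    if request.method.upper() not in UNSAFE_METHODS:
        return
    expected = request.session.get_csrf_token()
    if not csrf_token_valid(submitted_token(request), expected):
        log.warning("%s without valid CSRF token: %s from %s",
                    request.method, request.url, request.remote_addr)
        raise CSRFTokenError("Token mismatch; bad request")
    log.debug("CSRF token matches session token")


def request_allowed(request):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        check_request_for_csrf(request)
    except CSRFTokenError:
        return False
    return True


def includeme(config):
    """Assumed Pyramid hook: config.include('this.module') wires the check as a
    NewRequest subscriber, as the post does. Imported lazily so the rest of
    this file runs without Pyramid installed."""
    from pyramid.events import NewRequest
    from pyramid.httpexceptions import HTTPForbidden

    def subscriber(event):
        try:
            check_request_for_csrf(event.request)
        except CSRFTokenError as exc:
            raise HTTPForbidden(str(exc))

    config.add_subscriber(subscriber, NewRequest)


# Constructed stand-ins for request/session, used to exercise the check offline.
class FakeSession:
    def __init__(self, token):
        self._token = token

    def get_csrf_token(self):
        return self._token


class FakeRequest:
    """Mimics just the pieces of pyramid.request.Request the check touches."""
    def __init__(self, method, post=None, headers=None, session_token="s3cret-token"):
        self.method = method
        self.POST = dict(post or {})
        self.headers = dict(headers or {})
        self.session = FakeSession(session_token)
        self.url = "http://example.test/form"
        self.remote_addr = "192.0.2.10"


if __name__ == "__main__":
    cases = {
        "GET without token": FakeRequest("GET"),
        "POST with matching token": FakeRequest("POST", post={"csrf": "s3cret-token"}),
        "POST with wrong token": FakeRequest("POST", post={"csrf": "guess"}),
        "POST with JSON body, no token": FakeRequest("POST"),
        "PUT with header token": FakeRequest("PUT", headers={"X-CSRF-Token": "s3cret-token"}),
    }
    for name, req in cases.items():
        print(f"{name}: {'allowed' if request_allowed(req) else 'rejected'}")
```

The "POST with JSON body, no token" case is the one the post's `if event.request.POST` guard would have let through, since a non-form body leaves request.POST empty; gating on the method instead closes that gap. The FakeRequest looks headers up case-sensitively, unlike Pyramid's real headers object, which is enough for the demonstration.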