OK, I've been able to nail it down on a simple example: depending on the CSRF storage policy I use, "request.session.get_csrf_token()" (called from Python or a template) and "get_csrf_token()" (called from a template) return the same value *or not*.

- no storage policy => ok
- LegacySessionCSRFStoragePolicy => ok
- CookieCSRFStoragePolicy => ko

I'm attaching my example, I called it "onefile.py", although I needed two files actually (one Python file + one Mako template). Sorry ;)

On Wed, 28 Apr 2021 at 22:32, Laurent Daverio <[email protected]> wrote:
>
> Thank you Steve. I'll have to think about it, not that the code is
> secret, just a matter of knowing what to post to be relevant.
>
> On Wed, 28 Apr 2021 at 22:10, Steve Piercy
> <[email protected]> wrote:
> >
> > It's difficult to say without your example. I've been using CSRF as shown
> > in the Deform demo without any issues.
> >
> > --steve
> >
> >
> > On 4/28/21 10:32 AM, Laurent Daverio wrote:
> > > Hello List,
> > >
> > > I'd like to report a problem I've just encountered, occurring between
> > > Pyramid's CSRF protection and Deform.
> > >
> > > Basically, I have a Pyramid 2.0 web app configured along the lines of
> > > the "URL dispatch wiki tutorial"
> > > (https://docs.pylonsproject.org/projects/pyramid/en/2.0-branch/tutorials/wiki2/authentication.html),
> > > with some Deform forms in it.
> > >
> > > The Deform Demo
> > > (https://deformdemo.pylonsproject.org/pyramid_csrf_demo/) shows how to
> > > use a deferred value to create a hidden field "csrf_token" in the
> > > generated forms.
> > >
> > > But there's a problem: the token generated that way doesn't have the
> > > same value as when I directly call get_csrf_token() in a template.
> > >
> > > As I don't have the time/energy to fully investigate the problem right
> > > now, I think I will just use a workaround: as I'm using Diazo as a
> > > theming engine (awesome tech, btw), I think I will add a rule to
> > > inject the token into every form. Should work.
> > >
> > > Still, I wanted to take the time to report the problem, in case it
> > > could be useful.
> > >
> > > Laurent.

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAB7cU6zNrhyPN%3DdQxkrTp3S%3DvkwYQ8%2BhottYXOSOHRKjz7078A%40mail.gmail.com.
onefile.py:

from wsgiref.simple_server import make_server

from pyramid.config import Configurator
from pyramid.csrf import CookieCSRFStoragePolicy, LegacySessionCSRFStoragePolicy
from pyramid.renderers import render_to_response
from pyramid.session import SignedCookieSessionFactory


def hello_world(request):
    # The token as the *session* sees it; compare it with the value that
    # get_csrf_token() produces inside onefile.mako.
    print(request.session.get_csrf_token())
    return render_to_response('onefile.mako', {}, request)


if __name__ == '__main__':
    my_session_factory = SignedCookieSessionFactory('itsaseekreet')
    with Configurator() as config:
        settings = config.get_settings()
        config.set_session_factory(my_session_factory)
        config.include('pyramid_mako')
        # >>> Enable one storage policy below, or none <<<
        #config.set_csrf_storage_policy(LegacySessionCSRFStoragePolicy())
        config.set_csrf_storage_policy(CookieCSRFStoragePolicy())
        # Every non-safe request must carry a token matching the active policy.
        config.set_default_csrf_options(require_csrf=True)
        config.add_route('hello', '/')
        config.add_view(hello_world, route_name='hello')
        app = config.make_wsgi_app()
    server = make_server('0.0.0.0', 6543, app)
    server.serve_forever()
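The three results above follow from where each call looks for the token. `pyramid.csrf.get_csrf_token(request)` (the function a template or a Deform deferred imports) asks the registered CSRF storage policy; `request.session.get_csrf_token()` asks the session object directly. `LegacySessionCSRFStoragePolicy`, which is also the fallback when no policy is registered, simply delegates to the session, so both calls agree. `CookieCSRFStoragePolicy` keeps its token in a separate `csrf_token` cookie and never consults the session, so the two values are independent, and because `require_csrf=True` validates against the policy's token, a form whose hidden field was filled from `request.session.get_csrf_token()` is rejected under that policy. The following is an added example written for this thread, not Pyramid's code: it is a toy model of the two policies and of `get_csrf_token`/`check_csrf_token` (the `Session`, `Request`, and `registry` dict are stand-ins, and the cookie is recorded rather than emitted as a Set-Cookie header) that reproduces the ok/ok/ko pattern and shows which token source survives a POST.

```python
"""Toy model of Pyramid's CSRF storage policies (not Pyramid's own code).

Names mirror pyramid.csrf so the mapping is obvious; Session, Request and the
registry dict are simplified stand-ins built for this example.
"""
import hmac
import uuid


class Session(dict):
    """Stand-in for a SignedCookieSessionFactory session: the CSRF token is
    stored *inside the session data* under the key '_csrft_'."""

    def new_csrf_token(self):
        token = uuid.uuid4().hex
        self["_csrft_"] = token
        return token

    def get_csrf_token(self):
        token = self.get("_csrft_")
        if token is None:
            token = self.new_csrf_token()
        return token


class Request:
    """Stand-in request: cookies, a session, and response callbacks."""

    def __init__(self, cookies=None, registry=None):
        self.cookies = dict(cookies or {})
        self.registry = registry if registry is not None else {}
        self.session = Session()
        self.response_callbacks = []

    def add_response_callback(self, callback):
        self.response_callbacks.append(callback)


class LegacySessionCSRFStoragePolicy:
    """Delegates to the session's own token; also the fallback when no policy
    is registered."""

    def new_csrf_token(self, request):
        return request.session.new_csrf_token()

    def get_csrf_token(self, request):
        return request.session.get_csrf_token()

    def check_csrf_token(self, request, supplied_token):
        return hmac.compare_digest(self.get_csrf_token(request), supplied_token)


class CookieCSRFStoragePolicy:
    """Keeps the token in its own cookie; the session is never consulted."""

    def __init__(self, cookie_name="csrf_token"):
        self.cookie_name = cookie_name

    def new_csrf_token(self, request):
        token = uuid.uuid4().hex
        request.cookies[self.cookie_name] = token

        def set_cookie(req, response):
            # Pyramid emits a Set-Cookie header here; the model records it.
            response[self.cookie_name] = token

        request.add_response_callback(set_cookie)
        return token

    def get_csrf_token(self, request):
        token = request.cookies.get(self.cookie_name)
        if not token:
            token = self.new_csrf_token(request)
        return token

    def check_csrf_token(self, request, supplied_token):
        return hmac.compare_digest(self.get_csrf_token(request), supplied_token)


def _policy(request):
    return request.registry.get("csrf_policy") or LegacySessionCSRFStoragePolicy()


def get_csrf_token(request):
    """Mirror of pyramid.csrf.get_csrf_token: ask the registered policy."""
    return _policy(request).get_csrf_token(request)


def check_csrf_token(request, supplied_token):
    """Mirror of the check behind require_csrf=True."""
    return _policy(request).check_csrf_token(request, supplied_token)


def tokens_agree(policy):
    """Does request.session.get_csrf_token() equal get_csrf_token(request)?"""
    request = Request(registry={"csrf_policy": policy})
    return request.session.get_csrf_token() == get_csrf_token(request)


def form_round_trip(policy, use_session_token):
    """Render a form using one token source, then POST it back on a fresh
    request that carries the same cookies and session, as a browser would.
    Returns whether the CSRF check accepts the submission."""
    render_req = Request(registry={"csrf_policy": policy})
    if use_session_token:
        hidden = render_req.session.get_csrf_token()
    else:
        hidden = get_csrf_token(render_req)
    post_req = Request(cookies=render_req.cookies, registry=render_req.registry)
    post_req.session.update(render_req.session)
    return check_csrf_token(post_req, hidden)


if __name__ == "__main__":
    for name, policy in [("none", None),
                         ("legacy", LegacySessionCSRFStoragePolicy()),
                         ("cookie", CookieCSRFStoragePolicy())]:
        print(name, "agree:", tokens_agree(policy),
              "session-token POST accepted:", form_round_trip(policy, True),
              "policy-token POST accepted:", form_round_trip(policy, False))
```

The practical consequence for the thread's setup is that the hidden field (whether written by a Deform deferred or a template) should be filled from `pyramid.csrf.get_csrf_token(request)` rather than `request.session.get_csrf_token()`, since only the former is guaranteed to match whatever policy `require_csrf=True` validates against.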
