Mirror: tornadoweb / Tornado

Commit 85954d98, written March 30, 2023 by Ben Darnell, committed via GitHub (unverified)
Merge pull request #3244 from bdarnell/xsrf-rename
web: Support renaming the XSRF cookie
Parents: 7186b865, eb61029a
Changes: 3 changed files with 72 additions and 2 deletions (+72 -2)
docs/web.rst (+9 -0)
tornado/test/web_test.py (+59 -0)
tornado/web.py (+4 -2)
docs/web.rst
@@ -253,12 +253,21 @@
* ``xsrf_cookie_kwargs``: May be set to a dictionary of
additional arguments to be passed to `.RequestHandler.set_cookie`
for the XSRF cookie.
* ``xsrf_cookie_name``: Controls the name used for the XSRF
cookie (default ``_xsrf``). The intended use is to take
advantage of `cookie prefixes`_. Note that cookie prefixes
interact with other cookie flags, so they must be combined
with ``xsrf_cookie_kwargs``, such as
``{"xsrf_cookie_name": "__Host-xsrf", "xsrf_cookie_kwargs":
{"secure": True}}``
* ``twitter_consumer_key``, ``twitter_consumer_secret``,
``friendfeed_consumer_key``, ``friendfeed_consumer_secret``,
``google_consumer_key``, ``google_consumer_secret``,
``facebook_api_key``, ``facebook_secret``: Used in the
`tornado.auth` module to authenticate to various APIs.
.. _cookie prefixes: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes
Template settings:
* ``autoescape``: Controls automatic escaping for templates.
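Review bot: the new ``xsrf_cookie_name`` entry should spell out which flags a ``__Host-`` prefixed cookie needs, and that renaming the cookie does not rename the ``_xsrf`` form argument. The text says prefixes "interact with other cookie flags" but only shows ``{"secure": True}``; a reader who also passes ``domain`` in ``xsrf_cookie_kwargs`` will get a cookie the browser silently drops, so state the constraint plainly (Secure, no Domain, and a root path). The test added in this same change carries the comment "renaming the cookie doesn't rename the POST param", which is exactly the sentence users will be looking for here.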
tornado/test/web_test.py
@@ -2919,6 +2919,65 @@ class XSRFTest(SimpleHandlerTestCase):
self
.
assertEqual
(
response
.
code
,
200
)
# A subset of the previous test with a different cookie name
class
XSRFCookieNameTest
(
SimpleHandlerTestCase
):
class
Handler
(
RequestHandler
):
def
get
(
self
):
self
.
write
(
self
.
xsrf_token
)
def
post
(
self
):
self
.
write
(
"ok"
)
def
get_app_kwargs
(
self
):
return
dict
(
xsrf_cookies
=
True
,
xsrf_cookie_name
=
"__Host-xsrf"
,
xsrf_cookie_kwargs
=
{
"secure"
:
True
},
)
def
setUp
(
self
):
super
().
setUp
()
self
.
xsrf_token
=
self
.
get_token
()
def
get_token
(
self
,
old_token
=
None
):
if
old_token
is
not
None
:
headers
=
self
.
cookie_headers
(
old_token
)
else
:
headers
=
None
response
=
self
.
fetch
(
"/"
,
headers
=
headers
)
response
.
rethrow
()
return
native_str
(
response
.
body
)
def
cookie_headers
(
self
,
token
=
None
):
if
token
is
None
:
token
=
self
.
xsrf_token
return
{
"Cookie"
:
"__Host-xsrf="
+
token
}
def
test_xsrf_fail_no_token
(
self
):
with
ExpectLog
(
gen_log
,
".*'_xsrf' argument missing"
):
response
=
self
.
fetch
(
"/"
,
method
=
"POST"
,
body
=
b
""
)
self
.
assertEqual
(
response
.
code
,
403
)
def
test_xsrf_fail_body_no_cookie
(
self
):
with
ExpectLog
(
gen_log
,
".*XSRF cookie does not match POST"
):
response
=
self
.
fetch
(
"/"
,
method
=
"POST"
,
body
=
urllib
.
parse
.
urlencode
(
dict
(
_xsrf
=
self
.
xsrf_token
)),
)
self
.
assertEqual
(
response
.
code
,
403
)
def
test_xsrf_success_post_body
(
self
):
response
=
self
.
fetch
(
"/"
,
method
=
"POST"
,
# Note that renaming the cookie doesn't rename the POST param
body
=
urllib
.
parse
.
urlencode
(
dict
(
_xsrf
=
self
.
xsrf_token
)),
headers
=
self
.
cookie_headers
(),
)
self
.
assertEqual
(
response
.
code
,
200
)
class
XSRFCookieKwargsTest
(
SimpleHandlerTestCase
):
class
Handler
(
RequestHandler
):
def
get
(
self
):
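Review bot: XSRFCookieNameTest has no case for a cookie sent under the old ``_xsrf`` name, which is the regression the rename is meant to protect against. The three tests cover missing token, body-without-cookie and the success path, but none sends ``Cookie: _xsrf=<token>`` with a matching ``_xsrf`` body and asserts 403, so a future change that fell back to the default name on a miss would pass this suite. Also worth a comment in ``cookie_headers``: the test client is not a browser, so the ``secure`` attribute in ``get_app_kwargs`` is never enforced here and the ``__Host-`` handling is only exercised as a name, not as a prefix.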
tornado/web.py
@@ -1486,7 +1486,8 @@ class RequestHandler(object):
if
version
is
None
:
if
self
.
current_user
and
"expires_days"
not
in
cookie_kwargs
:
cookie_kwargs
[
"expires_days"
]
=
30
self
.
set_cookie
(
"_xsrf"
,
self
.
_xsrf_token
,
**
cookie_kwargs
)
cookie_name
=
self
.
settings
.
get
(
"xsrf_cookie_name"
,
"_xsrf"
)
self
.
set_cookie
(
cookie_name
,
self
.
_xsrf_token
,
**
cookie_kwargs
)
return
self
.
_xsrf_token
def
_get_raw_xsrf_token
(
self
)
->
Tuple
[
Optional
[
int
],
bytes
,
float
]:
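Review bot: the lookup ``self.settings.get("xsrf_cookie_name", "_xsrf")`` introduced in ``xsrf_token`` is repeated verbatim in ``_get_raw_xsrf_token`` in the next hunk; factor it into a single helper (or a property on the handler) so the name used to set the cookie and the name used to read it cannot drift apart, and so the ``"_xsrf"`` default literal lives in one place.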
@@ -1501,7 +1502,8 @@ class RequestHandler(object):
for version 1 cookies)
"""
if
not
hasattr
(
self
,
"_raw_xsrf_token"
):
cookie
=
self
.
get_cookie
(
"_xsrf"
)
cookie_name
=
self
.
settings
.
get
(
"xsrf_cookie_name"
,
"_xsrf"
)
cookie
=
self
.
get_cookie
(
cookie_name
)
if
cookie
:
version
,
token
,
timestamp
=
self
.
_decode_xsrf_token
(
cookie
)
else
:
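Review bot: because ``_get_raw_xsrf_token`` now reads only ``self.get_cookie(cookie_name)`` with no fallback to ``_xsrf``, a deployment that switches the name will reject the first POST from every browser still holding the old cookie until a GET has issued a token under the new name. That is the correct behaviour for the rename, but it should be called out in the release notes for ``xsrf_cookie_name`` so operators roll it out expecting a burst of 403s rather than treating them as an incident.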