add-CSFR-protection

3 years ago · ba5cf8ed93
parent ac2b46e62d
commit ba5cf8ed93
21 changed files with 29 additions and 7 deletions
--- a/app/init.py
+++ b/app/init.py
@ -5,6 +5,8 @@ from flask_mail import Mail
 from flask_moment import Moment
 from flask_sqlalchemy import SQLAlchemy
 from flask_login import LoginManager
+from flask_wtf import CSRFProtect
+
 from config import config
 from flask_pagedown import PageDown

@ -13,6 +15,7 @@ mail = Mail()
 moment = Moment()
 db = SQLAlchemy()
 pagedown = PageDown()
+csrf = CSRFProtect()

 login_manager = LoginManager()
 login_manager.login_view = 'auth.login'
@ -26,6 +29,7 @@ def create_app(config_name):
    bootstrap.init_app(app)
    mail.init_app(app)
    moment.init_app(app)
+    csrf.init_app(app=app)
    db.init_app(app)
    login_manager.init_app(app)
    pagedown.init_app(app)
--- a/app/templates/auth/change_password.html
+++ b/app/templates/auth/change_password.html
@ -38,6 +38,7 @@
 					<div class="tab-pane active" id="panel-1">
 						<div class="pwd">
 							<form class="form-horizontal" role="form" method="post">
+                                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                                <div class="board">
 {#                                    旧密码#}
                                    <div class="form-group">
--- a/app/templates/auth/login.html
+++ b/app/templates/auth/login.html
@ -76,6 +76,7 @@
                {% endfor %}

                <form role="form" class="form-signin" method="post" style="margin: 120px auto 0px auto;">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <h2 class="form-signin-heading">Please sign in</h2>

                    <label for="inputName" class="sr-only">Email address</label>
--- a/app/templates/auth/register.html
+++ b/app/templates/auth/register.html
@ -77,6 +77,7 @@
                {% endfor %}

                <form class="form-signin" method="post" style="margin: 75px auto 0 auto;">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <h1 class="form-signin-heading">Register</h1>

 <!--                    {#                    前两个信息是用来验证的（学号，身份证号）#}-->
--- a/app/templates/auth/reset_password.html
+++ b/app/templates/auth/reset_password.html
@ -77,6 +77,7 @@
                {% endfor %}

                <form role="form" class="form-signin" method="post" style="margin: 120px auto 0px auto;">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <h2 class="form-signin-heading">Reset Your Password</h2>

                    {{ form.csrf_token }}
--- a/app/templates/auth/reset_password_inEmail.html
+++ b/app/templates/auth/reset_password_inEmail.html
@ -77,6 +77,7 @@
                {% endfor %}

                <form role="form" class="form-signin" method="post" style="margin: 120px auto 0px auto;">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <h2 class="form-signin-heading">Reset Your Password</h2>
                    {{ form.csrf_token }}
                    {{ form.password }}
--- a/app/templates/edit_profile.html
+++ b/app/templates/edit_profile.html
@ -36,7 +36,7 @@
 {#        更改头像的按钮#}
        <div class="col-sm-8" style="margin: 0px 45px ">
            <form action="{{ url_for('.uploadPhoto') }}" method="post" enctype="multipart/form-data">
-                {{ form.csrf_token }}
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                <a href="javascript:;" class="file btn btn-warning" style="margin: 3px 10px">Change Avatar
                    {{ form.photo }}
                </a>
@ -49,6 +49,7 @@

        <div class="col-sm-6" style="margin-top: 25px">
            <form class="form-horizontal" method="post">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                <div class="form-group" style="margin-top: 15px; ">
                    <label for="username" class="col-sm-3 control-label text-left">User name</label>
                    <div class="col-sm-9">
--- a/app/templates/index/index_activities.html
+++ b/app/templates/index/index_activities.html
@ -32,7 +32,8 @@
                    <li><a href="{{ url_for('main.index') }}">Home</a></li>

                    <form class="navbar-form navbar-left" role="search" method="post">
-                      <div class="form-group">
+                      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <div class="form-group">
                          <input name="search" value=" " style="width: 420px;margin-left: 20px;" type="text" class="form-control" placeholder="Search">
                      </div>
                      <button type="submit" class="btn btn-default" >Submit</button>
--- a/app/templates/index/index_follows.html
+++ b/app/templates/index/index_follows.html
@ -32,7 +32,8 @@
                    <li><a href="{{ url_for('main.index') }}">Home</a></li>

                    <form class="navbar-form navbar-left" role="search" method="post">
-                      <div class="form-group">
+                      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <div class="form-group">
                          <input name="search" value=" " style="width: 420px;margin-left: 20px;" type="text" class="form-control" placeholder="Search">
                      </div>
                      <button type="submit" class="btn btn-default" >Submit</button>
--- a/app/templates/index/index_posts.html
+++ b/app/templates/index/index_posts.html
@ -32,7 +32,8 @@
                    <li><a href="{{ url_for('main.index') }}">Home</a></li>

                    <form class="navbar-form navbar-left" role="search" method="post">
-                      <div class="form-group">
+                      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <div class="form-group">
                          <input name="search" value=" " style="width: 420px;margin-left: 20px;" type="text" class="form-control" placeholder="Search">
                      </div>
                      <button type="submit" class="btn btn-default" >Submit</button>
--- a/app/templates/index/index_transactions.html
+++ b/app/templates/index/index_transactions.html
@ -32,7 +32,8 @@
                    <li><a href="{{ url_for('main.index') }}">Home</a></li>

                    <form class="navbar-form navbar-left" role="search" method="post">
-                      <div class="form-group">
+                      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <div class="form-group">
                           <input name="search" value=" " style="width: 420px;margin-left: 20px;" type="text" class="form-control" placeholder="Search">
                      </div>
                      <button type="submit" class="btn btn-default" >Submit</button>
--- a/app/templates/new_posting/new_mdpost.html
+++ b/app/templates/new_posting/new_mdpost.html
@ -57,7 +57,7 @@
    <div>
        {% if current_user.can(Permission.WRITE) %}
            <form method="post">
-
+<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                <div class="col-md-offset-3 col-md-8">
                    <label class="WriteIndex-titleInput Input-wrapper Input-wrapper--multiline">
                        <textarea  id="title" name="title" rows="1" class="Input" maxlength="30"
--- a/app/templates/organization/new_activity.html
+++ b/app/templates/organization/new_activity.html
@ -21,6 +21,7 @@
    <!--        左侧表单-->
            <div class="col-md-6">
                <form class="form-activity form-horizontal" method="post">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <h1 class="form-activity-heading col-sm-offset-1">Activity</h1>
 <!--                    活动名称-->
                    <div class="form-group">
--- a/app/templates/organization/organization_register.html
+++ b/app/templates/organization/organization_register.html
@ -78,6 +78,7 @@
                {% endfor %}

                <form role="form" class="form-signin" method="post" style="margin: 120px auto 0px auto;">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <h2 class="form-signin-heading">Organization Register</h2>

                    {{ form.csrf_token }}
--- a/app/templates/organization/send_result.html
+++ b/app/templates/organization/send_result.html
@ -77,6 +77,7 @@
                {% endfor %}

                <form role="form" class="form-signin" method="post" style="margin: 120px auto 0px auto;">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <h2 class="form-signin-heading">Send Result Email</h2>
                    <a class="btn btn-lg btn-warning btn-block chose" href="{{ url_for('organization.register_success', oid=oid) }}">Register Success</a>
                    <a class="btn btn-lg btn-warning btn-block chose" href="{{ url_for('organization.result_fail', oid=oid) }}">Register Fail</a>
--- a/app/templates/post.html
+++ b/app/templates/post.html
@ -127,6 +127,7 @@
            {% if current_user.can(Permission.COMMENT) %}
                <div class="comment-form">
                    <form role="form" class="form-signin"  method="post">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                        <div class="col-md-12">
                             {% if request.args.get('reply') %}
                                <div class="alert alert-warning alert-dismissible" id="reply" role="alert">
--- a/app/templates/querypost.html
+++ b/app/templates/querypost.html
@ -17,6 +17,7 @@

    <div class="col-sm-12">
        <form class="form-horizontal" method="post">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
            <div class="form-group" style="margin-top: 15px; ">

                <h4 class="col-sm-3 control-label text-left" style="padding-top: 7px; text-align: right; margin-top: 0px;">
--- a/app/templates/querytransaction.html
+++ b/app/templates/querytransaction.html
@ -15,6 +15,7 @@

    <div class="col-sm-12">
        <form class="form-horizontal" method="post">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
            <div class="form-group query-title">

                <h4 class="col-sm-3 control-label text-right">
--- a/app/templates/queryuser.html
+++ b/app/templates/queryuser.html
@ -15,6 +15,7 @@

    <div class="col-sm-12">
        <form class="form-horizontal" method="post">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
            <div class="form-group query-title">

                <h4 class="col-sm-3 control-label text-right">
--- a/app/templates/transaction/new_transaction.html
+++ b/app/templates/transaction/new_transaction.html
@ -20,6 +20,7 @@
    <!--        右侧表单-->
            <div class="col-md-6">
                <form class="form-transaction form-horizontal" method="post" style="margin: 75px auto 0 auto;">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <h1 class="form-transaction-heading">Transaction</h1>
    <!--                商品名-->
                    <div class="form-group">
--- a/config.py
+++ b/config.py
@ -6,7 +6,7 @@ basedir = os.path.abspath(os.path.dirname(__file__))
 # basic configuration

 class Config:
-    SECRET_KEY = os.environ.get('SECRET_KEY') or 'hard to guess string'
+    SECRET_KEY = os.environ.get('SECRET_KEY') or 'ec94cr32ffs2123ffd3fg3dsa2r39cfc6d796ae3029594d'

    MAIL_SERVER = 'smtp.qq.com'
    MAIL_PORT = 587