Fix and unify CSRF support across web and API endpoints.

jakedt 2014-03-25 14:32:26 -04:00
parent 0097daebc2
commit f060fd6ae0
5 changed files with 53 additions and 28 deletions


@ -1,11 +1,9 @@
import logging
import os
import base64
import urlparse
import json
from flask import session, make_response, render_template, request
from flask.ext.login import login_user, UserMixin, current_user
from flask import make_response, render_template, request
from flask.ext.login import login_user, UserMixin
from flask.ext.principal import identity_changed
from data import model
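Review bot: `import os` and `import base64` appear to survive on the new side of this hunk, yet their only visible users, `os.urandom` and `base64.b64encode` inside `generate_csrf_token`, are deleted in the later hunk; if nothing else in the module references them, drop those two imports together with the `session`/`current_user` removals so the CSRF token source is not left half-removed. Whether they are still used elsewhere cannot be confirmed from this view, and the hunk counts (11 old, 9 new) suggest lines not shown here, so this may already be handled. Where the token generation now lives after this commit is also not visible in this section.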
@ -85,15 +83,6 @@ def handle_dme(ex):
return make_response(json.dumps({'message': ex.message}), 400)
def generate_csrf_token():
if '_csrf_token' not in session:
session['_csrf_token'] = base64.b64encode(os.urandom(48))
return session['_csrf_token']
app.jinja_env.globals['csrf_token'] = generate_csrf_token
def render_page_template(name, **kwargs):
resp = make_response(render_template(name, route_data=json.dumps(get_route_data()), **kwargs))
resp.headers['X-FRAME-OPTIONS'] = 'DENY'