HEX
Server: LiteSpeed
System: Linux php-prod-1.spaceapp.ru 5.15.0-157-generic #167-Ubuntu SMP Wed Sep 17 21:35:53 UTC 2025 x86_64
User: xnsbb3110 (1041)
PHP: 8.1.33
Disabled: NONE
File: //usr/local/CyberCP/lib/python3.10/site-packages/django/middleware/__pycache__/csrf.cpython-310.pyc