@ -12,7 +12,6 @@ from werkzeug.http import dump_cookie
from werkzeug . routing import Rule
from werkzeug . wrappers import Response
from werkzeug . exceptions import BadRequest , Forbidden , NotFound
from werkzeug . useragents import UserAgent
from isso . compat import text_type as str
@ -32,33 +31,6 @@ class JSON(Response):
return super ( JSON , self ) . __init__ ( * args , content_type = ' application/json ' )
def csrf ( view ) :
""" A decorator to check if Origin matches Host (may be empty if in the same
origin , except for IE of course ) . When MSIE , use Referer . See
* https : / / www . owasp . org / index . php / Cross - Site_Request_Forgery_ ( CSRF ) _Prevention_Cheat_Sheet #Checking_The_Origin_Header
* http : / / tools . ietf . org / html / draft - abarth - origin - 09
* https : / / wiki . mozilla . org / Security / Origin
for details .
"""
def dec ( self , environ , request , * args , * * kwargs ) :
hosts = map ( parse . host , self . conf . getiter ( " host " ) )
if UserAgent ( environ ) . browser == " msie " : # yup
if parse . host ( request . headers . get ( " Referer " , " " ) ) not in hosts :
raise Forbidden ( " CSRF " )
elif " Origin " in request . headers :
if parse . host ( request . headers . get ( " Origin " , " " ) ) not in hosts :
raise Forbidden ( " CSRF " )
return view ( self , environ , request , * args , * * kwargs )
return dec
class API ( object ) :
FIELDS = set ( [ ' id ' , ' parent ' , ' text ' , ' author ' , ' website ' , ' email ' ,
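Review bot: No replacement control is visible on the state-changing views once the `dec` wrapper (the Origin/Referer host check that raised `Forbidden("CSRF")`) is deleted in this hunk and `@csrf` is dropped from `new`, `edit`, `delete`, `like` and `dislike` in the hunks that follow, so as far as this patch shows those handlers now accept a cookie-bearing request from any origin. If another mechanism is meant to take over (a content-type or token check applied elsewhere, for instance), the commit message should say so and ideally the replacement should land in the same commit so the endpoints are not left unguarded in between. Until then I would keep a guard on those views, e.g. a shared decorator that rejects requests whose `Origin`/`Referer` host is not in `self.conf.getiter("host")`, or at minimum add `# TODO: CSRF origin check removed; replacement pending` above `class API` so the gap stays visible. The `dislike` hunk at the end of this diff is cut off, so I could not confirm what follows it.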
@ -119,7 +91,6 @@ class API(object):
return True , " "
@csrf
@requires ( str , ' uri ' )
def new ( self , environ , request , uri ) :
@ -203,7 +174,6 @@ class API(object):
return Response ( json . dumps ( rv ) , 200 , content_type = ' application/json ' )
@csrf
def edit ( self , environ , request , id ) :
try :
@ -247,7 +217,6 @@ class API(object):
resp . headers . add ( " X-Set-Cookie " , cookie ( " isso- %i " % rv [ " id " ] ) )
return resp
@csrf
def delete ( self , environ , request , id , key = None ) :
try :
@ -350,13 +319,11 @@ class API(object):
return JSON ( json . dumps ( rv ) , 200 )
@csrf
def like ( self , environ , request , id ) :
nv = self . comments . vote ( True , id , utils . anonymize ( str ( request . remote_addr ) ) )
return Response ( json . dumps ( nv ) , 200 )
@csrf
def dislike ( self , environ , request , id ) :
nv = self . comments . vote ( False , id , utils . anonymize ( str ( request . remote_addr ) ) )