
imbolc committed 2af0a19

check csrf token in "X-CSRFToken" header

  • Parent commits 95fe59a



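--- a/pysi/middlewares.py
+++ b/pysi/middlewares.py
@@
 import marshal
 import base64
 import uuid
+import logging
 
 try:
     from jinja2 import Markup
@@
             token = token.value
         if rq.method == 'POST':
             if not getattr(func, '_pysi_csrf_exempt', None):
-                if not token or token != rq.POST.get(cfg.CSRF_TOKEN_POST_NAME):
+                rq_token = (rq.POST.get(cfg.CSRF_TOKEN_POST_NAME)
+                        or rq.environ.get('HTTP_X_CSRFTOKEN'))
+                if not token or token != rq_token:
+                    logging.debug('Bad CSRF token. Expected: %s Got: %s' % (
+                        token, rq_token))
                     res = get_error_page(rq, 403)
                     if token is not None:
                         res.delete_cookie(cfg.CSRF_TOKEN_COOKIE_NAME)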
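Review bot: The new `logging.debug` call writes the expected CSRF token (the value of the `token` cookie) and the attacker-supplied value into the log, so anyone with read access to the logs learns a valid token for that session; log only the outcome, e.g. `logging.debug('Bad CSRF token: expected present=%s, request token present=%s', bool(token), rq_token is not None)`, which also uses lazy %-args instead of building the string eagerly. As a secondary point, `token != rq_token` is a short-circuiting string comparison; since `token` is a secret, `hmac.compare_digest` would be the conventional choice (it requires both operands to be str or both bytes, and `rq_token` may be `None` here, so guard for that first). The enclosing function and the `cfg`/`get_error_page` names it uses start outside this hunk, so I cannot confirm from the page which other request methods (PUT, DELETE) are covered by this check.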