From 682a9b9df6f42f8261daa077f04b47b65bf00c34 Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Sat, 29 Apr 2017 09:04:58 +0200
Subject: [PATCH] final cleanup of csrf decoupling in #2854

---
 pyramid/interfaces.py | 30 ++++++++++++++++++------------
 1 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/pyramid/interfaces.py b/pyramid/interfaces.py
index c3b6b16..853e8fc 100644
--- a/pyramid/interfaces.py
+++ b/pyramid/interfaces.py
@@ -927,6 +927,13 @@
 usually accessed via ``request.session``. Keys and values of a session must be pickleable.
+
+ .. versionchanged:: 1.9
+
+ Sessions are no longer required to implement ``get_csrf_token`` and
+ ``new_csrf_token``. CSRF token support was moved to the pluggable
+ :class:`pyramid.interfaces.ICSRFStoragePolicy` configuration hook.
+
 """
 # attributes
@@ -984,24 +991,23 @@ class ICSRFStoragePolicy(Interface):
 """ An object that offers the ability to verify CSRF tokens and generate
- new ones"""
+ new ones."""
 def new_csrf_token(request):
- """ Create and return a new, random cross-site request forgery
- protection token. Return the token. It will be a string."""
+ """ Create and return a new, random cross-site request forgery
+ protection token. The token will be an ascii-compatible unicode
+ string.
+
+ """
 def get_csrf_token(request):
 """ Return a cross-site request forgery protection token. It
- will be a string. If a token was previously set for this user via
- ``new_csrf_token``, that token will be returned. If no CSRF token
- was previously set, ``new_csrf_token`` will be called, which will
- create and set a token, and this token will be returned.
- """
+ will be an ascii-compatible unicode string. If a token was previously
+ set for this user via ``new_csrf_token``, that token will be returned.
+ If no CSRF token was previously set, ``new_csrf_token`` will be
+ called, which will create and set a token, and this token will be
+ returned.
- def check_csrf_token(request, supplied_token):
- """ Returns a boolean that represents if ``supplied_token`` is a valid
- CSRF token for this request. Comparing strings for equality must be done
- using :func:`pyramid.utils.strings_differ` to avoid timing attacks.
 """
-- 
Gitblit v1.9.3
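Review bot: The removed `check_csrf_token` docstring carried the only statement in this interface that implementations must compare tokens in constant time, and nothing that survives in the hunk restates it; if the `check_csrf_token` definition that presumably remains later in the class (outside this hunk, which I infer from the diffstat and the commit title calling this a cleanup of a duplicate) does not say so, policy implementers lose the contractual hint that `supplied_token` must not be compared with `==`. I would carry one sentence over into whichever `check_csrf_token` docstring stays: `Comparing strings for equality must be done using pyramid.util.strings_differ to avoid timing attacks.` (as an rst :func: reference), noting that the removed line spelled the module `pyramid.utils`, which as far as I know should be `pyramid.util`. The rest of the hunk is wording only and reads fine; the `ICSRFStoragePolicy` body continues outside the hunk.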