Skip to content

AI spam #927

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
aizu-m wants to merge 1 commit into from
+12 −2
Closed

AI spam #927

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion src/wtforms/csrf/core.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
import hmac

from wtforms.fields import HiddenField
from wtforms.validators import ValidationError

Expand Down Expand Up @@ -92,5 +94,11 @@ def validate_csrf_token(self, form, field):
:param form: The form which has this CSRF token.
:param field: The CSRF token field.
"""
if field.current_token != field.data:
if (
not field.current_token
or not field.data
or not hmac.compare_digest(
field.current_token.encode("utf8"), field.data.encode("utf8")
)
):
raise ValidationError(field.gettext("Invalid CSRF Token."))
4 changes: 3 additions & 1 deletion src/wtforms/csrf/session.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,9 @@ def validate_csrf_token(self, form, field):
check_val = (self.session["csrf"] + expires).encode("utf8")

hmac_compare = hmac.new(meta.csrf_secret, check_val, digestmod=sha1)
if hmac_compare.hexdigest() != hmac_csrf:
if not hmac.compare_digest(
hmac_compare.hexdigest().encode("utf8"), hmac_csrf.encode("utf8")
):
raise ValidationError(field.gettext("CSRF failed."))

if self.time_limit:
Expand Down
Loading