{"id":1434,"date":"2017-09-09T19:42:28","date_gmt":"2017-09-09T11:42:28","guid":{"rendered":"http:\/\/www.yueguangzu.net\/?p=1434"},"modified":"2017-09-09T19:43:04","modified_gmt":"2017-09-09T11:43:04","slug":"django%e7%b3%bb%e5%88%9712-csrf%e8%a3%85%e9%a5%b0%e5%99%a8%e5%92%8c%e4%b8%ad%e9%97%b4%e4%bb%b6","status":"publish","type":"post","link":"http:\/\/www.yueguangzu.net\/?p=1434","title":{"rendered":"[Django\u7cfb\u5217]12.CSRF,\u88c5\u9970\u5668\u548c\u4e2d\u95f4\u4ef6"},"content":{"rendered":"
\n
CSRF\uff08Cross-site request forgery\uff09\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\uff0c\u4e5f\u88ab\u79f0\u4e3a\u201cOne Click Attack\u201d\u6216\u8005Session Riding\uff0c\u901a\u5e38\u7f29\u5199\u4e3aCSRF\u6216\u8005XSRF\uff0c\u662f\u4e00\u79cd\u5bf9\u7f51\u7ad9\u7684\u6076\u610f\u5229\u7528\u3002\u5c3d\u7ba1\u542c\u8d77\u6765\u50cf\u8de8\u7ad9\u811a\u672c\uff08<\/span>XSS<\/a><\/span>\uff09\uff0c\u4f46\u5b83\u4e0eXSS\u975e\u5e38\u4e0d\u540c\uff0cXSS\u5229\u7528\u7ad9\u70b9\u5185\u7684\u4fe1\u4efb\u7528\u6237\uff0c\u800cCSRF\u5219\u901a\u8fc7\u4f2a\u88c5\u6765\u81ea\u53d7\u4fe1\u4efb\u7528\u6237\u7684\u8bf7\u6c42\u6765\u5229\u7528\u53d7\u4fe1\u4efb\u7684\u7f51\u7ad9\u3002\u4e0e<\/span>XSS<\/a><\/span>\u653b\u51fb\u76f8\u6bd4\uff0cCSRF\u653b\u51fb\u5f80\u5f80\u4e0d\u5927\u6d41\u884c\uff08\u56e0\u6b64\u5bf9\u5176\u8fdb\u884c\u9632\u8303\u7684\u8d44\u6e90\u4e5f\u76f8\u5f53\u7a00\u5c11\uff09\u548c\u96be\u4ee5\u9632\u8303\uff0c\u6240\u4ee5\u88ab\u8ba4\u4e3a\u6bd4XSS<\/a><\/span>\u66f4\u5177\u5371\u9669\u6027\u3002<\/span><\/h5>\n<\/blockquote>\n

\u6a21\u62dfCSRF\u653b\u51fb\u6848\u4f8b:\u4f59\u989d\u600e\u4e48\u53d8\u5c11\u4e86?<\/span><\/h2>\n
\n
\u5c0f\u738b\u548c\u5c0f\u674e\u662f\u67d0ICBC\u94f6\u884c\u76842\u4e2a\u6b63\u5e38\u7684\u7528\u6237,\u7528\u6237\u5c0f\u9ed1\u662f\u4e00\u540d\u9ed1\u5ba2,\u4e5f\u5728\u8be5\u94f6\u884c\u5f00\u4e86\u94f6\u884c\u8d26\u6237.\u4e09\u4e2a\u7528\u6237\u7684\u4f59\u989d\u60c5\u51b5\u5982\u4e0b:<\/span><\/h5>\n<\/blockquote>\n

<\/span><\/span><\/p>\n

\n
\u67d0\u5929,\u5c0f\u738b\u7ed9\u5c0f\u674e\u8f6c\u8d262000\u5143\u6210\u529f\u540e,\u6536\u5230\u4e86\u9ed1\u5ba2\u5c0f\u9ed1\u53d1\u4e86\u4e00\u4e2a\u94fe\u63a5<\/span><\/h5>\n<\/blockquote>\n

<\/span><\/span><\/p>\n

<\/span><\/span><\/p>\n

\n
\u5c0f\u738b\u6253\u5f00\u8fde\u63a5\u540e,\u663e\u793a\u7684\u662f\u4e00\u4e2a\u5e7d\u9ed8\u7684\u5927\u56fe:\u662f\u7537\u4eba\u5c31\u575a\u6301600\u79d2<\/span><\/h5>\n<\/blockquote>\n

<\/span><\/span><\/p>\n

\u4e07\u4e07\u6ca1\u60f3\u5230\u7684\u662f,\u5c0f\u738b\u94f6\u884c\u5361\u91cc\u7684\u94b1\u5c11\u4e86100,\u66f4\u90aa\u95e8\u7684\u662f,\u6bcf\u6253\u5f00\u4e00\u6b21\u8fd9\u4e2a\u754c\u9762,\u5c31\u4f1a\u5c11100\u5143!<\/span><\/h5>\n

<\/span><\/span><\/p>\n

\n
\u5c0f\u738b\u4e00\u5171\u70b9\u51fb\u4e86\u8be5\u9875\u976210\u6b21,\u7d2f\u8ba1\u635f\u5931\u4e861000\u5143.<\/span><\/h5>\n<\/blockquote>\n

<\/span><\/span><\/p>\n

\u8fd9\u662f\u4e3a\u4f55?<\/span><\/h5>\n
\n
\u539f\u6765\u8be5icbc\u94f6\u884c\u7f51\u7ad9\u5e76\u6ca1\u6709\u5f00\u542fcsrf\u7684\u6821\u9a8c,\u8be5\u4f4d\u7f6e\u4f4d\u4e8esettings.py\u7684MIDDLEWARE<\/code><\/span>\u4e0b\u9762django.middleware.csrf.CsrfViewMiddleware<\/code><\/span><\/h5>\n<\/blockquote>\n
MIDDLEWARE<\/span> = [\r\n \u00a0  'django.middleware.security.SecurityMiddleware'<\/span>, # \u5b89\u5168\u76f8\u5173\u7684\u4e2d\u95f4\u4ef6 \u6bd4\u5982\uff1a\u9884\u9632XSS\u653b\u51fb\u5904\u7406<\/span>\r\n \u00a0  'django.contrib.sessions.middleware.SessionMiddleware'<\/span>,# session\u4e2d\u95f4\u4ef6<\/span>\r\n \u00a0  'django.middleware.common.CommonMiddleware'<\/span>, # \u81ea\u52a8\u7ed9URL\u52a0\u659c\u6760\u548cwww\u7684\uff0c\u7b49\u4e00\u4e9b\u5176\u4ed6\u7684\u5c0f\u7ec6\u8282\u5904\u7406<\/span>\r\n \u00a0 # 'django.middleware.csrf.CsrfViewMiddleware', # csrf\u653b\u51fb\u7684\u4e2d\u95f4\u4ef6<\/span>\r\n \u00a0  'django.contrib.auth.middleware.AuthenticationMiddleware'<\/span>, # \u6dfb\u52a0user\u8fd9\u6837\u4e00\u4e2a\u5c5e\u6027\uff0c\u5f53\u7136\u4e0d\u4ec5\u4ec5\u8fd9\u4e9b\uff0c\u662f\u4e00\u4e2a\u6388\u6743\u7684\u4e2d\u95f4\u4ef6<\/span>\r\n \u00a0  'django.contrib.messages.middleware.MessageMiddleware'<\/span>, # message\u4e2d\u95f4\u4ef6<\/span>\r\n \u00a0  'django.middleware.clickjacking.XFrameOptionsMiddleware'<\/span>, # \u9632\u6b62\u901a\u8fc7\u6d4f\u89c8\u5668\u9875\u9762\u8de8Frame\u51fa\u73b0clickjacking\uff08\u6b3a\u9a97\u70b9\u51fb\uff09\u653b\u51fb\u51fa\u73b0\u3002<\/span>\r\n \u00a0  'account.middleware.mymiddleware.UserMiddleware'<\/span>\r\n]<\/pre>\n
\n
\u542f\u7528\u8be5\u4e2d\u95f4\u4ef6,\u540c\u65f6\u5728\u8f93\u5165\u7684\u8868\u5355\u4e2d,\u52a0\u5165{% csrf_token %}<\/code><\/span><\/h5>\n<\/blockquote>\n
<<\/span>form<\/span> action<\/span>=\"\"<\/span> method<\/span>='POST'<\/span>><\/span>\r\n \u00a0 \u00a0 \u00a0  {%<\/span> csrf_token<\/span> %<\/span>}\r\n        <<\/span>table<\/span>><\/span>\r\n            <<\/span>tbody<\/span>><\/span>\r\n                <<\/span>tr<\/span>><\/span>\r\n                    <<\/span>td<\/span>><<\/span>label<\/span> for<\/span>=\"\"<\/span>><\/span>\u76ee\u6807\u7528\u6237<\/span>:<\/<\/span>label<\/span>><\/<\/span>td<\/span>><\/span>\r\n                    <<\/span>td<\/span>><<\/span>input<\/span> type<\/span>=\"text\"<\/span> name<\/span>='username'<\/span>><\/<\/span>td<\/span>><\/span>\r\n                <\/<\/span>tr<\/span>><\/span>\r\n                <<\/span>tr<\/span>><\/span>\r\n                    <<\/span>td<\/span>><<\/span>label<\/span> for<\/span>=\"\"<\/span>><\/span>\u8f6c\u8d26\u91d1\u989d<\/span>:<\/<\/span>label<\/span>><\/<\/span>td<\/span>><\/span>\r\n                    <<\/span>td<\/span>><<\/span>input<\/span> type<\/span>=\"text\"<\/span> name<\/span>='money'<\/span>><\/<\/span>td<\/span>><\/span>\r\n                <\/<\/span>tr<\/span>><\/span>\r\n                <<\/span>tr<\/span>><\/span>\r\n                    <<\/span>td<\/span>><\/<\/span>td<\/span>><\/span>\r\n                    <<\/span>td<\/span>><<\/span>input<\/span> type<\/span>=\"submit\"<\/span> value<\/span>='\u786e\u5b9a'<\/span>><\/<\/span>td<\/span>><\/span>\r\n                <\/<\/span>tr<\/span>><\/span>\r\n            <\/<\/span>tbody<\/span>><\/span>\r\n        <\/<\/span>table<\/span>><\/span>\r\n        {%<\/span> if<\/span> errors<\/span> %<\/span>}\r\n            <<\/span>p<\/span>><\/span>{{errors<\/span>}}<\/<\/span>p<\/span>><\/span>\r\n        {%<\/span> endif<\/span> %<\/span>}\r\n    <\/<\/span>form<\/span>><\/span><\/pre>\n
\n
\u4ece\u90a3\u4e4b\u540e,\u65e0\u8bba\u5c0f\u738b\u518d\u600e\u4e48\u4e0d\u662f\u7537\u4eba,\u70b9\u5f00\u662f\u7537\u4eba\u575a\u6301600\u79d2\u7684 \u90a3\u4e2a\u9493\u9c7c\u7ad9\u70b9,\u90fd\u4e0d\u4f1a\u518d\u635f\u5931\u94b1\u4e86.<\/span><\/h5>\n<\/blockquote>\n
<\/span><\/span><\/p>\n
1.CSRF\u8de8\u7ad9\u653b\u51fb\u539f\u56e0\u5206\u6790<\/span><\/h4>\n
<\/span><\/span><\/p>\n
    \n
  • \n
    \u7528\u6237C\u5728\u8bbf\u95eeicbc\u7ad9\u70b9A\u7684\u65f6,\u767b\u5f55\u5b8c\u6210\u540e,A\u751f\u6210cookie\u4ea4\u7ed9C<\/span><\/h5>\n<\/li>\n
  • \n
    C\u6ca1\u6709\u9000\u51fa\u7684\u60c5\u51b5\u4e0b,\u8bbf\u95ee\u4e86\u7ad9\u70b9B<\/span><\/h5>\n<\/li>\n
  • \n
    B\u5728C\u6ca1\u6709\u9000\u51fa\u767b\u5f55\u7684\u60c5\u51b5\u4e0b,\u62ff\u7740C\u7684cookie\u53bb\u8bbf\u95eeA,\u8fdb\u884c\u8f6c\u8d26\u64cd\u4f5c.<\/h5>\n<\/li>\n
  • \n
    \u7531\u4e8eC\u5e76\u6ca1\u6709\u9000\u51fa\u767b\u5f55,A\u6267\u884c\u4e86B\u4f2a\u9020C\u7684\u8bf7\u6c42,\u6240\u4ee5\u5b8c\u6210\u4e86\u8f6c\u8d26.<\/span><\/h5>\n<\/li>\n<\/ul>\n
    \n
    \u5206\u6790\u8be5\u7f51\u7ad9\u7684\u6e90\u4ee3\u7801\u53ef\u4ee5\u770b\u5230,\u8f6c\u8d26\u64cd\u4f5c\u5176\u5b9e\u662f\u4f7f\u7528post\u65b9\u5f0f\u63d0\u4ea4\u4e86\u4e00\u4e2a\u5305\u542b\u4e86\u7528\u6237\u540dusername,\u91d1\u989dmoney\u7684\u8868\u5355\u5230\u5f53\u524d\u7684\u9875\u9762.<\/span><\/h5>\n<\/blockquote>\n
    <\/span><\/span><\/p>\n
    \n
    \u800c\u9493\u9c7c\u7f51\u7ad9\u521a\u597d\u662f\u5229\u7528\u4e86\u8fd9\u70b9\u6f0f\u6d1e,\u901a\u8fc7\u4f7f\u7528iframe\u9690\u85cf\u6846\u67b6,\u4e0b\u6302\u4e00\u4e2a\u9690\u85cf\u7684\u8868\u5355,\u8fd9\u4e2a\u8868\u5355\u8ddf\u94f6\u884c\u8f6c\u8d26\u7684\u8868\u5355\u76f8\u4f3c,\u53c2\u6570\u4e00\u6837,\u63d0\u4ea4\u7684\u5185\u5bb9\u4e00\u6837.\u901a\u8fc7js\u811a\u672c\u63a7\u5236,\u52a0\u8f7d\u8be5\u9875\u9762\u540e,\u81ea\u52a8\u63d0\u4ea4\u8be5\u8868\u5355\u7684\u8f6c\u8d26\u7ed9\u5c0f\u9ed1100\u5143\u7684\u8bf7\u6c42.<\/span><\/h5>\n
      \n
    • \n
      \u5c0f\u738b\u53c8\u6b63\u597d\u5728\u767b\u5f55\u72b6\u6001\u4e0b,\u70b9\u5f00\u4e86\u8fd9\u4e2a\u7f51\u7ad9.\u767b\u5f55\u94f6\u884c\u7684\u4f1a\u8bddsessionid\u4f9d\u7136\u5b58\u5728.<\/h5>\n<\/li>\n
    • \n
      \u9493\u9c7c\u7f51\u7ad9\u6070\u597d\u5229\u7528\u4e86\u8be5\u6f0f\u6d1e,\u8fdb\u884c\u8de8\u57df\u653b\u51fb.\u5229\u7528\u7684\u662f\u672a\u9000\u51fa\u7684\u4f1a\u8bdd\u72b6\u6001\u548c\u672a\u8fdb\u884ccsrf\u9632\u8303\u7684\u6f0f\u6d1e\u7f51\u7ad9.<\/span><\/h5>\n<\/li>\n<\/ul>\n<\/blockquote>\n
      <\/span><\/span><\/p>\n
      \n
      \u5f53\u7f51\u7ad9\u5f00\u542f\u4e86csrf\u6821\u9a8c\u540e,\u6bcf\u6b21\u5411\u7528\u6237\u53d1\u9001\u7684\u9875\u9762,\u90fd\u5e26\u6709csrfmiddlewaretoken\u8fd9\u4e2a\u4e2d\u95f4\u4ef6\u7684\u8de8\u7ad9\u4f2a\u9020\u6821\u9a8c\u7801.\u6bcf\u4e00\u6b21\u63d0\u4ea4\u8868\u5355,\u90fd\u4f1a\u5c06\u8fd9\u4e2a\u6821\u9a8c\u7801\u56de\u4f20,\u5982\u679c\u56de\u4f20\u7684\u6821\u9a8c\u7801\u4e0d\u6b63\u786e,\u90a3\u4e48\u8fd9\u4e2a\u63d0\u4ea4\u7684\u64cd\u4f5c\u5c06\u4f1a\u88ab\u62d2\u7edd.\u8fbe\u5230\u4e86\u8de8\u7ad9\u653b\u51fb\u9632\u5fa1\u7684\u76ee\u7684.\u56e0\u4e3a\u9493\u9c7c\u7f51\u7ad9\u6ca1\u6709\u5f97\u5230csrf_token,\u65e0\u6cd5\u901a\u8fc7\u9a8c\u8bc1.<\/span><\/h5>\n<\/blockquote>\n
      <\/span><\/span><\/p>\n
      \u76f8\u5173\u4ee3\u7801\u4e0b\u8f7d<\/span>http:\/\/test.gxticket.com:8080\/pic\/?name=csrf.rar<\/code><\/span><\/h5>\n
      2.\u88c5\u9970\u5668\u7684\u7528\u6cd5<\/span><\/h4>\n
      <\/span><\/span><\/p>\n
      \n
      \u4e0a\u4e2a\u4f8b\u5b50\u4e2d,\u8f6c\u8d26\u4e4b\u524d\u4f7f\u7528\u4e86\u88c5\u9970\u5668login_required\u6765\u68c0\u67e5\u662f\u5426\u5df2\u7ecf\u767b\u9646,\u90a3\u4e48\u662f\u5982\u4f55\u5b9e\u73b0\u7684\u5462?<\/span><\/h5>\n<\/blockquote>\n
      \u5728\u5f53\u524d\u5e94\u7528\u76ee\u5f55\u4e0b\u9762\u7684decorators.py,\u7528\u6765\u5b58\u653e\u6211\u4eec\u9700\u8981\u4f7f\u7528\u7684\u88c5\u9970\u5668\u51fd\u6570.<\/span><\/h5>\n
      #coding: utf-8<\/span>\r\nfrom<\/span> models<\/span> import<\/span> AccountModel<\/span>\r\nfrom<\/span> django<\/span>.shortcuts<\/span> import<\/span> redirect<\/span>,reverse<\/span>\r\nlogin_required<\/span>\r\ndef<\/span> login_required<\/span>(func<\/span>):  #\u88c5\u9970\u5668\u540d\u79f0\u662flogin_required<\/span>\r\n    def<\/span> wrapper<\/span>(request<\/span>,*<\/span>args<\/span>,**<\/span>kwargs<\/span>):  #\u5185\u90e8\u5b9a\u4e49\u4e2awrapper\u51fd\u6570,\u4f20\u5165request,\u548c\u5176\u4ed6\u53c2\u6570,wrapper\u662f\u5305\u88c5,\u5c01\u88c5\u7684\u610f\u601d<\/span>\r\n        username<\/span> = request<\/span>.session<\/span>.get<\/span>('username'<\/span>,None<\/span>) #\u901a\u8fc7\u4f20\u5165\u7684request\u4ece\u670d\u52a1\u5668\u5907\u4efd\u7684request.session\u4e2d\u83b7\u53d6username.<\/span>\r\n        account<\/span> = AccountModel<\/span>.objects<\/span>.filter<\/span>(username<\/span>=username<\/span>).first<\/span>() #\u67e5\u8be2\u6570\u636e\u5e93\u7528\u6237\u540d\u662f\u5426\u5b58\u5728,\u8fd4\u56de\u7b2c\u4e00\u6761\u8bb0\u5f55\u5bf9\u8c61<\/span>\r\n        if<\/span> account<\/span>: #\u5982\u679c\u5b58\u5728,\u5c06\u4f20\u5165\u7684\u51fd\u6570\u539f\u5c01\u4e0d\u52a8\u7684\u8fd4\u56de<\/span>\r\n            return<\/span> func<\/span>(request<\/span>,*<\/span>args<\/span>,**<\/span>kwargs<\/span>)\r\n        else<\/span>:\r\n            return<\/span> redirect<\/span>(reverse<\/span>('login'<\/span>)) #\u5426\u5219\u8df3\u8f6c\u5230\u767b\u9646\u754c\u9762<\/span>\r\n    return<\/span> wrapper<\/span><\/pre>\n
      3.\u4e2d\u95f4\u4ef6\uff08Middleware\uff09<\/span><\/h4>\n
      3.1\u4ec0\u4e48\u662f\u4e2d\u95f4\u4ef6?<\/span><\/h5>\n
        \n
      • \n
        \u4e2d\u95f4\u4ef6\u662f\u5728request\u548cview\u4e4b\u95f4\u4ee5\u53caview\u5230response\u4e4b\u95f4\u505a\u7684\u4e00\u4e9b\u5904\u7406\u3002<\/span><\/h5>\n<\/li>\n
      • \n
        \u4f7f\u7528\u4e2d\u95f4\u4ef6\u8981\u6ce8\u610f\u653e\u7684\u987a\u5e8f\u3002\u901a\u5e38\u662f\u6309\u7167\u987a\u5e8f\u6267\u884c.<\/span><\/h5>\n<\/li>\n<\/ul>\n
        #django\u5e38\u89c1\u7684\u4e2d\u95f4\u4ef6\u53ca\u76f8\u5173\u89e3\u91ca<\/span>\r\nMIDDLEWARE<\/span> = [\r\n \u00a0  'django.middleware.security.SecurityMiddleware'<\/span>, # \u5b89\u5168\u76f8\u5173\u7684\u4e2d\u95f4\u4ef6 \u6bd4\u5982\uff1a\u9884\u9632XSS\u653b\u51fb\u5904\u7406<\/span>\r\n \u00a0  'django.contrib.sessions.middleware.SessionMiddleware'<\/span>,# session\u4e2d\u95f4\u4ef6<\/span>\r\n \u00a0  'django.middleware.common.CommonMiddleware'<\/span>, # \u81ea\u52a8\u7ed9URL\u52a0\u659c\u6760\u548cwww\u7684\uff0c\u7b49\u4e00\u4e9b\u5176\u4ed6\u7684\u5c0f\u7ec6\u8282\u5904\u7406<\/span>\r\n \u00a0  'django.middleware.csrf.CsrfViewMiddleware'<\/span>, # csrf\u653b\u51fb\u7684\u4e2d\u95f4\u4ef6<\/span>\r\n \u00a0  'django.contrib.auth.middleware.AuthenticationMiddleware'<\/span>, # \u6dfb\u52a0user\u8fd9\u6837\u4e00\u4e2a\u5c5e\u6027\uff0c\u5f53\u7136\u4e0d\u4ec5\u4ec5\u8fd9\u4e9b\uff0c\u662f\u4e00\u4e2a\u6388\u6743\u7684\u4e2d\u95f4\u4ef6<\/span>\r\n \u00a0  'django.contrib.messages.middleware.MessageMiddleware'<\/span>, # message\u4e2d\u95f4\u4ef6<\/span>\r\n \u00a0  'django.middleware.clickjacking.XFrameOptionsMiddleware'<\/span>, # \u9632\u6b62\u901a\u8fc7\u6d4f\u89c8\u5668\u9875\u9762\u8de8Frame\u51fa\u73b0clickjacking\uff08\u6b3a\u9a97\u70b9\u51fb\uff09\u653b\u51fb\u51fa\u73b0\u3002<\/span>\r\n \u00a0  'account.middleware.mymiddleware.UserMiddleware'<\/span>  #\u7528\u6237\u81ea\u5b9a\u4e49\u7684\u4e2d\u95f4\u4ef6<\/span>\r\n]<\/pre>\n
        3.2\u4e2d\u95f4\u4ef6\u7684\u5b9e\u73b0\u8fc7\u7a0b<\/h5>\n
        \n
        – \u524d\u53f0\u53d1\u8d77http\u8bf7\u6c42\u8fc7\u6765\u662f,\u9996\u5148\u8981\u7ecf\u8fc7\u4e00\u4e9b\u5217\u7684\u4e2d\u95f4\u4ef6<\/span><\/h5>\n
        \u4f8b\u5982CommonMiddleware\u81ea\u52a8\u7ed9URL\u52a0\u659c\u6760\u548cwww\u7684,\u7b49\u4e00\u4e9b\u5176\u4ed6\u7684\u5c0f\u7ec6\u8282\u5904\u7406,SessionMiddleware’,# \u8fdb\u884c\u4f1a\u8bdd\u5904\u7406,CsrfViewMiddleware\u8fdb\u884ccsrf\u653b\u51fb\u7684\u5904\u7406,AuthenticationMiddleware\u8ba4\u8bc1\u5904\u7406,MessageMiddleware\u6d88\u606f\u5904\u7406<\/span><\/span><\/p><\/blockquote>\n
        – \u7ecf\u8fc7\u8fd9\u4e9b\u4e2d\u95f4\u4ef6,\u5176\u5b9e\u7c7b\u4f3c\u4e8e\u8c03\u7528\u4e86\u4e00\u4e2a\u6709\u4e00\u4e2a\u7684\u51fd\u6570\u53bb\u8fc7\u6ee4.\u624d\u5230\u8fbeviews\u89c6\u56fe\u51fd\u6570\u5904\u7406<\/h5>\n
        – \u5904\u7406\u5b8c\u6bd5\u540e,\u4e2d\u95f4\u4ef6\u4e5f\u53ef\u4ee5\u53c2\u4e0eresponse\u7684\u54cd\u5e94<\/span><\/h5>\n<\/blockquote>\n
        <\/span><\/span><\/p>\n
        3.3\u81ea\u5b9a\u4e49\u4e2d\u95f4\u4ef6\uff1a<\/span><\/h5>\n
        \n
        \u5728\u5e94\u7528\u76ee\u5f55\u4e0b\u521b\u5efa\u4e00\u4e2a\u4e13\u95e8\u5b58\u653e\u4e2d\u95f4\u4ef6\u7684\u6587\u4ef6\u5939middleware\uff0c\u7136\u540e\u5728\u91cc\u9762\u5305\u542b\u4e00\u4e2ainit<\/strong><\/span>.py\u6587\u4ef6\u7528\u6765\u8868\u793a\u8fd9\u662f\u4e00\u4e2a\u5305\uff0c\u7136\u540e\u521b\u5efa\u4e00\u4e2a\u4e2d\u95f4\u4ef6\u7684\u6587\u4ef6mymiddleware.py\uff0c\u7528\u6765\u5b58\u653e\u6307\u5b9a\u7684\u4e2d\u95f4\u4ef6\uff1a<\/h5>\n<\/blockquote>\n
        #coding: utf8<\/span>\r\nfrom<\/span> account<\/span>.models<\/span> import<\/span> AccountModel<\/span>\r\nfrom<\/span> django<\/span>.utils<\/span>.deprecation<\/span> import<\/span> MiddlewareMixin<\/span> #\u9700\u8981\u4ecedjango.utils.deprecation\u5bfc\u5165MiddlewareMinxin\u6a21\u5757<\/span>\r\n\u200b\r\n# 1.10\u7248\u672c\u4e4b\u540e\u7684\u4e2d\u95f4\u4ef6 <\/span>\r\ndef<\/span> UserMiddleware<\/span>(get_response<\/span>): #\u5b9a\u4e49\u4e00\u4e2a\u7528\u6237\u81ea\u5b9a\u4e49\u7684UserMiddleware\u4e2d\u95f4\u4ef6,\u4f20\u4e00\u4e2a\u7cfb\u7edf\u51fd\u6570get_response\u4f5c\u4e3a\u53c2\u6570<\/span>\r\n    def<\/span> middleware<\/span>(request<\/span>): \r\n        # request\u4e2d\u95f4\u4ef6<\/span>\r\n        username<\/span> = request<\/span>.session<\/span>.get<\/span>('username'<\/span>,None<\/span>) #\u4eceression\u53d6\u51fa\u662f\u5426\u6709\u8be5\u7528\u6237,\u5982\u679c\u6ca1\u6709\u5219\u4e3a\u7a7a<\/span>\r\n        user<\/span> = AccountModel<\/span>.objects<\/span>.filter<\/span>(username<\/span>=username<\/span>).first<\/span>() #\u68c0\u67e5\u6570\u636e\u5e93\u662f\u5426\u6709\u8be5\u7528\u6237\u5b58\u5728<\/span>\r\n        print<\/span> 'middleware first'<\/span>\r\n        if<\/span> user<\/span> and<\/span> not<\/span> hasattr<\/span>(request<\/span>,'frontuser'<\/span>): #\u5f31\u7528\u6237\u5b58\u5728\u4e8e\u6570\u636e\u5e93,\u4e14\u7528\u6237\u6ca1\u6709\u8bbe\u7f6e\u5c5e\u6027frontuser<\/span>\r\n            setattr<\/span>(request<\/span>,'frontuser'<\/span>,user<\/span>) \u00a0 \u00a0 \u00a0  #\u5bf9\u8be5\u7528\u6237\u8bbe\u7f6efrontuser\u5c5e\u6027,\u5e76\u8fd4\u56de.<\/span>\r\n        response<\/span> = get_response<\/span>(request<\/span>)\r\n        # response\u4e2d\u95f4\u4ef6<\/span>\r\n        return<\/span> response<\/span>\r\n    return<\/span> middleware<\/span>\r\n#1.10\u4e4b\u524d\u662f\u5c01\u88c5\u6210\u7c7b<\/span><\/pre>\n
        \n
        \u4f7f\u7528\u65b9\u6cd5:\u5728\u89c6\u56fe\u51fd\u6570\u4e2d,\u5982\u679c\u8bbf\u95ee\u4e3b\u9875,\u5df2\u767b\u5f55\u7528\u6237,\u5177\u6709frontuser\u5c5e\u6027,\u6253\u5370—,\u672a\u767b\u9646\u7528\u6237,\u6253\u5370++++<\/h5>\n<\/blockquote>\n
        def<\/span> index<\/span>(request<\/span>):\r\n    if<\/span> hasattr<\/span>(request<\/span>,'frontuser'<\/span>): #\u662f\u5426\u6709frontuser\u5c5e\u6027,\u6709\u5219\u8bf4\u660e\u5df2\u7ecf\u767b\u9646.\u8fd9\u4e2a\u5c5e\u6027\u5c31\u662f\u4e0a\u9762\u63d0\u5230\u7684\u4e2d\u95f4\u4ef6\u6dfb\u52a0\u7684.<\/span>\r\n        print<\/span> '------------------'<\/span>\r\n    else<\/span>:\r\n        print<\/span> '++++++++++++++++++'<\/span>\r\n    return<\/span> render<\/span>(request<\/span>,'index.html'<\/span>,{'user'<\/span>:''<\/span>,'comment'<\/span>:''<\/span>})<\/pre>\n
        \n
        \u4f7f\u7528\u4e2d\u95f4\u4ef6\u540e\u67e5\u770b\u662f\u5426\u767b\u9646\u7684\u6548\u679c.<\/h5>\n<\/blockquote>\n
        <\/span><\/span><\/p>\n
        <\/span><\/span><\/p>\n
        \u603b\u7ed3<\/span><\/h2>\n
        \n
        \u901a\u8fc7ICBC\u8f6c\u8d26\u7684\u4e00\u4e2a\u5b9e\u4f8b,\u5f15\u51fa\u4e86CSRF\u7684\u539f\u7406\u548c\u5206\u6790,\u5e76\u63d0\u4f9b\u4e86Django\u8bbe\u7f6ecsrf\u7684\u65b9\u6cd5\u505a\u4e86\u8be6\u7ec6\u4ecb\u7ecd\u8bf4\u660e.\u540c\u65f6\u4ecb\u7ecd\u4e86\u81ea\u5b9a\u4e49\u88c5\u9970\u5668\u7684\u5b9a\u4e49\u548c\u7528\u6cd5,\u4e2d\u95f4\u4ef6\u7684\u7406\u8bba,\u4ee5\u53ca\u5982\u4f55\u81ea\u5b9a\u4e49\u4e2d\u95f4\u4ef6.\u8bf7\u91cd\u70b9\u638c\u63e1.<\/span><\/h5>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
        CSRF\uff08Cross-site request forgery\uff09\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\uff0c\u4e5f\u88ab\u79f0\u4e3a\u201cOne Click Attack\u201d\u6216\u8005Session Riding\uff0c\u901a\u5e38\u7f29\u5199\u4e3aCSRF\u6216\u8005XSRF\uff0c\u662f\u4e00\u79cd\u5bf9\u7f51\u7ad9\u7684\u6076\u610f\u5229\u7528\u3002\u5c3d\u7ba1\u542c\u8d77\u6765\u50cf\u8de8\u7ad9\u811a\u672c\uff08XSS […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[54],"tags":[],"_links":{"self":[{"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=\/wp\/v2\/posts\/1434"}],"collection":[{"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1434"}],"version-history":[{"count":3,"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=\/wp\/v2\/posts\/1434\/revisions"}],"predecessor-version":[{"id":1452,"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=\/wp\/v2\/posts\/1434\/revisions\/1452"}],"wp:attachment":[{"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1434"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.yueguangzu.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}