Preventing Flask injection

Updated: 2024-10-27 20:32:16

Question

How can I block foreign form injection in python/flask?

Consider the following MWE:

app.py

from flask import Flask, request, render_template

app = Flask(__name__)


@app.route('/', methods=['GET', 'POST'])
def helloworld():
    if request.method == 'GET':
        return render_template('index.html')
    if request.method == 'POST':
        print(request.form['info'])  ## do something with the info, like write to a database
        return 'nothing'


if __name__ == '__main__':
    app.run(debug=True)

templates/index.html

<html>
<head>
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
    <script type='text/javascript' src="{{ url_for('static', filename='js/fire.js') }}"></script>
</head>
<body>
    <p>Hello world!</p>
</body>
</html>

static/js/fire.js

$(document).click(function() {
    // post data to flask
    $.post('/', {'info': 'test'});
    return false;
});

My questions are:

  • Is it possible to inject from a foreign website? Follow-up: how would that be done? (For example, perhaps via a form that posts to my site's URL?)
  • If injection is possible, how can I block it in the app.py script?
Edit

Here is a very basic script that can be used to test injections against the above flask application. The accepted answer blocks this script:

<!DOCTYPE html>
<html>
<body>
    <h2>Malicious Form Injection</h2>
    <form action='http://127.0.0.1:5000/' method='post'>
        Input 1:<br>
        <input name="info" value="mal1"><br>
        <input type="submit" value="Submit">
    </form>
</body>
</html>

Accepted answer

app.py

from flask import Flask, request, render_template
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
CSRFProtect(app)
app.config['SECRET_KEY'] = 'somethignrandom'


@app.route('/', methods=['GET', 'POST'])
def helloworld():
    if request.method == 'GET':
        return render_template('index.html')
    if request.method == 'POST':
        # anything post will autocheck csrf
        print(request.form['info'])  ## do something with the info, like write to a database
        return 'nothing'


if __name__ == '__main__':
    app.run(debug=True)

There is no need to pass the secret key to the html template, as CSRFProtect will automatically pass the secret key.

<html>
<head>
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
    <meta name='csrf-token' content="{{ csrf_token() }}">
    <script type='text/javascript' src="{{ url_for('static', filename='js/fire.js') }}"></script>
</head>
<body>
    <p>Hello world!</p>
</body>
</html>

script.js

$(document).click(function() {
    // post data to flask, including the token rendered into the meta tag;
    // Flask-WTF looks for the form field 'csrf_token' (or an X-CSRFToken header),
    // so the field must be named 'csrf_token', not '_csrf_token'
    $.post('/', {'info': 'test', 'csrf_token': $('meta[name="csrf-token"]').attr('content')});
    return false;
});
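The mechanism the accepted answer relies on, shown as an added example that is not part of the original post and is not Flask-WTF's own code: a per-session CSRF token signed with the server secret and checked on every POST, written with only the Python standard library so it runs without Flask installed. It goes slightly beyond the answer by also accepting the token from an X-CSRFToken header (the path an AJAX caller would normally use) and by rejecting expired tokens. The session dict, the SECRET_KEY value, the request dicts and the function names generate_csrf_token, validate_csrf_token, handle_post and demo are all constructed stand-ins for Flask's objects, not Flask or Flask-WTF APIs.

```python
# Added example (not from the original post or Flask-WTF): an HMAC-signed
# synchronizer token of the kind CSRFProtect validates. Everything below that
# looks like a Flask object (session, SECRET_KEY, form/header dicts) is a
# constructed stand-in so the file runs on its own.
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-secret-not-for-production"  # stands in for app.config['SECRET_KEY']
TOKEN_TTL_SECONDS = 3600  # same default lifetime Flask-WTF uses (WTF_CSRF_TIME_LIMIT)


def generate_csrf_token(session, secret=SECRET_KEY, now=None):
    """Return a token bound to this session: '<issued>.<hmac(seed.issued)>'.

    The random seed is stored only server side. A foreign page cannot read it
    (same-origin policy) and cannot forge the HMAC without the secret key.
    """
    if "csrf_seed" not in session:
        session["csrf_seed"] = secrets.token_hex(32)
    issued = int(time.time()) if now is None else now
    msg = f"{session['csrf_seed']}.{issued}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued}.{sig}"


def validate_csrf_token(session, token, secret=SECRET_KEY, now=None, ttl=TOKEN_TTL_SECONDS):
    """True only if the token was minted for this session, is unmodified and unexpired."""
    if not token or "csrf_seed" not in session:
        return False
    try:
        issued_str, sig = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if issued > now or now - issued > ttl:
        return False
    msg = f"{session['csrf_seed']}.{issued}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # constant-time comparison so response timing leaks nothing about the expected value
    return hmac.compare_digest(expected, sig)


def handle_post(session, form, headers, now=None):
    """The POST branch of helloworld() with the CSRF check in front of it.

    Lookup order mirrors Flask-WTF: form field 'csrf_token' first, then the
    X-CSRFToken request header. Returns (status_code, body).
    """
    token = form.get("csrf_token") or headers.get("X-CSRFToken")
    if not validate_csrf_token(session, token, now=now):
        return 400, "The CSRF token is missing or invalid."
    # only now is it safe to act on request.form['info']
    return 200, f"stored info={form['info']!r}"


def demo():
    """Constructed requests: the site's own JS post versus the foreign test form."""
    victim = {}  # stands in for flask.session of one logged-in browser
    token = generate_csrf_token(victim)  # what {{ csrf_token() }} writes into the meta tag

    same_site = handle_post(victim, {"info": "test", "csrf_token": token}, {})
    via_header = handle_post(victim, {"info": "test"}, {"X-CSRFToken": token})
    foreign_form = handle_post(victim, {"info": "mal1"}, {})  # the 'Malicious Form Injection' page
    # a token the attacker obtained for their *own* session does not validate for the victim's
    attacker_token = generate_csrf_token({})
    borrowed = handle_post(victim, {"info": "mal1", "csrf_token": attacker_token}, {})
    expired = handle_post(victim, {"info": "test", "csrf_token": token}, {},
                          now=int(time.time()) + 2 * TOKEN_TTL_SECONDS)
    return same_site, via_header, foreign_form, borrowed, expired


if __name__ == "__main__":
    labels = ["same-site form", "AJAX header", "foreign form", "borrowed token", "expired token"]
    for label, (status, body) in zip(labels, demo()):
        print(f"{label:15s} -> {status} {body}")
```

Running the file prints 200 for the two requests that carry the session's own token and 400 for the foreign form, the borrowed token and the expired token. The design point is the one the answer makes implicitly: the foreign page can make the victim's browser send the POST (cookies included), but it cannot read the token from the victim's page, so a server-side check of that token is what separates the site's own fire.js post from the test form.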

Published: 2023-10-05 10:53:48
Source: https://www.elefans.com/category/jswz/34/1467357.html