diff --git a/apps/jumpserver/middleware.py b/apps/jumpserver/middleware.py
index cfe26bb36..9c6113b3a 100644
--- a/apps/jumpserver/middleware.py
+++ b/apps/jumpserver/middleware.py
@@ -10,6 +10,7 @@ import pytz
 from django.conf import settings
 from django.core.exceptions import MiddlewareNotUsed
 from django.db.utils import OperationalError
+from django.middleware.csrf import CsrfViewMiddleware
 from django.http.response import HttpResponseForbidden, JsonResponse
 from django.shortcuts import HttpResponse
 from django.shortcuts import redirect
@@ -19,6 +20,7 @@ from rest_framework import status
 from .utils import set_current_request
+IGNORE_CSRF_CHECK = '*' in os.getenv("DOMAINS", "").split(',')
 class TimezoneMiddleware:
 def __init__(self, get_response):
@@ -191,3 +193,10 @@ class SafeRedirectMiddleware:
 host, port = netloc.split(':', 1)
 return host, port
 return netloc, '80'
+
+
+class CsrfCheckMiddleware(CsrfViewMiddleware):
+ def _origin_verified(self, request):
+ if IGNORE_CSRF_CHECK:
+ return True
+ return super()._origin_verified(request)
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index ae82d3738..fc2cdadaa 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -92,6 +92,9 @@ ALLOWED_HOSTS = ['*']
 # https://docs.djangoproject.com/en/4.1/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS
 CSRF_TRUSTED_ORIGINS = []
 for host_port in ALLOWED_DOMAINS:
+ if '*' in ALLOWED_DOMAINS:
+ CSRF_TRUSTED_ORIGINS = ['http://*', 'https://*']
+ break
 origin = host_port.strip('.')
 if not origin:
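Review bot: `IGNORE_CSRF_CHECK` reads the raw `DOMAINS` environment variable at import time rather than the `settings` object this module already imports, so the bypass can disagree with the `ALLOWED_DOMAINS` / `CSRF_TRUSTED_ORIGINS` values the settings layer derives (for instance if DOMAINS can also come from a config file, or is written as `*, example.com` with spaces, which `split(',')` never matches). If `ALLOWED_DOMAINS` is a module-level name in settings/base.py (it is iterated there) it is exposed as `settings.ALLOWED_DOMAINS`, so a single source of truth would be `IGNORE_CSRF_CHECK = '*' in getattr(settings, 'ALLOWED_DOMAINS', [])`; failing that, at least `[d.strip() for d in os.getenv('DOMAINS', '').split(',')]`. `os` is not imported within this hunk; presumably it is already imported higher in the file, but that should be confirmed. The constant also deserves a comment making the blast radius explicit, e.g. `# DOMAINS='*' disables Django's CSRF Origin check for every request; dev/reverse-proxy convenience only.`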
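Review bot: When `IGNORE_CSRF_CHECK` is set, `_origin_verified` returns True for every `Origin` header, so any cross-site page passes Django's origin check and the only remaining defence is the token/cookie comparison the parent class performs (not visible here); Django added the Origin check precisely for cases where an attacker can plant a CSRF cookie (e.g. from a sibling subdomain behind the same wildcard), so this is a security downgrade and should be presented as one, not as a convenience. The class has no docstring and nothing tells an operator what `DOMAINS=*` costs; add one such as `"""CsrfViewMiddleware variant that skips the Origin check when DOMAINS contains '*'. The CSRF token check still applies. Not safe for production."""` and log a warning at startup if the module has a logger. As far as I recall Django's `@csrf_protect` decorator is built from the stock `CsrfViewMiddleware`, so if any view in the project uses it the bypass is not uniform and those views will still reject mismatched origins. The `['http://*', 'https://*']` trusted-origins value added in base.py likely does not make Django's own matcher accept arbitrary origins on its own (the netloc left after stripping `*` is empty), which is presumably why this override is needed; worth a comment so the two changes are understood as a pair.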
@@ -167,7 +170,8 @@ MIDDLEWARE = [
 'django.middleware.locale.LocaleMiddleware',
 'corsheaders.middleware.CorsMiddleware',
 'django.middleware.common.CommonMiddleware',
- 'django.middleware.csrf.CsrfViewMiddleware',
+ # 'django.middleware.csrf.CsrfViewMiddleware',
+ 'jumpserver.middleware.CsrfCheckMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
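Review bot: The commented-out `# 'django.middleware.csrf.CsrfViewMiddleware',` entry should be removed rather than left in the list; the subclass replaces it and git holds the history, while a dead entry next to a security middleware invites someone to "restore" it and end up with two CSRF middlewares. Keeping `jumpserver.middleware.CsrfCheckMiddleware` in the exact slot the stock class occupied (after CorsMiddleware/CommonMiddleware, before AuthenticationMiddleware) preserves the ordering Django expects, which is good. A one-line comment on the replacement, e.g. `# Subclass of CsrfViewMiddleware; only the Origin check is skipped, and only when DOMAINS contains '*'`, would stop a reader from mistaking this for CSRF protection being dropped.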