From 98b0e7ac266c24f4c2db7dee3eca8606589109ee Mon Sep 17 00:00:00 2001
From: Vlad
Date: Sat, 10 May 2025 23:57:19 +0300
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D0=B0=20=D0=B7=D0=B0=D1=89=D0=B8=D1=82=D0=B0=20=D0=BE?= =?UTF-8?q?=D1=82=20=D0=BF=D1=80=D1=8F=D0=BC=D0=BE=D0=B3=D0=BE=20=D0=B4?= =?UTF-8?q?=D0=BE=D1=81=D1=82=D1=83=D0=BF=D0=B0=20=D0=BA=20=D0=B3=D0=B5?= =?UTF-8?q?=D0=BD=D0=B5=D1=80=D0=B0=D1=86=D0=B8=D0=B8=20=D0=BE=D1=82=D1=87?= =?UTF-8?q?=D0=B5=D1=82=D0=BE=D0=B2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Добавлена проверка сессии для VIN
- Добавлено ограничение по времени (5 минут)
- Добавлено логирование попыток прямого доступа
---
 app.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/app.py b/app.py
index c9a7d7f..bc44ffe 100644
--- a/app.py
+++ b/app.py
@@ -358,6 +358,11 @@ def search():
 res = cur.fetchall()
 cur.execute("""select rownum, t.vin, t.title, t.odo, t.odos, t.dem1, t.dem2, t.year||'/'||t.month from salvagedb t where vin = :p1 and svin = substr(:p1,1,10) """, {'p1': vin})
 his = cur.fetchall()
+
+ # Сохраняем VIN в сессии
+ session['last_searched_vin'] = vin
+ session['last_search_time'] = datetime.datetime.now().timestamp()
+
 return render_template('search.html', site=site, vin=vin, det=res, his=his)
 except:
 logger.error(traceback.format_exc())
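Review bot: `session['last_search_time'] = datetime.datetime.now().timestamp()` derives the epoch value from a naive local-time datetime, which is resolved through the local zone and is ambiguous for the hour that repeats at a DST fall-back; the 300-second comparison in the `generate_pdf_report` hunk only needs a plain epoch, so `datetime.datetime.now(datetime.timezone.utc).timestamp()` is the cleaner source, and the same expression in that second hunk should change with it. The stored pair is the only thing that later authorizes the salvagereport route, so a one-line comment stating that contract would help the next reader: `# Authorizes the salvage report for this VIN for the next 5 minutes (checked in generate_pdf_report)`. The `try` of `search` begins outside the hunk.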
@@ -897,6 +902,16 @@ def serve_static(filename):
 @app.route("/salvagereport/")
 def generate_pdf_report(vin):
 try:
+ # Проверяем наличие VIN в сессии и время последнего поиска
+ if 'last_searched_vin' not in session or session['last_searched_vin'] != vin:
+ logger.warning(f'Direct access attempt to report generation for VIN: {vin}')
+ return 'Access denied', 403
+
+ # Проверяем время последнего поиска (не более 5 минут)
+ if datetime.datetime.now().timestamp() - session['last_search_time'] > 300:
+ logger.warning(f'Report generation attempt expired for VIN: {vin}')
+ return 'Access denied', 403
+
 conn = pool.acquire()
 cur = conn.cursor()
 user_ip = get_ip(request)
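Review bot: The second guard reads `session['last_search_time']` directly, so a session that carries `last_searched_vin` without the timestamp raises KeyError inside the `try` rather than returning 403, and both denial branches log without the requester address even though `user_ip = get_ip(request)` is computed three lines later, which makes the new warnings hard to act on. Reading the timestamp with `session.get('last_search_time', 0)`, hoisting the `get_ip` call above the checks (and dropping the later duplicate), and logging `vin` with `%r` rather than an f-string (it is a URL path segment, so CR/LF in it would otherwise be written verbatim into the log) keeps the gate strict and the log useful; `300` also deserves a named constant shared with the comment. This looks like Flask, so the gate is only as trustworthy as the signed session cookie, which is worth stating in the comment. The `try` of `generate_pdf_report` ends outside the hunk.
```python
def generate_pdf_report(vin):
    try:
        user_ip = get_ip(request)
        # Only the VIN this (signed) session searched within the last 5 minutes may be rendered
        if session.get('last_searched_vin') != vin:
            logger.warning('Direct access attempt to report generation for VIN %r from %s', vin, user_ip)
            return 'Access denied', 403
        if datetime.datetime.now().timestamp() - session.get('last_search_time', 0) > 300:
            logger.warning('Report generation attempt expired for VIN %r from %s', vin, user_ip)
            return 'Access denied', 403
        # … unchanged: pool.acquire(), cursor setup …
```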