Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2015-11-07 16:35:45 +00:00
|
|
|
import re
|
|
|
|
|
2015-03-10 20:21:28 +00:00
|
|
|
from django.forms import CharField, Form, Media
|
2019-09-26 17:06:35 +00:00
|
|
|
from django.http import HttpRequest, HttpResponse
|
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2015-11-07 16:35:45 +00:00
|
|
|
from django.middleware.csrf import (
|
2022-02-03 19:24:19 +00:00
|
|
|
CSRF_TOKEN_LENGTH,
|
|
|
|
CsrfViewMiddleware,
|
|
|
|
_unmask_cipher_token,
|
|
|
|
get_token,
|
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2015-11-07 16:35:45 +00:00
|
|
|
)
|
2015-01-10 20:35:09 +00:00
|
|
|
from django.template import TemplateDoesNotExist, TemplateSyntaxError
|
2014-12-14 20:22:57 +00:00
|
|
|
from django.template.backends.dummy import TemplateStrings
|
|
|
|
from django.test import SimpleTestCase
|
|
|
|
|
|
|
|
|
|
|
|
class TemplateStringsTests(SimpleTestCase):
|
|
|
|
engine_class = TemplateStrings
|
2022-02-03 19:24:19 +00:00
|
|
|
backend_name = "dummy"
|
2014-12-14 20:22:57 +00:00
|
|
|
options = {}
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def setUpClass(cls):
|
2017-01-21 13:13:44 +00:00
|
|
|
super().setUpClass()
|
2014-12-14 20:22:57 +00:00
|
|
|
params = {
|
2022-02-03 19:24:19 +00:00
|
|
|
"DIRS": [],
|
|
|
|
"APP_DIRS": True,
|
|
|
|
"NAME": cls.backend_name,
|
|
|
|
"OPTIONS": cls.options,
|
2014-12-14 20:22:57 +00:00
|
|
|
}
|
|
|
|
cls.engine = cls.engine_class(params)
|
|
|
|
|
|
|
|
def test_from_string(self):
|
|
|
|
template = self.engine.from_string("Hello!\n")
|
|
|
|
content = template.render()
|
|
|
|
self.assertEqual(content, "Hello!\n")
|
|
|
|
|
|
|
|
def test_get_template(self):
|
2022-02-03 19:24:19 +00:00
|
|
|
template = self.engine.get_template("template_backends/hello.html")
|
|
|
|
content = template.render({"name": "world"})
|
2014-12-14 20:22:57 +00:00
|
|
|
self.assertEqual(content, "Hello world!\n")
|
|
|
|
|
2017-02-03 01:43:21 +00:00
|
|
|
def test_get_template_nonexistent(self):
|
2015-04-24 19:33:03 +00:00
|
|
|
with self.assertRaises(TemplateDoesNotExist) as e:
|
2022-02-03 19:24:19 +00:00
|
|
|
self.engine.get_template("template_backends/nonexistent.html")
|
2015-04-24 19:33:03 +00:00
|
|
|
self.assertEqual(e.exception.backend, self.engine)
|
2014-12-14 20:22:57 +00:00
|
|
|
|
2015-01-10 20:35:09 +00:00
|
|
|
def test_get_template_syntax_error(self):
|
|
|
|
# There's no way to trigger a syntax error with the dummy backend.
|
|
|
|
# The test still lives here to factor it between other backends.
|
2022-02-03 19:24:19 +00:00
|
|
|
if self.backend_name == "dummy":
|
2015-03-10 20:21:28 +00:00
|
|
|
self.skipTest("test doesn't apply to dummy backend")
|
2015-01-10 20:35:09 +00:00
|
|
|
with self.assertRaises(TemplateSyntaxError):
|
2022-02-03 19:24:19 +00:00
|
|
|
self.engine.get_template("template_backends/syntax_error.html")
|
2015-01-10 20:35:09 +00:00
|
|
|
|
2014-12-14 20:22:57 +00:00
|
|
|
def test_html_escaping(self):
|
2022-02-03 19:24:19 +00:00
|
|
|
template = self.engine.get_template("template_backends/hello.html")
|
|
|
|
context = {"name": '<script>alert("XSS!");</script>'}
|
2014-12-14 20:22:57 +00:00
|
|
|
content = template.render(context)
|
|
|
|
|
2022-02-03 19:24:19 +00:00
|
|
|
self.assertIn("<script>", content)
|
|
|
|
self.assertNotIn("<script>", content)
|
2014-12-14 20:22:57 +00:00
|
|
|
|
2015-03-10 20:21:28 +00:00
|
|
|
def test_django_html_escaping(self):
|
2022-02-03 19:24:19 +00:00
|
|
|
if self.backend_name == "dummy":
|
2015-03-10 20:21:28 +00:00
|
|
|
self.skipTest("test doesn't apply to dummy backend")
|
|
|
|
|
|
|
|
class TestForm(Form):
|
|
|
|
test_field = CharField()
|
|
|
|
|
2022-02-03 19:24:19 +00:00
|
|
|
media = Media(js=["my-script.js"])
|
2015-03-10 20:21:28 +00:00
|
|
|
form = TestForm()
|
2022-02-03 19:24:19 +00:00
|
|
|
template = self.engine.get_template("template_backends/django_escaping.html")
|
|
|
|
content = template.render({"media": media, "test_form": form})
|
2015-03-10 20:21:28 +00:00
|
|
|
|
2022-02-03 19:24:19 +00:00
|
|
|
expected = "{}\n\n{}\n\n{}".format(media, form, form["test_field"])
|
2015-03-10 20:21:28 +00:00
|
|
|
|
|
|
|
self.assertHTMLEqual(content, expected)
|
|
|
|
|
2021-08-17 20:43:17 +00:00
|
|
|
def check_tokens_equivalent(self, token1, token2):
|
|
|
|
self.assertEqual(len(token1), CSRF_TOKEN_LENGTH)
|
|
|
|
self.assertEqual(len(token2), CSRF_TOKEN_LENGTH)
|
|
|
|
token1, token2 = map(_unmask_cipher_token, (token1, token2))
|
|
|
|
self.assertEqual(token1, token2)
|
|
|
|
|
2014-12-14 20:22:57 +00:00
|
|
|
def test_csrf_token(self):
|
|
|
|
request = HttpRequest()
|
2022-02-03 19:24:19 +00:00
|
|
|
CsrfViewMiddleware(lambda req: HttpResponse()).process_view(
|
|
|
|
request, lambda r: None, (), {}
|
|
|
|
)
|
2014-12-14 20:22:57 +00:00
|
|
|
|
2022-02-03 19:24:19 +00:00
|
|
|
template = self.engine.get_template("template_backends/csrf.html")
|
2014-12-14 20:22:57 +00:00
|
|
|
content = template.render(request=request)
|
|
|
|
|
2018-01-21 07:09:10 +00:00
|
|
|
expected = '<input type="hidden" name="csrfmiddlewaretoken" value="([^"]+)">'
|
2022-02-03 19:24:19 +00:00
|
|
|
match = re.match(expected, content) or re.match(
|
|
|
|
expected.replace('"', "'"), content
|
|
|
|
)
|
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2015-11-07 16:35:45 +00:00
|
|
|
self.assertTrue(match, "hidden csrftoken field not found in output")
|
2021-08-17 20:43:17 +00:00
|
|
|
self.check_tokens_equivalent(match[1], get_token(request))
|
2014-12-14 20:22:57 +00:00
|
|
|
|
|
|
|
def test_no_directory_traversal(self):
|
|
|
|
with self.assertRaises(TemplateDoesNotExist):
|
2022-02-03 19:24:19 +00:00
|
|
|
self.engine.get_template("../forbidden/template_backends/hello.html")
|
2014-12-14 20:22:57 +00:00
|
|
|
|
|
|
|
def test_non_ascii_characters(self):
|
2022-02-03 19:24:19 +00:00
|
|
|
template = self.engine.get_template("template_backends/hello.html")
|
|
|
|
content = template.render({"name": "Jérôme"})
|
2014-12-14 20:22:57 +00:00
|
|
|
self.assertEqual(content, "Hello Jérôme!\n")
|