mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Refs #32596 -- Added extra tests for CsrfViewMiddleware's referer logic.
This commit is contained in:
parent
e513fb0e77
commit
02c59b7a43
@ -305,6 +305,19 @@ class CsrfViewMiddlewareTestMixin:
|
||||
status_code=403,
|
||||
)
|
||||
|
||||
@override_settings(DEBUG=True)
|
||||
def test_https_no_referer(self):
|
||||
"""A POST HTTPS request with a missing referer is rejected."""
|
||||
req = self._get_POST_request_with_token()
|
||||
req._is_secure_override = True
|
||||
mw = CsrfViewMiddleware(post_form_view)
|
||||
response = mw.process_view(req, post_form_view, (), {})
|
||||
self.assertContains(
|
||||
response,
|
||||
'Referer checking failed - no Referer.',
|
||||
status_code=403,
|
||||
)
|
||||
|
||||
def test_https_malformed_host(self):
|
||||
"""
|
||||
CsrfViewMiddleware generates a 403 response if it receives an HTTPS
|
||||
@ -416,6 +429,21 @@ class CsrfViewMiddlewareTestMixin:
|
||||
resp = mw.process_view(req, post_form_view, (), {})
|
||||
self.assertIsNone(resp)
|
||||
|
||||
@override_settings(CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
|
||||
def test_https_good_referer_malformed_host(self):
|
||||
"""
|
||||
A POST HTTPS request is accepted if it receives a good referer with
|
||||
a bad host.
|
||||
"""
|
||||
req = self._get_POST_request_with_token()
|
||||
req._is_secure_override = True
|
||||
req.META['HTTP_HOST'] = '@malformed'
|
||||
req.META['HTTP_REFERER'] = 'https://dashboard.example.com/somepage'
|
||||
mw = CsrfViewMiddleware(post_form_view)
|
||||
mw.process_request(req)
|
||||
resp = mw.process_view(req, post_form_view, (), {})
|
||||
self.assertIsNone(resp)
|
||||
|
||||
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
|
||||
def test_https_csrf_trusted_origin_allowed(self):
|
||||
"""
|
||||
|
Loading…
Reference in New Issue
Block a user