			
		
		
		
	Refs #32800 -- Added CsrfViewMiddleware tests for all combinations of masked/unmasked cookies and tokens.
		
				
					committed by
					
						 Mariusz Felisiak
						Mariusz Felisiak
					
				
			
			
				
	
			
			
			
						parent
						
							defa8d3d87
						
					
				
				
					commit
					5e60c3943b
				
			| @@ -975,6 +975,33 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): | |||||||
|         self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH) |         self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH) | ||||||
|         self.assertNotEqual(csrf_cookie.value, token) |         self.assertNotEqual(csrf_cookie.value, token) | ||||||
|  |  | ||||||
|  |     def test_masked_unmasked_combinations(self): | ||||||
|  |         """ | ||||||
|  |         All combinations are allowed of (1) masked and unmasked cookies, | ||||||
|  |         (2) masked and unmasked tokens, and (3) tokens provided via POST and | ||||||
|  |         the X-CSRFToken header. | ||||||
|  |         """ | ||||||
|  |         cases = [ | ||||||
|  |             (TEST_SECRET, TEST_SECRET, None), | ||||||
|  |             (TEST_SECRET, MASKED_TEST_SECRET2, None), | ||||||
|  |             (TEST_SECRET, None, TEST_SECRET), | ||||||
|  |             (TEST_SECRET, None, MASKED_TEST_SECRET2), | ||||||
|  |             (MASKED_TEST_SECRET1, TEST_SECRET, None), | ||||||
|  |             (MASKED_TEST_SECRET1, MASKED_TEST_SECRET2, None), | ||||||
|  |             (MASKED_TEST_SECRET1, None, TEST_SECRET), | ||||||
|  |             (MASKED_TEST_SECRET1, None, MASKED_TEST_SECRET2), | ||||||
|  |         ] | ||||||
|  |         for args in cases: | ||||||
|  |             with self.subTest(args=args): | ||||||
|  |                 cookie, post_token, meta_token = args | ||||||
|  |                 req = self._get_POST_csrf_cookie_request( | ||||||
|  |                     cookie=cookie, post_token=post_token, meta_token=meta_token, | ||||||
|  |                 ) | ||||||
|  |                 mw = CsrfViewMiddleware(token_view) | ||||||
|  |                 mw.process_request(req) | ||||||
|  |                 resp = mw.process_view(req, token_view, (), {}) | ||||||
|  |                 self.assertIsNone(resp) | ||||||
|  |  | ||||||
|     def test_bare_secret_accepted_and_replaced(self): |     def test_bare_secret_accepted_and_replaced(self): | ||||||
|         """ |         """ | ||||||
|         The csrf token is reset from a bare secret. |         The csrf token is reset from a bare secret. | ||||||
| @@ -1055,6 +1082,29 @@ class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTest | |||||||
|             mw = CsrfViewMiddleware(lambda req: HttpResponse()) |             mw = CsrfViewMiddleware(lambda req: HttpResponse()) | ||||||
|             mw.process_request(HttpRequest()) |             mw.process_request(HttpRequest()) | ||||||
|  |  | ||||||
|  |     def test_masked_unmasked_combinations(self): | ||||||
|  |         """ | ||||||
|  |         Masked and unmasked tokens are allowed both as POST and as the | ||||||
|  |         X-CSRFToken header. | ||||||
|  |         """ | ||||||
|  |         cases = [ | ||||||
|  |             # Bare secrets are not allowed when CSRF_USE_SESSIONS=True. | ||||||
|  |             (MASKED_TEST_SECRET1, TEST_SECRET, None), | ||||||
|  |             (MASKED_TEST_SECRET1, MASKED_TEST_SECRET2, None), | ||||||
|  |             (MASKED_TEST_SECRET1, None, TEST_SECRET), | ||||||
|  |             (MASKED_TEST_SECRET1, None, MASKED_TEST_SECRET2), | ||||||
|  |         ] | ||||||
|  |         for args in cases: | ||||||
|  |             with self.subTest(args=args): | ||||||
|  |                 cookie, post_token, meta_token = args | ||||||
|  |                 req = self._get_POST_csrf_cookie_request( | ||||||
|  |                     cookie=cookie, post_token=post_token, meta_token=meta_token, | ||||||
|  |                 ) | ||||||
|  |                 mw = CsrfViewMiddleware(token_view) | ||||||
|  |                 mw.process_request(req) | ||||||
|  |                 resp = mw.process_view(req, token_view, (), {}) | ||||||
|  |                 self.assertIsNone(resp) | ||||||
|  |  | ||||||
|     def test_process_response_get_token_used(self): |     def test_process_response_get_token_used(self): | ||||||
|         """The ensure_csrf_cookie() decorator works without middleware.""" |         """The ensure_csrf_cookie() decorator works without middleware.""" | ||||||
|         req = self._get_GET_no_csrf_cookie_request() |         req = self._get_GET_no_csrf_cookie_request() | ||||||
|   | |||||||
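Review bot: Both new `test_masked_unmasked_combinations` methods only assert acceptance (`self.assertIsNone(resp)`), so they would still pass if `process_view` stopped comparing the secret and let every token through. Unless a rejection test elsewhere in the file (not visible here) already covers these shapes, each loop should be paired with mismatching cases: the same masked/unmasked and POST/header forms built from a different secret, checked with `self.assertEqual(resp.status_code, 403)`. In the CSRF_USE_SESSIONS hunk the comment `# Bare secrets are not allowed when CSRF_USE_SESSIONS=True.` is ambiguous, because `TEST_SECRET` still appears as a token in the cases below it. Something like `# The stored secret (first item) is always masked: bare secrets are not allowed there when CSRF_USE_SESSIONS=True.` would say what is actually excluded.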