mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-26 07:06:08 +00:00
Code Issues 32 Releases Wiki Activity

[1.5.x] Prevented leaking the CSRF token through caching.

Browse Source 
This is a security fix. Disclosure will follow shortly.

Backport of c083e3815a from master
This commit is contained in:
Aymeric Augustin
2014-04-20 16:29:06 -04:00
committed by Tim Graham
parent 2a5bcb69f4
commit 6872f42757
2 changed files with 36 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
tests/regressiontests/cache/tests.py vendored
View File

@@ -18,11 +18,13 @@ from django.core import management
from django.core.cache import get_cache
from django.core.cache.backends.base import (CacheKeyWarning,
InvalidCacheBackendError)
from django.core.context_processors import csrf
from django.db import router
from django.http import (HttpResponse, HttpRequest, StreamingHttpResponse,
QueryDict)
from django.middleware.cache import (FetchFromCacheMiddleware,
UpdateCacheMiddleware, CacheMiddleware)
from django.middleware.csrf import CsrfViewMiddleware
from django.template import Template
from django.template.response import TemplateResponse
from django.test import TestCase, TransactionTestCase, RequestFactory
@@ -1456,6 +1458,10 @@ def hello_world_view(request, value):
return HttpResponse('Hello World %s' % value)
def csrf_view(request):
return HttpResponse(csrf(request)['csrf_token'])
@override_settings(
CACHE_MIDDLEWARE_ALIAS='other',
CACHE_MIDDLEWARE_KEY_PREFIX='middlewareprefix',
@@ -1696,6 +1702,27 @@ class CacheMiddlewareTest(TestCase):
response = other_with_timeout_view(request, '18')
self.assertEqual(response.content, b'Hello World 18')
def test_sensitive_cookie_not_cached(self):
"""
Django must prevent caching of responses that set a user-specific (and
maybe security sensitive) cookie in response to a cookie-less request.
"""
csrf_middleware = CsrfViewMiddleware()
cache_middleware = CacheMiddleware()
request = self.factory.get('/view/')
self.assertIsNone(cache_middleware.process_request(request))
csrf_middleware.process_view(request, csrf_view, (), {})
response = csrf_view(request)
response = csrf_middleware.process_response(request, response)
response = cache_middleware.process_response(request, response)
# Inserting a CSRF cookie in a cookie-less request prevented caching.
self.assertIsNone(cache_middleware.process_request(request))
@override_settings(
CACHE_MIDDLEWARE_KEY_PREFIX='settingsprefix',