Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.

This is a large change to CSRF protection for Django. It includes: * removing the dependency on the session framework. * deprecating CsrfResponseMiddleware, and replacing with a core template tag. * turning on CSRF protection by default by adding CsrfViewMiddleware to the default value of MIDDLEWARE_CLASSES. * protecting all contrib apps (whatever is in settings.py) using a decorator. For existing users of the CSRF functionality, it should be a seamless update, but please note that it includes DEPRECATION of features in Django 1.1, and there are upgrade steps which are detailed in the docs. Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work on the patch, and to lots of other people including Simon Willison and Russell Keith-Magee who refined the ideas. Details of the rationale for these changes is found here: http://code.djangoproject.com/wiki/CsrfProtection As of this commit, the CSRF code is mainly in 'contrib'. The code will be moved to core in a separate commit, to make the changeset as readable as possible. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-31 09:41:08 +00:00 · 2009-10-26 23:23:07 +00:00
parent d1da261417
commit 8e70cef9b6
47 changed files with 1439 additions and 246 deletions
--- a/django/template/context.py
+++ b/django/template/context.py
@@ -1,7 +1,12 @@
 from django.core.exceptions import ImproperlyConfigured
 from django.utils.importlib import import_module

+# Cache of actual callables.
 _standard_context_processors = None
+# We need the CSRF processor no matter what the user has in their settings,
+# because otherwise it is a security vulnerability, and we can't afford to leave
+# this to human error or failure to read migration instructions.
+_builtin_context_processors =  ('django.contrib.csrf.context_processors.csrf',)

 class ContextPopException(Exception):
    "pop() has been called more times than push()"
@@ -75,7 +80,10 @@ def get_standard_processors():
    global _standard_context_processors
    if _standard_context_processors is None:
        processors = []
-        for path in settings.TEMPLATE_CONTEXT_PROCESSORS:
+        collect = []
+        collect.extend(_builtin_context_processors)
+        collect.extend(settings.TEMPLATE_CONTEXT_PROCESSORS)
+        for path in collect:
            i = path.rfind('.')
            module, attr = path[:i], path[i+1:]
            try:
--- a/django/template/defaulttags.py
+++ b/django/template/defaulttags.py
@@ -37,6 +37,23 @@ class CommentNode(Node):
    def render(self, context):
        return ''

+class CsrfTokenNode(Node):
+    def render(self, context):
+        csrf_token = context.get('csrf_token', None)
+        if csrf_token:
+            if csrf_token == 'NOTPROVIDED':
+                return mark_safe(u"")
+            else:
+                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
+        else:
+            # It's very probable that the token is missing because of
+            # misconfiguration, so we raise a warning
+            from django.conf import settings
+            if settings.DEBUG:
+                import warnings
+                warnings.warn("A {% csrf_token %} was used in a template, but the context did not provide the value.  This is usually caused by not using RequestContext.")
+            return u''
+
 class CycleNode(Node):
    def __init__(self, cyclevars, variable_name=None):
        self.cycle_iter = itertools_cycle(cyclevars)
@@ -523,6 +540,10 @@ def cycle(parser, token):
    return node
 cycle = register.tag(cycle)

+def csrf_token(parser, token):
+    return CsrfTokenNode()
+register.tag(csrf_token)
+
 def debug(parser, token):
    """
    Outputs a whole load of debugging information, including the current