From 9e3b327aca75b4b34abf6b00f1fd3c2cf65c8db6 Mon Sep 17 00:00:00 2001 From: James Bennett Date: Thu, 9 Sep 2010 00:34:54 +0000 Subject: [PATCH] Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/middleware/csrf.py | 6 ++++-- django/template/defaulttags.py | 3 ++- tests/regressiontests/csrf_tests/tests.py | 7 +++++-- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index 1b9cd33e4b..ca2ec8aa38 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -13,6 +13,7 @@ from django.conf import settings from django.core.urlresolvers import get_callable from django.utils.cache import patch_vary_headers from django.utils.hashcompat import md5_constructor +from django.utils.html import escape from django.utils.safestring import mark_safe _POST_FORM_RE = \ @@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id): def get_token(request): """ - Returns the the CSRF token required for a POST form. + Returns the the CSRF token required for a POST form. No assumptions should + be made about what characters might be in the CSRF token. A side effect of calling this function is to make the the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' @@ -247,7 +249,7 @@ class CsrfResponseMiddleware(object): """Returns the matched
tag plus the added element""" return mark_safe(match.group() + "
" + \ "
") # Modify any POST forms diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py index d629a690c5..0914b1c3b1 100644 --- a/django/template/defaulttags.py +++ b/django/template/defaulttags.py @@ -9,6 +9,7 @@ from django.template import TemplateSyntaxError, VariableDoesNotExist, BLOCK_TAG from django.template import get_library, Library, InvalidTemplateLibrary from django.template.smartif import IfParser, Literal from django.conf import settings +from django.utils.html import escape from django.utils.encoding import smart_str, smart_unicode from django.utils.safestring import mark_safe @@ -42,7 +43,7 @@ class CsrfTokenNode(Node): if csrf_token == 'NOTPROVIDED': return mark_safe(u"") else: - return mark_safe(u"
" % (csrf_token)) + return mark_safe(u"
" % escape(csrf_token)) else: # It's very probable that the token is missing because of # misconfiguration, so we raise a warning diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py index f383978266..fadecf565e 100644 --- a/tests/regressiontests/csrf_tests/tests.py +++ b/tests/regressiontests/csrf_tests/tests.py @@ -6,6 +6,7 @@ from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt from django.core.context_processors import csrf from django.contrib.sessions.middleware import SessionMiddleware +from django.utils.html import escape from django.utils.importlib import import_module from django.conf import settings from django.template import RequestContext, Template @@ -56,7 +57,9 @@ class TestingHttpRequest(HttpRequest): return getattr(self, '_is_secure', False) class CsrfMiddlewareTest(TestCase): - _csrf_id = "1" + # The csrf token is potentially from an untrusted source, so could have + # characters that need escaping + _csrf_id = "<1>" # This is a valid session token for this ID and secret key. This was generated using # the old code that we're to be backwards-compatible with. Don't use the CSRF code @@ -101,7 +104,7 @@ class CsrfMiddlewareTest(TestCase): return req def _check_token_present(self, response, csrf_id=None): - self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id)) + self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % escape(csrf_id or self._csrf_id)) # Check the post processing and outgoing cookie def test_process_response_no_csrf_cookie(self):