Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.

Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
2025-10-24 06:06:09 +00:00 · 2015-03-17 02:52:55 -07:00
parent 535809e121
commit b0c56b895f
8 changed files with 177 additions and 64 deletions
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -10,31 +10,6 @@ from django.utils.datastructures import MultiValueDict

 class TestUtilsHttp(unittest.TestCase):

-    def test_same_origin_true(self):
-        # Identical
-        self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com/'))
-        # One with trailing slash - see #15617
-        self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com/'))
-        self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com'))
-        # With port
-        self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/'))
-        # No port given but according to RFC6454 still the same origin
-        self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com:80/'))
-        self.assertTrue(http.same_origin('https://foo.com', 'https://foo.com:443/'))
-
-    def test_same_origin_false(self):
-        # Different scheme
-        self.assertFalse(http.same_origin('http://foo.com', 'https://foo.com'))
-        # Different host
-        self.assertFalse(http.same_origin('http://foo.com', 'http://goo.com'))
-        # Different host again
-        self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com'))
-        # Different port
-        self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001'))
-        # No port given
-        self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com:8000/'))
-        self.assertFalse(http.same_origin('https://foo.com', 'https://foo.com:8000/'))
-
    def test_urlencode(self):
        # 2-tuples (the norm)
        result = http.urlencode((('a', 1), ('b', 2), ('c', 3)))
@@ -157,6 +132,25 @@ class TestUtilsHttp(unittest.TestCase):
            http.urlunquote_plus('Paris+&+Orl%C3%A9ans'),
            'Paris & Orl\xe9ans')

+    def test_is_same_domain_good(self):
+        for pair in (
+            ('example.com', 'example.com'),
+            ('example.com', '.example.com'),
+            ('foo.example.com', '.example.com'),
+            ('example.com:8888', 'example.com:8888'),
+            ('example.com:8888', '.example.com:8888'),
+            ('foo.example.com:8888', '.example.com:8888'),
+        ):
+            self.assertTrue(http.is_same_domain(*pair))
+
+    def test_is_same_domain_bad(self):
+        for pair in (
+            ('example2.com', 'example.com'),
+            ('foo.example.com', 'example.com'),
+            ('example.com:9999', 'example.com:8888'),
+        ):
+            self.assertFalse(http.is_same_domain(*pair))
+

 class ETagProcessingTests(unittest.TestCase):
    def test_parsing(self):