mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 14:16:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #24696 -- Made CSRF_COOKIE computation lazy.

Browse Source 
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.

Changed result of the “test_token_node_no_csrf_cookie” test:  It gets
a valid CSRF token now which seems like the correct behavior.

Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
This commit is contained in:
Jay Cox
2015-04-23 23:24:38 -07:00
committed by Tim Graham
parent 0894643e40
commit eef95ea96f
3 changed files with 17 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
django/middleware/csrf.py
View File

@@ -40,15 +40,17 @@ def _get_new_csrf_key():
def get_token(request):
"""
Returns the CSRF token required for a POST form. The token is an
alphanumeric value.
alphanumeric value. A new token is created if one is not already set.
A side effect of calling this function is to make the csrf_protect
decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
header to the outgoing response. For this reason, you may need to use this
function lazily, as is done by the csrf context processor.
"""
if "CSRF_COOKIE" not in request.META:
request.META["CSRF_COOKIE"] = _get_new_csrf_key()
request.META["CSRF_COOKIE_USED"] = True
return request.META.get("CSRF_COOKIE", None)
return request.META["CSRF_COOKIE"]
def rotate_token(request):
@@ -112,9 +114,6 @@ class CsrfViewMiddleware(object):
request.META['CSRF_COOKIE'] = csrf_token
except KeyError:
csrf_token = None
# Generate token and store it in the request, so it's
# available to the view.
request.META["CSRF_COOKIE"] = _get_new_csrf_key()
# Wait until request.META["CSRF_COOKIE"] has been manipulated before
# bailing out, so that get_token still works
@@ -194,12 +193,6 @@ class CsrfViewMiddleware(object):
if getattr(response, 'csrf_processing_done', False):
return response
# If CSRF_COOKIE is unset, then CsrfViewMiddleware.process_view was
# never called, probably because a request middleware returned a response
# (for example, contrib.auth redirecting to a login page).
if request.META.get("CSRF_COOKIE") is None:
return response
if not request.META.get("CSRF_COOKIE_USED", False):
return response