37 Commits

Author	SHA1	Message	Date
Claude Paroz	c688336ebc	Refs #23919 -- Assumed request COOKIES and META are str	2017-01-30 14:13:29 +01:00
chillaranand	d6eaf7c018	Refs #23919 -- Replaced super(ClassName, self) with super().	2017-01-25 12:23:46 -05:00
Claude Paroz	2366100872	Removed unneeded force_text calls in the test suite	2017-01-24 18:45:54 +01:00
Simon Charette	cecc079168	Refs #23919 -- Stopped inheriting from object to define new style classes.	2017-01-19 08:39:46 +01:00
Claude Paroz	7b2f2e74ad	Refs #23919 -- Removed six.<various>_types usage ... Thanks Tim Graham and Simon Charette for the reviews.	2017-01-18 20:18:46 +01:00
Claude Paroz	d7b9aaa366	Refs #23919 -- Removed encoding preambles and future imports	2017-01-18 09:55:19 +01:00
Tim Graham	78500102b7	Moved csrf_tests views to a spearate file.	2016-11-30 18:24:29 -05:00
Raphael Michel	ddf169cdac	Refs #16859 -- Allowed storing CSRF tokens in sessions. ... Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review.	2016-11-30 08:57:27 -05:00
za	321e94fa41	Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings.	2016-11-10 21:30:21 -05:00
Tim Graham	7fe2d8d940	Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True. ... This is a security fix.	2016-11-01 09:30:57 -04:00
Jon Dufresne	4f336f6652	Fixed #26747 -- Used more specific assertions in the Django test suite.	2016-06-16 14:19:18 -04:00
Holly Becker	55fec16aaf	Fixed #26628 -- Changed CSRF logger to django.security.csrf.	2016-06-04 10:17:06 -04:00
Shai Berger	5112e65ef2	Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them ... Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.	2016-05-19 05:02:19 +03:00
chemary	2d28144c95	Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).	2016-01-20 18:19:24 -05:00
Josh Soref	93452a70e8	Fixed many spelling mistakes in code, comments, and docs.	2015-12-03 12:48:24 -05:00
Matt Robenolt	b0c56b895f	Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. ... Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.	2015-09-16 12:21:50 -04:00
Joshua Kehn	e687794f6b	Cleaned up docstrings in csrf_tests/tests.py.	2015-09-05 09:20:57 -04:00
Joshua Kehn	ab26b65b2f	Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS. ... Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.	2015-09-05 09:19:57 -04:00
Tim Graham	70be31bba7	Fixed #24836 -- Made force_text() resolve lazy objects.	2015-05-27 09:48:53 -04:00
Simon Charette	be67400b47	Refs #24652 -- Used SimpleTestCase where appropriate.	2015-05-20 13:46:13 -04:00
Jay Cox	eef95ea96f	Fixed #24696 -- Made CSRF_COOKIE computation lazy. ... Only compute the CSRF_COOKIE when it is actually used. This is a significant speedup for clients not using cookies. Changed result of the “test_token_node_no_csrf_cookie” test: It gets a valid CSRF token now which seems like the correct behavior. Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to use get_token() to trigger CSRF cookie inclusion instead of changing request.META["CSRF_COOKIE_USED"] directly.	2015-05-02 19:45:14 -04:00
Grzegorz Slusarek	668d53cd12	Fixed #21495 -- Added settings.CSRF_HEADER_NAME	2015-03-05 15:03:40 -05:00
Tim Graham	0ed7d15563	Sorted imports with isort; refs #23860.	2015-02-06 08:16:28 -05:00
Claude Paroz	011f21b4fa	Used None-related assertions in CSRF tests ... Thanks Markus Holtermann for spotting this.	2015-01-06 08:48:01 +01:00
Claude Paroz	27dd7e7271	Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware ... Thanks codeitloadit for the report, living180 for investigations and Tim Graham for the review.	2015-01-06 08:42:58 +01:00
Aymeric Augustin	92e8f1f302	Moved context_processors from django.core to django.template.	2014-12-28 17:00:07 +01:00
Berker Peksag	f7969b0920	Fixed #23620 -- Used more specific assertions in the Django test suite.	2014-11-03 11:56:37 -05:00
Tim Graham	815e7a5721	Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data. ... Thanks Walter Doekes.	2014-06-25 07:08:16 -04:00
Roger Hu	9b729ddd8f	Fixed #22185 -- Added settings.CSRF_COOKIE_AGE ... Thanks Paul McMillan for the review.	2014-03-06 08:28:43 -05:00
Aymeric Augustin	e32095616c	Imported override_settings from its new location.	2013-12-23 21:37:56 +01:00
Aymeric Augustin	6e895f9e06	Removed superfluous models.py files. ... Added comments in the three empty models.py files that are still needed. Adjusted the test runner to add applications corresponding to test labels to INSTALLED_APPS even when they don't have a models module.	2013-12-17 11:16:48 +01:00
Jason Myers	7a61c68c50	PEP8 cleanup ... Signed-off-by: Jason Myers <jason@jasonamyers.com>	2013-11-02 23:50:49 -05:00
Alex Gaynor	9d740eb8b1	Fix all violators of E231	2013-10-26 12:15:03 -07:00
Alex Gaynor	9d11522599	Removed some more unused local vars	2013-09-08 12:20:01 -07:00
Olivier Sels	63a9555d57	Fixed #19436 -- Don't log warnings in ensure_csrf_cookie.	2013-05-18 16:17:46 +02:00
Florian Apolloner	051cb1f4c6	Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks. ... Thanks to edevil for the report and saz for the patch.	2013-05-18 12:32:47 +02:00
Florian Apolloner	89f40e3624	Merged regressiontests and modeltests into the test root.	2013-02-26 14:36:57 +01:00