1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00
Commit Graph

56 Commits

Author SHA1 Message Date
Chris Jerdonek
ff514309e1 Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host. 2021-03-25 10:34:58 +01:00
Mariusz Felisiak
717b5e633a
Made CsrfViewMiddlewareTestMixin._get_GET_no_csrf_cookie_request() return GET requests. 2021-03-22 08:22:58 +01:00
Adam Donaghy
e49fdfa405 Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header. 2021-03-19 11:19:19 +01:00
Tim Graham
2411b8b5eb Fixed #16010 -- Added Origin header checking to CSRF middleware.
Thanks David Benjamin for the original patch, and Florian
Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
2021-03-18 20:25:20 +01:00
Tim Graham
dba44a7a7a Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme. 2021-03-18 20:00:22 +01:00
François Freitag
7ca7f4495b Refs #21429 -- Added SimpleTestCase.assertNoLogs() on Python < 3.10. 2021-03-02 20:35:33 +01:00
Jon Dufresne
d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__().
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
Ram Rachum
5b09354954
Fixed #31291 -- Renamed salt to mask for CSRF tokens. 2020-02-25 14:16:19 +01:00
Claude Paroz
4d973f5939 Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
Claude Paroz
9d5a487f33 Dropped obsolete mimetype kwarg in csrf test view 2019-09-21 20:46:39 +02:00
Jon Dufresne
7785e03ba8 Fixed #30137 -- Replaced OSError aliases with the canonical OSError.
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-28 11:15:06 -05:00
Michal Čihař
22e8ab0286 Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged. 2018-09-08 11:46:13 -04:00
Claude Paroz
607970f31c Replaced django.test.utils.patch_logger() with assertLogs().
Thanks Tim Graham for the review.
2018-05-07 09:34:00 -04:00
CHI Cheng
98019df855 Used double quotation marks for csrf form element. 2018-05-03 08:57:18 +02:00
Alex Gaynor
9a56b4b13e Fixed #27863 -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
2018-04-13 20:58:31 -04:00
Tomer Chachamu
7ec0fdf62a Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host. 2018-02-14 20:24:01 -05:00
Jon Dufresne
ff05de760c Fixed #29038 -- Removed closing slash from HTML void tags. 2018-01-21 02:09:10 -05:00
Florian Apolloner
c4c128d67c Fixed #28488 -- Reallowed error handlers to access CSRF tokens.
Regression in eef95ea96f.
2017-09-20 16:22:18 -04:00
Florian Apolloner
77f82c4bf1 Initialized CsrfViewMiddleware once in csrf_tests. 2017-09-20 16:22:12 -04:00
Claude Paroz
c688336ebc Refs #23919 -- Assumed request COOKIES and META are str 2017-01-30 14:13:29 +01:00
chillaranand
d6eaf7c018 Refs #23919 -- Replaced super(ClassName, self) with super(). 2017-01-25 12:23:46 -05:00
Claude Paroz
2366100872 Removed unneeded force_text calls in the test suite 2017-01-24 18:45:54 +01:00
Simon Charette
cecc079168 Refs #23919 -- Stopped inheriting from object to define new style classes. 2017-01-19 08:39:46 +01:00
Claude Paroz
7b2f2e74ad Refs #23919 -- Removed six.<various>_types usage
Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18 20:18:46 +01:00
Claude Paroz
d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Tim Graham
78500102b7 Moved csrf_tests views to a spearate file. 2016-11-30 18:24:29 -05:00
Raphael Michel
ddf169cdac Refs #16859 -- Allowed storing CSRF tokens in sessions.
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
za
321e94fa41 Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings. 2016-11-10 21:30:21 -05:00
Tim Graham
7fe2d8d940 Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
2016-11-01 09:30:57 -04:00
Jon Dufresne
4f336f6652 Fixed #26747 -- Used more specific assertions in the Django test suite. 2016-06-16 14:19:18 -04:00
Holly Becker
55fec16aaf Fixed #26628 -- Changed CSRF logger to django.security.csrf. 2016-06-04 10:17:06 -04:00
Shai Berger
5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
chemary
2d28144c95 Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True). 2016-01-20 18:19:24 -05:00
Josh Soref
93452a70e8 Fixed many spelling mistakes in code, comments, and docs. 2015-12-03 12:48:24 -05:00
Matt Robenolt
b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Joshua Kehn
e687794f6b Cleaned up docstrings in csrf_tests/tests.py. 2015-09-05 09:20:57 -04:00
Joshua Kehn
ab26b65b2f Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
2015-09-05 09:19:57 -04:00
Tim Graham
70be31bba7 Fixed #24836 -- Made force_text() resolve lazy objects. 2015-05-27 09:48:53 -04:00
Simon Charette
be67400b47 Refs #24652 -- Used SimpleTestCase where appropriate. 2015-05-20 13:46:13 -04:00
Jay Cox
eef95ea96f Fixed #24696 -- Made CSRF_COOKIE computation lazy.
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.

Changed result of the “test_token_node_no_csrf_cookie” test:  It gets
a valid CSRF token now which seems like the correct behavior.

Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
2015-05-02 19:45:14 -04:00
Grzegorz Slusarek
668d53cd12 Fixed #21495 -- Added settings.CSRF_HEADER_NAME 2015-03-05 15:03:40 -05:00
Tim Graham
0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Claude Paroz
011f21b4fa Used None-related assertions in CSRF tests
Thanks Markus Holtermann for spotting this.
2015-01-06 08:48:01 +01:00
Claude Paroz
27dd7e7271 Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review.
2015-01-06 08:42:58 +01:00
Aymeric Augustin
92e8f1f302 Moved context_processors from django.core to django.template. 2014-12-28 17:00:07 +01:00
Berker Peksag
f7969b0920 Fixed #23620 -- Used more specific assertions in the Django test suite. 2014-11-03 11:56:37 -05:00
Tim Graham
815e7a5721 Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.
Thanks Walter Doekes.
2014-06-25 07:08:16 -04:00
Roger Hu
9b729ddd8f Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
Thanks Paul McMillan for the review.
2014-03-06 08:28:43 -05:00
Aymeric Augustin
e32095616c Imported override_settings from its new location. 2013-12-23 21:37:56 +01:00
Aymeric Augustin
6e895f9e06 Removed superfluous models.py files.
Added comments in the three empty models.py files that are still needed.

Adjusted the test runner to add applications corresponding to test
labels to INSTALLED_APPS even when they don't have a models module.
2013-12-17 11:16:48 +01:00