From 02c59b7a4355fda8c99224b5de9c0a3929bffe22 Mon Sep 17 00:00:00 2001
From: Chris Jerdonek
Date: Mon, 5 Apr 2021 16:51:53 -0700
Subject: [PATCH] Refs #32596 -- Added extra tests for CsrfViewMiddleware's referer logic.
---
 tests/csrf_tests/tests.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 810c869690..5425c50fca 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -305,6 +305,19 @@ class CsrfViewMiddlewareTestMixin:
 status_code=403,
 )

+ @override_settings(DEBUG=True)
+ def test_https_no_referer(self):
+ """A POST HTTPS request with a missing referer is rejected."""
+ req = self._get_POST_request_with_token()
+ req._is_secure_override = True
+ mw = CsrfViewMiddleware(post_form_view)
+ response = mw.process_view(req, post_form_view, (), {})
+ self.assertContains(
+ response,
+ 'Referer checking failed - no Referer.',
+ status_code=403,
+ )
+
 def test_https_malformed_host(self):
 """
 CsrfViewMiddleware generates a 403 response if it receives an HTTPS
@@ -416,6 +429,21 @@ class CsrfViewMiddlewareTestMixin:
 resp = mw.process_view(req, post_form_view, (), {})
 self.assertIsNone(resp)

+ @override_settings(CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
+ def test_https_good_referer_malformed_host(self):
+ """
+ A POST HTTPS request is accepted if it receives a good referer with
+ a bad host.
+ """
+ req = self._get_POST_request_with_token()
+ req._is_secure_override = True
+ req.META['HTTP_HOST'] = '@malformed'
+ req.META['HTTP_REFERER'] = 'https://dashboard.example.com/somepage'
+ mw = CsrfViewMiddleware(post_form_view)
+ mw.process_request(req)
+ resp = mw.process_view(req, post_form_view, (), {})
+ self.assertIsNone(resp)
+
 @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
 def test_https_csrf_trusted_origin_allowed(self):
 """
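Review bot: In `test_https_no_referer` the `@override_settings(DEBUG=True)` decorator is unexplained, and unlike `test_https_good_referer_malformed_host` in the second hunk the test never calls `mw.process_request(req)`. Presumably DEBUG is enabled so that the rejection reason appears in the 403 body that `assertContains` inspects, and `process_request` is skipped because the referer check rejects before the token is consulted; both are inferred, since the middleware is not part of this diff. I would say so in the test, for example `# DEBUG=True so the 403 page includes the rejection reason.` above the decorator. Keep the exact reason string in the assertion: it is what shows the request failed the referer check rather than the token check.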
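Review bot: The docstring of `test_https_good_referer_malformed_host` says "a good referer with a bad host" without saying what makes the referer good, which is the security-relevant part of this test. From the visible lines, the referer's origin is the one listed in `CSRF_TRUSTED_ORIGINS`, and the test pins that a malformed `Host` header (`'@malformed'`) does not turn that match into a rejection. I would spell that out, e.g. `A POST HTTPS request is accepted when the referer matches CSRF_TRUSTED_ORIGINS, even if the Host header is malformed.` That way a later change to how the host and trusted-origin checks interact is recognised as a deliberate behaviour change.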