Refs #32800 -- Avoided use of _does_token_match() in some CSRF tests.

2021-08-17 16:43:17 -04:00 · 2021-08-17 16:43:17 -04:00 · 3f0025c18a
parent 0820175d81
commit 3f0025c18a
3 changed files with 17 additions and 9 deletions
--- a/tests/csrf_tests/test_context_processor.py
+++ b/tests/csrf_tests/test_context_processor.py
@ -1,14 +1,15 @@
 from django.http import HttpRequest
-from django.middleware.csrf import _does_token_match as equivalent_tokens
 from django.template.context_processors import csrf
 from django.test import SimpleTestCase

+from .tests import CsrfFunctionTestMixin

-class TestContextProcessor(SimpleTestCase):
+
+class TestContextProcessor(CsrfFunctionTestMixin, SimpleTestCase):

    def test_force_token_to_string(self):
        request = HttpRequest()
        test_token = '1bcdefghij2bcdefghij3bcdefghij4bcdefghij5bcdefghij6bcdefghijABCD'
        request.META['CSRF_COOKIE'] = test_token
        token = csrf(request).get('csrf_token')
-        self.assertTrue(equivalent_tokens(str(token), test_token))
+        self.assertMaskedSecretCorrect(token, 'lcccccccX2kcccccccY2jcccccccssIC')
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@ -1396,13 +1396,14 @@ class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTest


@override_settings(ROOT_URLCONF='csrf_tests.csrf_token_error_handler_urls', DEBUG=False)
-class CsrfInErrorHandlingViewsTests(SimpleTestCase):
+class CsrfInErrorHandlingViewsTests(CsrfFunctionTestMixin, SimpleTestCase):
    def test_csrf_token_on_404_stays_constant(self):
        response = self.client.get('/does not exist/')
        # The error handler returns status code 599.
        self.assertEqual(response.status_code, 599)
-        token1 = response.content
+        token1 = response.content.decode('ascii')
        response = self.client.get('/does not exist/')
        self.assertEqual(response.status_code, 599)
-        token2 = response.content
-        self.assertTrue(_does_token_match(token1.decode('ascii'), token2.decode('ascii')))
+        token2 = response.content.decode('ascii')
+        secret2 = _unmask_cipher_token(token2)
+        self.assertMaskedSecretCorrect(token1, secret2)
--- a/tests/template_backends/test_dummy.py
+++ b/tests/template_backends/test_dummy.py
@ -3,7 +3,7 @@ import re
 from django.forms import CharField, Form, Media
 from django.http import HttpRequest, HttpResponse
 from django.middleware.csrf import (
-    CsrfViewMiddleware, _does_token_match as equivalent_tokens, get_token,
+    CSRF_TOKEN_LENGTH, CsrfViewMiddleware, _unmask_cipher_token, get_token,
 )
 from django.template import TemplateDoesNotExist, TemplateSyntaxError
 from django.template.backends.dummy import TemplateStrings
@ -74,6 +74,12 @@ class TemplateStringsTests(SimpleTestCase):

        self.assertHTMLEqual(content, expected)

+    def check_tokens_equivalent(self, token1, token2):
+        self.assertEqual(len(token1), CSRF_TOKEN_LENGTH)
+        self.assertEqual(len(token2), CSRF_TOKEN_LENGTH)
+        token1, token2 = map(_unmask_cipher_token, (token1, token2))
+        self.assertEqual(token1, token2)
+
    def test_csrf_token(self):
        request = HttpRequest()
        CsrfViewMiddleware(lambda req: HttpResponse()).process_view(request, lambda r: None, (), {})
@ -84,7 +90,7 @@ class TemplateStringsTests(SimpleTestCase):
        expected = '<input type="hidden" name="csrfmiddlewaretoken" value="([^"]+)">'
        match = re.match(expected, content) or re.match(expected.replace('"', "'"), content)
        self.assertTrue(match, "hidden csrftoken field not found in output")
-        self.assertTrue(equivalent_tokens(match[1], get_token(request)))
+        self.check_tokens_equivalent(match[1], get_token(request))

    def test_no_directory_traversal(self):
        with self.assertRaises(TemplateDoesNotExist):