Fixed #21495 -- Added settings.CSRF_HEADER_NAME
parent
8e744fa150
commit
668d53cd12
1
AUTHORS
1
AUTHORS
|
@ -264,6 +264,7 @@ answer newbie questions, and generally made Django that much better:
|
||||||
Greg Chapple <gregchapple1@gmail.com>
|
Greg Chapple <gregchapple1@gmail.com>
|
||||||
Gregor Müllegger <gregor@muellegger.de>
|
Gregor Müllegger <gregor@muellegger.de>
|
||||||
Grigory Fateyev <greg@dial.com.ru>
|
Grigory Fateyev <greg@dial.com.ru>
|
||||||
|
Grzegorz Ślusarek <grzegorz.slusarek@gmail.com>
|
||||||
Guilherme Mesquita Gondim <semente@taurinus.org>
|
Guilherme Mesquita Gondim <semente@taurinus.org>
|
||||||
Guillaume Pannatier <guillaume.pannatier@gmail.com>
|
Guillaume Pannatier <guillaume.pannatier@gmail.com>
|
||||||
Gustavo Picon
|
Gustavo Picon
|
||||||
|
|
|
@ -555,6 +555,7 @@ CSRF_COOKIE_DOMAIN = None
|
||||||
CSRF_COOKIE_PATH = '/'
|
CSRF_COOKIE_PATH = '/'
|
||||||
CSRF_COOKIE_SECURE = False
|
CSRF_COOKIE_SECURE = False
|
||||||
CSRF_COOKIE_HTTPONLY = False
|
CSRF_COOKIE_HTTPONLY = False
|
||||||
|
CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
|
||||||
|
|
||||||
############
|
############
|
||||||
# MESSAGES #
|
# MESSAGES #
|
||||||
|
|
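Review bot: The value on the added `CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'` line is a `request.META` key rather than a raw header name, and nothing in this settings hunk says so, while the neighbouring `CSRF_COOKIE_*` settings are plain values that can be copied literally. Since a value such as `'X-CSRFToken'` would silently never match, I would put a one-line comment above the setting: `# A request.META key (upper-cased, '-' replaced by '_', 'HTTP_' prefix), not the raw header name.`. The same wording could be reused in the docs hunk for this setting, which currently explains the normalization only by example.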
|
@ -183,7 +183,7 @@ class CsrfViewMiddleware(object):
|
||||||
if request_csrf_token == "":
|
if request_csrf_token == "":
|
||||||
# Fall back to X-CSRFToken, to make things easier for AJAX,
|
# Fall back to X-CSRFToken, to make things easier for AJAX,
|
||||||
# and possible for PUT/DELETE.
|
# and possible for PUT/DELETE.
|
||||||
request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
|
request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '')
|
||||||
|
|
||||||
if not constant_time_compare(request_csrf_token, csrf_token):
|
if not constant_time_compare(request_csrf_token, csrf_token):
|
||||||
return self._reject(request, REASON_BAD_TOKEN)
|
return self._reject(request, REASON_BAD_TOKEN)
|
||||||
|
|
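Review bot: The comment on the two lines above the changed `request.META.get(settings.CSRF_HEADER_NAME, '')` call still says "Fall back to X-CSRFToken", which is now only true for the default value of the setting. I would change it to `# Fall back to the header named by settings.CSRF_HEADER_NAME (X-CSRFToken by default), to make things easier for AJAX, and possible for PUT/DELETE.`. Nothing in the new code checks that the configured value is a META-style key (`HTTP_...`); a raw header name would never be found, and the request would presumably then be rejected by the `constant_time_compare` check below rather than bypassed, so the failure mode is a silent loss of the header path, which a system check or a clear note at the setting would surface earlier. The enclosing process_view method starts before and ends after this hunk.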
|
@ -92,6 +92,9 @@ protection for your views as outlined above.
|
||||||
The CSRF token cookie is named ``csrftoken`` by default, but you can control
|
The CSRF token cookie is named ``csrftoken`` by default, but you can control
|
||||||
the cookie name via the :setting:`CSRF_COOKIE_NAME` setting.
|
the cookie name via the :setting:`CSRF_COOKIE_NAME` setting.
|
||||||
|
|
||||||
|
The CSRF header name is ``HTTP_X_CSRFTOKEN`` by default, but you can
|
||||||
|
customize it using the :setting:`CSRF_HEADER_NAME` setting.
|
||||||
|
|
||||||
Acquiring the token is straightforward:
|
Acquiring the token is straightforward:
|
||||||
|
|
||||||
.. code-block:: javascript
|
.. code-block:: javascript
|
||||||
|
@ -456,3 +459,4 @@ A number of settings can be used to control Django's CSRF behavior:
|
||||||
* :setting:`CSRF_COOKIE_PATH`
|
* :setting:`CSRF_COOKIE_PATH`
|
||||||
* :setting:`CSRF_COOKIE_SECURE`
|
* :setting:`CSRF_COOKIE_SECURE`
|
||||||
* :setting:`CSRF_FAILURE_VIEW`
|
* :setting:`CSRF_FAILURE_VIEW`
|
||||||
|
* :setting:`CSRF_HEADER_NAME`
|
||||||
|
|
|
@ -409,6 +409,23 @@ where ``reason`` is a short message (intended for developers or logging, not for
|
||||||
end users) indicating the reason the request was rejected. See
|
end users) indicating the reason the request was rejected. See
|
||||||
:doc:`/ref/csrf`.
|
:doc:`/ref/csrf`.
|
||||||
|
|
||||||
|
.. setting:: CSRF_HEADER_NAME
|
||||||
|
|
||||||
|
CSRF_HEADER_NAME
|
||||||
|
----------------
|
||||||
|
|
||||||
|
.. versionadded:: 1.9
|
||||||
|
|
||||||
|
Default: ``'HTTP_X_CSRFTOKEN'``
|
||||||
|
|
||||||
|
The name of the request header used for CSRF authentication.
|
||||||
|
|
||||||
|
As with other HTTP headers in ``request.META``, the header name received from
|
||||||
|
the server is normalized by converting all characters to uppercase, replacing
|
||||||
|
any hyphens with underscores, and adding an ``'HTTP_'`` prefix to the name.
|
||||||
|
For example, if your client sends a ``'X-XSRF-TOKEN'`` header, the setting
|
||||||
|
should be ``'HTTP_X_XSRF_TOKEN'``.
|
||||||
|
|
||||||
.. setting:: DATABASES
|
.. setting:: DATABASES
|
||||||
|
|
||||||
DATABASES
|
DATABASES
|
||||||
|
@ -3261,6 +3278,7 @@ Security
|
||||||
* :setting:`CSRF_COOKIE_PATH`
|
* :setting:`CSRF_COOKIE_PATH`
|
||||||
* :setting:`CSRF_COOKIE_SECURE`
|
* :setting:`CSRF_COOKIE_SECURE`
|
||||||
* :setting:`CSRF_FAILURE_VIEW`
|
* :setting:`CSRF_FAILURE_VIEW`
|
||||||
|
* :setting:`CSRF_HEADER_NAME`
|
||||||
|
|
||||||
* :setting:`SECRET_KEY`
|
* :setting:`SECRET_KEY`
|
||||||
* :setting:`X_FRAME_OPTIONS`
|
* :setting:`X_FRAME_OPTIONS`
|
||||||
|
|
|
@ -142,6 +142,12 @@ Models
|
||||||
managers created by ``ForeignKey``, ``GenericForeignKey``, and
|
managers created by ``ForeignKey``, ``GenericForeignKey``, and
|
||||||
``ManyToManyField``.
|
``ManyToManyField``.
|
||||||
|
|
||||||
|
CSRF
|
||||||
|
^^^^
|
||||||
|
|
||||||
|
* The request header's name used for CSRF authentication can be customized
|
||||||
|
with :setting:`CSRF_HEADER_NAME`.
|
||||||
|
|
||||||
Signals
|
Signals
|
||||||
^^^^^^^
|
^^^^^^^
|
||||||
|
|
||||||
|
|
|
@ -189,6 +189,16 @@ class CsrfViewMiddlewareTest(TestCase):
|
||||||
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
|
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
|
||||||
self.assertIsNone(req2)
|
self.assertIsNone(req2)
|
||||||
|
|
||||||
|
@override_settings(CSRF_HEADER_NAME='HTTP_X_CSRFTOKEN_CUSTOMIZED')
|
||||||
|
def test_csrf_token_in_header_with_customized_name(self):
|
||||||
|
"""
|
||||||
|
settings.CSRF_HEADER_NAME can be used to customize the CSRF header name
|
||||||
|
"""
|
||||||
|
req = self._get_POST_csrf_cookie_request()
|
||||||
|
req.META['HTTP_X_CSRFTOKEN_CUSTOMIZED'] = self._csrf_id
|
||||||
|
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
|
||||||
|
self.assertIsNone(req2)
|
||||||
|
|
||||||
def test_put_and_delete_rejected(self):
|
def test_put_and_delete_rejected(self):
|
||||||
"""
|
"""
|
||||||
Tests that HTTP PUT and DELETE methods have protection
|
Tests that HTTP PUT and DELETE methods have protection
|
||||||
|
|
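Review bot: The added test_csrf_token_in_header_with_customized_name only shows that the customized header is accepted; it does not show that the default `HTTP_X_CSRFTOKEN` header stops being honoured once the setting is overridden, which is the property an operator relies on when the setting is used to stop trusting a header name that some client or proxy already sends. I would extend the test with a second request that sets only the default header and assert it is rejected; presumably process_view returns a non-None response in that case, as the `_reject` return in the middleware hunk suggests, but the exact response shape is not visible here. The enclosing class CsrfViewMiddlewareTest continues outside the hunk.
```python
        self.assertIsNone(req2)
        # The default header name must no longer be honoured once customized.
        req = self._get_POST_csrf_cookie_request()
        req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
        self.assertIsNotNone(req2)
```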