Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
James Bennett 2010-09-09 00:34:54 +00:00
parent ef4b29a001
commit 9e3b327aca
3 changed files with 11 additions and 5 deletions

View File

@ -13,6 +13,7 @@ from django.conf import settings
from django.core.urlresolvers import get_callable from django.core.urlresolvers import get_callable
from django.utils.cache import patch_vary_headers from django.utils.cache import patch_vary_headers
from django.utils.hashcompat import md5_constructor from django.utils.hashcompat import md5_constructor
from django.utils.html import escape
from django.utils.safestring import mark_safe from django.utils.safestring import mark_safe
_POST_FORM_RE = \ _POST_FORM_RE = \
@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id):
def get_token(request): def get_token(request):
""" """
Returns the the CSRF token required for a POST form. Returns the the CSRF token required for a POST form. No assumptions should
be made about what characters might be in the CSRF token.
A side effect of calling this function is to make the the csrf_protect A side effect of calling this function is to make the the csrf_protect
decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
@ -247,7 +249,7 @@ class CsrfResponseMiddleware(object):
"""Returns the matched <form> tag plus the added <input> element""" """Returns the matched <form> tag plus the added <input> element"""
return mark_safe(match.group() + "<div style='display:none;'>" + \ return mark_safe(match.group() + "<div style='display:none;'>" + \
"<input type='hidden' " + idattributes.next() + \ "<input type='hidden' " + idattributes.next() + \
" name='csrfmiddlewaretoken' value='" + csrf_token + \ " name='csrfmiddlewaretoken' value='" + escape(csrf_token) + \
"' /></div>") "' /></div>")
# Modify any POST forms # Modify any POST forms

View File

@ -9,6 +9,7 @@ from django.template import TemplateSyntaxError, VariableDoesNotExist, BLOCK_TAG
from django.template import get_library, Library, InvalidTemplateLibrary from django.template import get_library, Library, InvalidTemplateLibrary
from django.template.smartif import IfParser, Literal from django.template.smartif import IfParser, Literal
from django.conf import settings from django.conf import settings
from django.utils.html import escape
from django.utils.encoding import smart_str, smart_unicode from django.utils.encoding import smart_str, smart_unicode
from django.utils.safestring import mark_safe from django.utils.safestring import mark_safe
@ -42,7 +43,7 @@ class CsrfTokenNode(Node):
if csrf_token == 'NOTPROVIDED': if csrf_token == 'NOTPROVIDED':
return mark_safe(u"") return mark_safe(u"")
else: else:
return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token)) return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))
else: else:
# It's very probable that the token is missing because of # It's very probable that the token is missing because of
# misconfiguration, so we raise a warning # misconfiguration, so we raise a warning

View File

@ -6,6 +6,7 @@ from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
from django.core.context_processors import csrf from django.core.context_processors import csrf
from django.contrib.sessions.middleware import SessionMiddleware from django.contrib.sessions.middleware import SessionMiddleware
from django.utils.html import escape
from django.utils.importlib import import_module from django.utils.importlib import import_module
from django.conf import settings from django.conf import settings
from django.template import RequestContext, Template from django.template import RequestContext, Template
@ -56,7 +57,9 @@ class TestingHttpRequest(HttpRequest):
return getattr(self, '_is_secure', False) return getattr(self, '_is_secure', False)
class CsrfMiddlewareTest(TestCase): class CsrfMiddlewareTest(TestCase):
_csrf_id = "1" # The csrf token is potentially from an untrusted source, so could have
# characters that need escaping
_csrf_id = "<1>"
# This is a valid session token for this ID and secret key. This was generated using # This is a valid session token for this ID and secret key. This was generated using
# the old code that we're to be backwards-compatible with. Don't use the CSRF code # the old code that we're to be backwards-compatible with. Don't use the CSRF code
@ -101,7 +104,7 @@ class CsrfMiddlewareTest(TestCase):
return req return req
def _check_token_present(self, response, csrf_id=None): def _check_token_present(self, response, csrf_id=None):
self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id)) self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % escape(csrf_id or self._csrf_id))
# Check the post processing and outgoing cookie # Check the post processing and outgoing cookie
def test_process_response_no_csrf_cookie(self): def test_process_response_no_csrf_cookie(self):