Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
ef4b29a001
commit
9e3b327aca
|
@ -13,6 +13,7 @@ from django.conf import settings
|
||||||
from django.core.urlresolvers import get_callable
|
from django.core.urlresolvers import get_callable
|
||||||
from django.utils.cache import patch_vary_headers
|
from django.utils.cache import patch_vary_headers
|
||||||
from django.utils.hashcompat import md5_constructor
|
from django.utils.hashcompat import md5_constructor
|
||||||
|
from django.utils.html import escape
|
||||||
from django.utils.safestring import mark_safe
|
from django.utils.safestring import mark_safe
|
||||||
|
|
||||||
_POST_FORM_RE = \
|
_POST_FORM_RE = \
|
||||||
|
@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id):
|
||||||
|
|
||||||
def get_token(request):
|
def get_token(request):
|
||||||
"""
|
"""
|
||||||
Returns the the CSRF token required for a POST form.
|
Returns the the CSRF token required for a POST form. No assumptions should
|
||||||
|
be made about what characters might be in the CSRF token.
|
||||||
|
|
||||||
A side effect of calling this function is to make the the csrf_protect
|
A side effect of calling this function is to make the the csrf_protect
|
||||||
decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
|
decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
|
||||||
|
@ -247,7 +249,7 @@ class CsrfResponseMiddleware(object):
|
||||||
"""Returns the matched <form> tag plus the added <input> element"""
|
"""Returns the matched <form> tag plus the added <input> element"""
|
||||||
return mark_safe(match.group() + "<div style='display:none;'>" + \
|
return mark_safe(match.group() + "<div style='display:none;'>" + \
|
||||||
"<input type='hidden' " + idattributes.next() + \
|
"<input type='hidden' " + idattributes.next() + \
|
||||||
" name='csrfmiddlewaretoken' value='" + csrf_token + \
|
" name='csrfmiddlewaretoken' value='" + escape(csrf_token) + \
|
||||||
"' /></div>")
|
"' /></div>")
|
||||||
|
|
||||||
# Modify any POST forms
|
# Modify any POST forms
|
||||||
|
|
|
@ -9,6 +9,7 @@ from django.template import TemplateSyntaxError, VariableDoesNotExist, BLOCK_TAG
|
||||||
from django.template import get_library, Library, InvalidTemplateLibrary
|
from django.template import get_library, Library, InvalidTemplateLibrary
|
||||||
from django.template.smartif import IfParser, Literal
|
from django.template.smartif import IfParser, Literal
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
|
from django.utils.html import escape
|
||||||
from django.utils.encoding import smart_str, smart_unicode
|
from django.utils.encoding import smart_str, smart_unicode
|
||||||
from django.utils.safestring import mark_safe
|
from django.utils.safestring import mark_safe
|
||||||
|
|
||||||
|
@ -42,7 +43,7 @@ class CsrfTokenNode(Node):
|
||||||
if csrf_token == 'NOTPROVIDED':
|
if csrf_token == 'NOTPROVIDED':
|
||||||
return mark_safe(u"")
|
return mark_safe(u"")
|
||||||
else:
|
else:
|
||||||
return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
|
return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))
|
||||||
else:
|
else:
|
||||||
# It's very probable that the token is missing because of
|
# It's very probable that the token is missing because of
|
||||||
# misconfiguration, so we raise a warning
|
# misconfiguration, so we raise a warning
|
||||||
|
|
|
@ -6,6 +6,7 @@ from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
|
||||||
from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
|
from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
|
||||||
from django.core.context_processors import csrf
|
from django.core.context_processors import csrf
|
||||||
from django.contrib.sessions.middleware import SessionMiddleware
|
from django.contrib.sessions.middleware import SessionMiddleware
|
||||||
|
from django.utils.html import escape
|
||||||
from django.utils.importlib import import_module
|
from django.utils.importlib import import_module
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from django.template import RequestContext, Template
|
from django.template import RequestContext, Template
|
||||||
|
@ -56,7 +57,9 @@ class TestingHttpRequest(HttpRequest):
|
||||||
return getattr(self, '_is_secure', False)
|
return getattr(self, '_is_secure', False)
|
||||||
|
|
||||||
class CsrfMiddlewareTest(TestCase):
|
class CsrfMiddlewareTest(TestCase):
|
||||||
_csrf_id = "1"
|
# The csrf token is potentially from an untrusted source, so could have
|
||||||
|
# characters that need escaping
|
||||||
|
_csrf_id = "<1>"
|
||||||
|
|
||||||
# This is a valid session token for this ID and secret key. This was generated using
|
# This is a valid session token for this ID and secret key. This was generated using
|
||||||
# the old code that we're to be backwards-compatible with. Don't use the CSRF code
|
# the old code that we're to be backwards-compatible with. Don't use the CSRF code
|
||||||
|
@ -101,7 +104,7 @@ class CsrfMiddlewareTest(TestCase):
|
||||||
return req
|
return req
|
||||||
|
|
||||||
def _check_token_present(self, response, csrf_id=None):
|
def _check_token_present(self, response, csrf_id=None):
|
||||||
self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))
|
self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % escape(csrf_id or self._csrf_id))
|
||||||
|
|
||||||
# Check the post processing and outgoing cookie
|
# Check the post processing and outgoing cookie
|
||||||
def test_process_response_no_csrf_cookie(self):
|
def test_process_response_no_csrf_cookie(self):
|
||||||
|
|
Loading…
Reference in New Issue