Fixed #9163 - CsrfMiddleware needs to reset ETag header

Thanks to carljm for report and patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 10:45:58 +00:00 · 2009-10-24 10:45:58 +00:00 · a02a6fab66
parent c44fdf6a1e
commit a02a6fab66
2 changed files with 13 additions and 7 deletions
--- a/django/contrib/csrf/middleware.py
+++ b/django/contrib/csrf/middleware.py
@ -101,7 +101,13 @@ class CsrfResponseMiddleware(object):
                "' /></div>")

            # Modify any POST forms
-            response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
+            response.content, n = _POST_FORM_RE.subn(add_csrf_field, response.content)
+            if n > 0:
+                # Since the content has been modified, any Etag will now be
+                # incorrect.  We could recalculate, but only is we assume that
+                # the Etag was set by CommonMiddleware. The safest thing is just
+                # to delete. See bug #9163
+                del response['ETag']
        return response

 class CsrfMiddleware(CsrfViewMiddleware, CsrfResponseMiddleware):
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@ -22,12 +22,12 @@ middleware into your list of installed middleware.
 How to use it
 =============

-Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
-your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
-the response after the SessionMiddleware, so must come before it in the
-list. It also must process the response before things like compression
-happen to the response, so it must come after GZipMiddleware in the
-list.
+Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to your
+list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
+the response after the SessionMiddleware, so must come before it in the list. It
+also must process the response before things like compression or setting of
+ETags happen to the response, so it must come after GZipMiddleware,
+CommonMiddleware and ConditionalGetMiddleware in the list.

 The ``CsrfMiddleware`` class is actually composed of two middleware:
 ``CsrfViewMiddleware`` which performs the checks on incoming requests,