innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Fixed bug causing CSRF token not to rotate on login. 

Thanks Gavin McQuillan for the report.
This commit is contained in:
Tim Graham 2013-10-17 19:51:45 -04:00
parent a800036981
commit ac4fec5ca2
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
django/contrib/auth/tests/test_views.py
View File

@ -531,7 +531,6 @@ class LoginTest(AuthViewsTestCase):
CsrfViewMiddleware().process_view(req, login_view, (), {}) CsrfViewMiddleware().process_view(req, login_view, (), {})
req.META["SERVER_NAME"] = "testserver" # Required to have redirect work in login view req.META["SERVER_NAME"] = "testserver" # Required to have redirect work in login view
req.META["SERVER_PORT"] = 80 req.META["SERVER_PORT"] = 80
req.META["CSRF_COOKIE_USED"] = True
resp = login_view(req) resp = login_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp) resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None) csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None)

5
django/middleware/csrf.py
View File

@ -56,7 +56,10 @@ def rotate_token(request):
Changes the CSRF token in use for a request - should be done on login Changes the CSRF token in use for a request - should be done on login
for security purposes. for security purposes.
""" """
request.META["CSRF_COOKIE"] = _get_new_csrf_key() request.META.update({
"CSRF_COOKIE_USED": True,
"CSRF_COOKIE": _get_new_csrf_key(),
})
def _sanitize_token(token): def _sanitize_token(token):