[1.8.x] Fixed #24389 -- Isolated the CSRF view from the TEMPLATES setting.

Thanks uranusjr for the report and analysis.

Backport of 88a5f17 from master
Aymeric Augustin 2015-02-22 15:40:04 +01:00
parent f0780df608
commit c564033408
2 changed files with 17 additions and 6 deletions


@ -1,6 +1,6 @@
from django.conf import settings from django.conf import settings
from django.http import HttpResponseForbidden from django.http import HttpResponseForbidden
from django.template import Context, Template from django.template import Context, Engine
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from django.utils.version import get_docs_version from django.utils.version import get_docs_version
@ -67,9 +67,9 @@ CSRF_FAILURE_TEMPLATE = """
<ul> <ul>
<li>Your browser is accepting cookies.</li> <li>Your browser is accepting cookies.</li>
<li>The view function uses <a <li>The view function passes a <code>request</code> to the template's <a
href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/templates/api/#subclassing-context-requestcontext"><code>RequestContext</code></a> href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a>
for the template, instead of <code>Context</code>.</li> method.</li>
<li>In the template, there is a <code>{% templatetag openblock %} csrf_token <li>In the template, there is a <code>{% templatetag openblock %} csrf_token
{% templatetag closeblock %}</code> template tag inside each POST form that {% templatetag closeblock %}</code> template tag inside each POST form that
@ -102,7 +102,7 @@ def csrf_failure(request, reason=""):
Default view used when request fails CSRF protection Default view used when request fails CSRF protection
""" """
from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE
t = Template(CSRF_FAILURE_TEMPLATE) t = Engine().from_string(CSRF_FAILURE_TEMPLATE)
c = Context({ c = Context({
'title': _("Forbidden"), 'title': _("Forbidden"),
'main': _("CSRF verification failed. Request aborted."), 'main': _("CSRF verification failed. Request aborted."),
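Review bot: The rewritten docs link on the `href` line hardcodes `/en/dev/` where the old line used `{{ docs_version }}`, so a 1.8.x CSRF failure page now sends users to the development docs even though `get_docs_version` is still imported for this template; keep the version-pinned form, `href="https://docs.djangoproject.com/en/{{ docs_version }}/topics/templates/#django.template.backends.base.Template.render"`. The `t = Engine().from_string(CSRF_FAILURE_TEMPLATE)` line is the security-relevant part of the change and deserves a why-comment, because a private engine built with Django's defaults (no configured loaders, and autoescaping left on as far as I know) renders the 403 page even when TEMPLATES has no DjangoTemplates backend, so a CSRF rejection cannot degrade into a template-configuration 500. Suggested comment above that line: `# Render with a private Engine (default settings) instead of the configured TEMPLATES, so the 403 page works regardless of the project's template setup.` The remainder of the context dict and the render call in csrf_failure lie outside this hunk.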


@ -21,7 +21,6 @@ class CsrfViewTests(TestCase):
""" """
Test that an invalid request is rejected with a localized error message. Test that an invalid request is rejected with a localized error message.
""" """
response = self.client.post('/') response = self.client.post('/')
self.assertContains(response, "Forbidden", status_code=403) self.assertContains(response, "Forbidden", status_code=403)
self.assertContains(response, self.assertContains(response,
@ -63,3 +62,15 @@ class CsrfViewTests(TestCase):
"ensure that your browser is not being hijacked " "ensure that your browser is not being hijacked "
"by third parties.", "by third parties.",
status_code=403) status_code=403)
# In Django 2.0, this can be changed to TEMPLATES=[] because the code path
# that reads the TEMPLATE_* settings in that case will have been removed.
@override_settings(TEMPLATES=[{
'BACKEND': 'django.template.backends.dummy.TemplateStrings',
}])
def test_no_django_template_engine(self):
"""
The CSRF view doesn't depend on the TEMPLATES configuration (#24388).
"""
response = self.client.post('/')
self.assertContains(response, "Forbidden", status_code=403)
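Review bot: The docstring of `test_no_django_template_engine` cites #24388 while the commit title says it fixes #24389; one of the two is wrong, and if the title is right the docstring should read `The CSRF view doesn't depend on the TEMPLATES configuration (#24389).`. The single assertion checks "Forbidden" with a 403, which is the `title` value the view passes in, so it does prove the private engine rendered something; a second `assertContains` on text that only the template body supplies, for instance the "CSRF verification failed. Request aborted." message passed as `main` or a fragment of the docs link, would additionally catch a partially rendered page. The two-line comment on why `TEMPLATES=[]` cannot be used before Django 2.0 states a reason that is not visible in this hunk, so it is worth confirming against the settings code path it refers to.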