Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters.

This also improves the comments near where the variable is used.
Chris Jerdonek 2021-05-29 03:53:50 -07:00 committed by GitHub
parent 5685b7cd73
commit d270dd584e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 3 deletions


@ -21,7 +21,8 @@ from django.utils.log import log_response
from django.utils.regex_helper import _lazy_re_compile
logger = logging.getLogger('django.security.csrf')
token_re = _lazy_re_compile('[^a-zA-Z0-9]')
# This matches if any character is not in CSRF_ALLOWED_CHARS.
invalid_token_chars_re = _lazy_re_compile('[^a-zA-Z0-9]')
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."
REASON_NO_REFERER = "Referer checking failed - no Referer."
@ -107,8 +108,8 @@ def rotate_token(request):
def _sanitize_token(token):
# Allow only ASCII alphanumerics
if token_re.search(token):
# Make sure all characters are in CSRF_ALLOWED_CHARS.
if invalid_token_chars_re.search(token):
return _get_new_csrf_token()
elif len(token) == CSRF_TOKEN_LENGTH:
return token
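Review bot: The new comment on the `invalid_token_chars_re` line says it matches any character not in CSRF_ALLOWED_CHARS, but the class is still hard-coded as `'[^a-zA-Z0-9]'` and neither this line nor `_sanitize_token` references the constant, so the regex and the constant can silently drift apart if the allowed set is ever changed. If CSRF_ALLOWED_CHARS is defined before this line (its definition is not visible in the hunk), deriving the class from it, e.g. `invalid_token_chars_re = _lazy_re_compile('[^%s]' % CSRF_ALLOWED_CHARS)` (wrapping the constant in `re.escape` only if it could ever contain class metacharacters), keeps the validation and the constant in sync by construction. Otherwise the comment should at least make the coupling explicit: `# This matches if any character is not in CSRF_ALLOWED_CHARS (keep the class in sync with that constant).`. The same implied coupling applies to the new comment in the second hunk inside `_sanitize_token`, whose body may continue past the hunk's last line.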