Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters.

This also improves the comments near where the variable is used.
This commit is contained in:
Chris Jerdonek 2021-05-29 03:53:50 -07:00 committed by GitHub
parent 5685b7cd73
commit d270dd584e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 3 deletions

View File

@ -21,7 +21,8 @@ from django.utils.log import log_response
from django.utils.regex_helper import _lazy_re_compile from django.utils.regex_helper import _lazy_re_compile
logger = logging.getLogger('django.security.csrf') logger = logging.getLogger('django.security.csrf')
token_re = _lazy_re_compile('[^a-zA-Z0-9]') # This matches if any character is not in CSRF_ALLOWED_CHARS.
invalid_token_chars_re = _lazy_re_compile('[^a-zA-Z0-9]')
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins." REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."
REASON_NO_REFERER = "Referer checking failed - no Referer." REASON_NO_REFERER = "Referer checking failed - no Referer."
@ -107,8 +108,8 @@ def rotate_token(request):
def _sanitize_token(token): def _sanitize_token(token):
# Allow only ASCII alphanumerics # Make sure all characters are in CSRF_ALLOWED_CHARS.
if token_re.search(token): if invalid_token_chars_re.search(token):
return _get_new_csrf_token() return _get_new_csrf_token()
elif len(token) == CSRF_TOKEN_LENGTH: elif len(token) == CSRF_TOKEN_LENGTH:
return token return token