Commit Graph

45 Commits

Author SHA1 Message Date
Matt Robenolt b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Joshua Kehn ab26b65b2f Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
2015-09-05 09:19:57 -04:00
Jay Cox eef95ea96f Fixed #24696 -- Made CSRF_COOKIE computation lazy.
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.

Changed result of the “test_token_node_no_csrf_cookie” test:  It gets
a valid CSRF token now which seems like the correct behavior.

Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
2015-05-02 19:45:14 -04:00
Grzegorz Slusarek 668d53cd12 Fixed #21495 -- Added settings.CSRF_HEADER_NAME 2015-03-05 15:03:40 -05:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Claude Paroz 27dd7e7271 Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review.
2015-01-06 08:42:58 +01:00
Tim Graham 815e7a5721 Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.
Thanks Walter Doekes.
2014-06-25 07:08:16 -04:00
Roger Hu 9b729ddd8f Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
Thanks Paul McMillan for the review.
2014-03-06 08:28:43 -05:00
Milton Mazzarri cbc7cbbc5b Fixed flake8 E251 violations 2013-11-03 03:22:11 -06:00
Alex Gaynor 7548aa8ffd More attacking E302 violators 2013-11-02 13:12:09 -07:00
Bouke Haarsma 6107435386 Fixed #21324 -- Translate CSRF failure view
Thanks to Claude Paroz for the original patch.
2013-11-02 11:22:30 +01:00
Tim Graham ac4fec5ca2 Fixed bug causing CSRF token not to rotate on login.
Thanks Gavin McQuillan for the report.
2013-10-18 08:31:19 -04:00
Aymeric Augustin ffcf24c9ce Removed several unused imports. 2013-06-19 17:18:40 +02:00
Andrew Godwin 1514f17aa6 Rotate CSRF token on login 2013-05-24 22:15:08 +01:00
Olivier Sels 63a9555d57 Fixed #19436 -- Don't log warnings in ensure_csrf_cookie. 2013-05-18 16:17:46 +02:00
Aymeric Augustin 720888a146 Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
2013-02-07 09:48:08 +01:00
Tim Graham ee26797cff Fixed typos in docs and comments 2013-01-29 10:55:55 -07:00
Claude Paroz 26ff2be787 Imported getLogger directly from logging module
This was a remainder of some 2.4 compatibility code.
2012-09-20 21:03:24 +02:00
Collin Anderson f416ea9c8d fixed rfc comment typo in middleware/csrf.py 2012-09-10 12:11:24 -03:00
Claude Paroz d774ad752d [py3] Made csrf context processor return Unicode 2012-08-13 11:54:21 +02:00
Adrian Holovaty 7981efe04f Documentation (and some small source code) edits from [17432] - [17537]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17540 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-17 20:04:11 +00:00
Paul McMillan a77679dfaa Fixes #16827. Adds a length check to CSRF tokens before applying the santizing regex. Thanks to jedie for the report and zsiciarz for the initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17500 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-11 04:18:15 +00:00
Jannis Leidel f0a1633425 Fixed #17358 -- Updated logging calls to use official syntax for arguments instead of string interpolation. Thanks, spulec.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17480 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-09 18:58:36 +00:00
Luke Plant cb060f0f34 Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests
Thanks to brodie for the report, and further input from tow21

This is a potentially backwards incompatible change - if you were doing
PUT/DELETE requests and relying on the lack of protection, you will need to
update your code, as noted in the releaste notes.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:45:54 +00:00
Luke Plant 8cbcf1d3a6 Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie
Thanks to cfattarsi for the report and initial patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:22 +00:00
Luke Plant 8823021625 Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:26 +00:00
Luke Plant 21ef64e34c Removed Django 1.1 fallback for CSRF checks.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15948 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:14 +00:00
Adrian Holovaty 13864703bc Removed a bunch more Python 2.4 workarounds now that we don't support that version. Refs #15702 -- thanks to jonash for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15927 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28 02:11:19 +00:00
Luke Plant 243d0bec19 Fixed #15617 - CSRF referer checking too strict
Thanks to adam for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:37:09 +00:00
Luke Plant e57e296167 Corrected logging call in CSRF middleware
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-21 23:00:44 +00:00
Alex Gaynor 208630aa4b Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:06:27 +00:00
Luke Plant 90ac02300e Fixed #14565 - No csrf_token on 404 page.
This solution doesn't have the negative side-effects of [14356].

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28 11:47:15 +00:00
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee 1070c57b83 Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:20:07 +00:00
Russell Keith-Magee fea159282b Fixed #14406 -- Added a Python 2.4 compatibility to the logging interface. Thanks to Łukasz Rekucki for the report, and to Luke Plant for original patch this was based on.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13989 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-06 15:02:26 +00:00
Russell Keith-Magee 24acca4139 Fixed #12012 -- Added support for logging. Thanks to Vinay Sajip for his draft patch, and to the many people who gave feedback during development of the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13981 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 15:12:39 +00:00
Luke Plant 364583b894 Fixed #14235 - UnicodeDecodeError in CSRF middleware
Thanks to jbg for the report.

This changeset essentially backs out [13698] in favour of a method that
sanitizes the token rather than escaping it.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10 22:56:56 +00:00
James Bennett 9e3b327aca Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09 00:34:54 +00:00
Luke Plant e8cff0b8f3 Added explanatory note on CSRF failure page for the case of a missing Referer header.
This is intended to help power users who have disabled Referer headers, or
installed add-ons which have done so, and to help web site administrators
with debugging, since this problem will be browser specific and not a
programming error.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-03 16:28:10 +00:00
Luke Plant f92a21daa7 Added proper code comments for the HTTPS CSRF protection.
Refs #13489 which noticed a vague comment - thanks pmclanahan



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-30 22:30:37 +00:00
Luke Plant ac8b7ff021 Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt
This was a regression caused by the the CSRF changes in 1.2.

Thanks to edevil for the report.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-08 14:35:48 +00:00
Luke Plant 905dba3694 Misc clarifications in csrf middleware comments
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:31:20 +00:00
Luke Plant d0b900e6f5 Slight change to CSRF error messages to make debugging easier.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11669 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 14:04:21 +00:00
Luke Plant c2ffe94d9a Removed unused import.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11664 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:49:33 +00:00
Luke Plant 7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatiblity with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00