c4c128d67c
Fixed #28488 -- Reallowed error handlers to access CSRF tokens.
...
Regression in eef95ea96f
2017-09-20 16:22:18 -04:00
77f82c4bf1
Initialized CsrfViewMiddleware once in csrf_tests.
2017-09-20 16:22:12 -04:00
c688336ebc
Refs #23919 -- Assumed request COOKIES and META are str
2017-01-30 14:13:29 +01:00
d6eaf7c018
Refs #23919 -- Replaced super(ClassName, self) with super().
2017-01-25 12:23:46 -05:00
2366100872
Removed unneeded force_text calls in the test suite
2017-01-24 18:45:54 +01:00
cecc079168
Refs #23919 -- Stopped inheriting from object to define new style classes.
2017-01-19 08:39:46 +01:00
7b2f2e74ad
Refs #23919 -- Removed six.<various>_types usage
...
Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18 20:18:46 +01:00
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
78500102b7
Moved csrf_tests views to a spearate file.
2016-11-30 18:24:29 -05:00
ddf169cdac
Refs #16859 -- Allowed storing CSRF tokens in sessions.
...
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
321e94fa41
Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings.
2016-11-10 21:30:21 -05:00
7fe2d8d940
Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
...
This is a security fix.
2016-11-01 09:30:57 -04:00
4f336f6652
Fixed #26747 -- Used more specific assertions in the Django test suite.
2016-06-16 14:19:18 -04:00
55fec16aaf
Fixed #26628 -- Changed CSRF logger to django.security.csrf.
2016-06-04 10:17:06 -04:00
5112e65ef2
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
...
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
2d28144c95
Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).
2016-01-20 18:19:24 -05:00
93452a70e8
Fixed many spelling mistakes in code, comments, and docs.
2015-12-03 12:48:24 -05:00
b0c56b895f
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
...
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
e687794f6b
Cleaned up docstrings in csrf_tests/tests.py.
2015-09-05 09:20:57 -04:00
ab26b65b2f
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
...
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
2015-09-05 09:19:57 -04:00
70be31bba7
Fixed #24836 -- Made force_text() resolve lazy objects.
2015-05-27 09:48:53 -04:00
be67400b47
Refs #24652 -- Used SimpleTestCase where appropriate.
2015-05-20 13:46:13 -04:00
eef95ea96f
Fixed #24696 -- Made CSRF_COOKIE computation lazy.
...
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.
Changed result of the “test_token_node_no_csrf_cookie” test: It gets
a valid CSRF token now which seems like the correct behavior.
Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
2015-05-02 19:45:14 -04:00
668d53cd12
Fixed #21495 -- Added settings.CSRF_HEADER_NAME
2015-03-05 15:03:40 -05:00
0ed7d15563
Sorted imports with isort; refs #23860 .
2015-02-06 08:16:28 -05:00
011f21b4fa
Used None-related assertions in CSRF tests
...
Thanks Markus Holtermann for spotting this.
2015-01-06 08:48:01 +01:00
27dd7e7271
Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
...
Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review.
2015-01-06 08:42:58 +01:00
92e8f1f302
Moved context_processors from django.core to django.template.
2014-12-28 17:00:07 +01:00
f7969b0920
Fixed #23620 -- Used more specific assertions in the Django test suite.
2014-11-03 11:56:37 -05:00
815e7a5721
Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.
...
Thanks Walter Doekes.
2014-06-25 07:08:16 -04:00
9b729ddd8f
Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
...
Thanks Paul McMillan for the review.
2014-03-06 08:28:43 -05:00
e32095616c
Imported override_settings from its new location.
2013-12-23 21:37:56 +01:00
6e895f9e06
Removed superfluous models.py files.
...
Added comments in the three empty models.py files that are still needed.
Adjusted the test runner to add applications corresponding to test
labels to INSTALLED_APPS even when they don't have a models module.
2013-12-17 11:16:48 +01:00
7a61c68c50
PEP8 cleanup
...
Signed-off-by: Jason Myers <jason@jasonamyers.com>
2013-11-02 23:50:49 -05:00
9d740eb8b1
Fix all violators of E231
2013-10-26 12:15:03 -07:00
9d11522599
Removed some more unused local vars
2013-09-08 12:20:01 -07:00
63a9555d57
Fixed #19436 -- Don't log warnings in ensure_csrf_cookie.
2013-05-18 16:17:46 +02:00
051cb1f4c6
Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.
...
Thanks to edevil for the report and saz for the patch.
2013-05-18 12:32:47 +02:00
89f40e3624
Merged regressiontests and modeltests into the test root.
2013-02-26 14:36:57 +01:00
Florian Apolloner
Claude Paroz
chillaranand
Simon Charette
Tim Graham
Raphael Michel
za
Jon Dufresne
Holly Becker
Shai Berger
chemary
Josh Soref
Matt Robenolt
Joshua Kehn
Simon Charette
Jay Cox
Grzegorz Slusarek
Aymeric Augustin
Berker Peksag
Roger Hu
Jason Myers
Alex Gaynor
Olivier Sels