innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity
30,090 Commits 25 Branches 361 Tags 501 MiB
Commit Graph

91 Commits

Author SHA1 Message Date
Chris Jerdonek 231de683d8 Refs #32800 -- Added _add_new_csrf_cookie() helper function. 
This centralizes the logic to use when setting a new cookie. It also
eliminates the need for the _get_new_csrf_token() function, which is now
removed.
 2021-08-17 12:23:54 +02:00
Chris Jerdonek f10553ec93 Refs #32800 -- Renamed _set_token() to _set_csrf_cookie(). 2021-08-17 12:23:54 +02:00
Chris Jerdonek 7132341255 Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match(). 2021-08-03 07:10:31 +02:00
Chris Jerdonek 7c30bdbdb1 Refs #32916 -- Replaced request.csrf_cookie_needs_reset with request.META['CSRF_COOKIE_NEEDS_UPDATE']. 2021-07-29 11:55:36 +02:00
Chris Jerdonek 6ebf931de8 Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and request.csrf_cookie_needs_reset. 2021-07-29 11:55:36 +02:00
Virtosu Bogdan 00ea883ef5 Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError. 
Thanks Chris Jerdonek for the review.
 2021-07-23 13:10:41 +02:00
Chris Jerdonek a2e1f1e295 Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset logic. 
Thanks Florian Apolloner and Shai Berger for reviews.
 2021-07-23 07:08:45 +02:00
Chris Jerdonek fcb75651f9 Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token error messages. 2021-06-23 16:07:15 +02:00
Chris Jerdonek ee408309d2
Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token(). 2021-06-22 07:42:28 +02:00
Chris Jerdonek 316cc34d04 Fixed comment in CsrfViewMiddleware to say _reject instead of reject. 2021-06-12 16:46:42 +02:00
Chris Jerdonek cd19db10df Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly formatted cookie tokens. 2021-06-01 09:02:27 +02:00
Chris Jerdonek 55775891fb Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly formatted tokens. 2021-05-31 21:12:21 +02:00
Chris Jerdonek d270dd584e
Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters. 
This also improves the comments near where the variable is used.
 2021-05-29 12:53:50 +02:00
Chris Jerdonek 214b36f50a Refs #32596 -- Added early return on safe methods in CsrfViewMiddleware.process_view(). 2021-05-28 07:32:01 +02:00
Chris Jerdonek cfd8c91839 Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay computing good_referer. 2021-05-28 07:32:01 +02:00
Chris Jerdonek 71179a6124 Fixed #32596 -- Added CsrfViewMiddleware._check_referer(). 
This encapsulates CsrfViewMiddleware's referer logic into a method and
updates existing tests to check the "seam" introduced by the refactor,
when doing so would improve the test.
 2021-05-28 07:31:56 +02:00
abhiabhi94 866dccb650 Fixed #32778 -- Avoided unnecessary recompilation of token regex in _sanitize_token(). 2021-05-25 09:56:09 +02:00
Chris Jerdonek ff514309e1 Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host. 2021-03-25 10:34:58 +01:00
Chris Jerdonek f3825248a2 Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view(). 2021-03-25 06:48:36 +01:00
Chris Jerdonek 70332e6c43 Refs #32579 -- Optimized good_hosts creation in CsrfViewMiddleware.process_view(). 2021-03-25 06:39:35 +01:00
Adam Donaghy e49fdfa405 Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header. 2021-03-19 11:19:19 +01:00
Tim Graham 2411b8b5eb Fixed #16010 -- Added Origin header checking to CSRF middleware. 
Thanks David Benjamin for the original patch, and Florian
Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
 2021-03-18 20:25:20 +01:00
Tim Graham dba44a7a7a Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme. 2021-03-18 20:00:22 +01:00
Colton Hicks f283ffaa84 Fixed #28699 -- Fixed CSRF validation with remote user middleware. 
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
 2020-02-26 17:25:20 +01:00
Ram Rachum 5b09354954
Fixed #31291 -- Renamed salt to mask for CSRF tokens. 2020-02-25 14:16:19 +01:00
Sergey Fedoseev 0315c18fe1 Refs #26601 -- Removed obsolete workarounds for MIDDLEWARE_CLASSES setting. 2019-10-23 08:18:48 +02:00
Jon Dufresne 8b3f1c35dd Removed unnecessary assignments in various code. 2019-04-24 13:09:29 +02:00
Jon Dufresne 7785e03ba8 Fixed #30137 -- Replaced OSError aliases with the canonical OSError. 
Used more specific errors (e.g. FileExistsError) as appropriate.
 2019-01-28 11:15:06 -05:00
Michal Čihař 22e8ab0286 Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged. 2018-09-08 11:46:13 -04:00
Samir Shah 10b44e4525 Fixed #26688 -- Fixed HTTP request logging inconsistencies. 
* Added logging of 500 responses for instantiated responses.
* Added logging of all 4xx and 5xx responses.
 2018-05-04 20:55:03 -04:00
Alex Gaynor 9a56b4b13e Fixed #27863 -- Added support for the SameSite cookie flag. 
Thanks Alex Gaynor for contributing to the patch.
 2018-04-13 20:58:31 -04:00
Tomer Chachamu 7ec0fdf62a Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host. 2018-02-14 20:24:01 -05:00
Florian Apolloner c4c128d67c Fixed #28488 -- Reallowed error handlers to access CSRF tokens. 
Regression in eef95ea96f.
 2017-09-20 16:22:18 -04:00
Anton Samarchyan 86de930f41 Refs #27656 -- Updated remaining docstring verbs according to PEP 257. 2017-03-04 10:02:06 -05:00
Claude Paroz c688336ebc Refs #23919 -- Assumed request COOKIES and META are str 2017-01-30 14:13:29 +01:00
Claude Paroz 2b281cc35e Refs #23919 -- Removed most of remaining six usage 
Thanks Tim Graham for the review.
 2017-01-18 21:33:28 +01:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Raphael Michel ddf169cdac Refs #16859 -- Allowed storing CSRF tokens in sessions. 
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
 2016-11-30 08:57:27 -05:00
Holly Becker 55fec16aaf Fixed #26628 -- Changed CSRF logger to django.security.csrf. 2016-06-04 10:17:06 -04:00
Tim Graham 546649f2d6 Fixed some newlines in imports per isort. 2016-05-19 11:05:44 -04:00
Shai Berger 5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them 
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
 2016-05-19 05:02:19 +03:00
Florian Apolloner 9baf692a58 Fixed #26601 -- Improved middleware per DEP 0005. 
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
 2016-05-17 07:22:22 -04:00
Vasiliy Faronov ac77c55bc5 Fixed #26567 -- Updated references to obsolete RFC2616. 
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
 2016-05-03 11:14:40 -04:00
Tim Graham df8d8d4292 Fixed E128 flake8 warnings in django/. 2016-04-08 09:51:06 -04:00
chemary 2d28144c95 Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True). 2016-01-20 18:19:24 -05:00
Marten Kenbeek 16411b8400 Fixed #26013 -- Moved django.core.urlresolvers to django.urls. 
Thanks to Tim Graham for the review.
 2015-12-31 14:21:29 -05:00
Matt Robenolt b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. 
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
 2015-09-16 12:21:50 -04:00
Joshua Kehn ab26b65b2f Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS. 
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
 2015-09-05 09:19:57 -04:00
Jay Cox eef95ea96f Fixed #24696 -- Made CSRF_COOKIE computation lazy. 
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.

Changed result of the “test_token_node_no_csrf_cookie” test:  It gets
a valid CSRF token now which seems like the correct behavior.

Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
 2015-05-02 19:45:14 -04:00
Grzegorz Slusarek 668d53cd12 Fixed #21495 -- Added settings.CSRF_HEADER_NAME 2015-03-05 15:03:40 -05:00