From a02a6fab66afc9462c79cc4914f4624b640165f4 Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Sat, 24 Oct 2009 10:45:58 +0000
Subject: [PATCH] Fixed #9163 - CsrfMiddleware needs to reset ETag header Thanks to carljm for report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/csrf/middleware.py | 8 +++++++-
 docs/ref/contrib/csrf.txt | 12 ++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/django/contrib/csrf/middleware.py b/django/contrib/csrf/middleware.py
index 0d0a8eca9e..40cbcf502b 100644
--- a/django/contrib/csrf/middleware.py
+++ b/django/contrib/csrf/middleware.py
@@ -101,7 +101,13 @@ class CsrfResponseMiddleware(object):
 "' />")
 # Modify any POST forms
- response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
+ response.content, n = _POST_FORM_RE.subn(add_csrf_field, response.content)
+ if n > 0:
+ # Since the content has been modified, any Etag will now be
+ # incorrect. We could recalculate, but only is we assume that
+ # the Etag was set by CommonMiddleware. The safest thing is just
+ # to delete. See bug #9163
+ del response['ETag']
 return response
 class CsrfMiddleware(CsrfViewMiddleware, CsrfResponseMiddleware):
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 1b6b6102de..cbe55dc38a 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
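Review bot: Inside the new `if n > 0:` branch only `ETag` is dropped, so a `Content-Length` header that an upstream component set before this middleware ran would still describe the body as it was before the hidden token field was inserted. Consider refreshing it in the same branch, e.g. `if response.has_header('Content-Length'): response['Content-Length'] = str(len(response.content))`. The added comment has a typo, `only is we assume` should read `only if we assume`, and it mixes `Etag` with `ETag`. The diffstat lists no test file, so a regression test asserting that the header is gone once a POST form has been rewritten would be worth adding. The enclosing `process_response` starts above the hunk, so which headers can actually be present at this point is inferred.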
@@ -22,12 +22,12 @@ middleware into your list of installed middleware.
 How to use it
 =============
-Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
-your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
-the response after the SessionMiddleware, so must come before it in the
-list. It also must process the response before things like compression
-happen to the response, so it must come after GZipMiddleware in the
-list.
+Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to your
+list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
+the response after the SessionMiddleware, so must come before it in the list. It
+also must process the response before things like compression or setting of
+ETags happen to the response, so it must come after GZipMiddleware,
+CommonMiddleware and ConditionalGetMiddleware in the list.
 The ``CsrfMiddleware`` class is actually composed of two middleware:
 ``CsrfViewMiddleware`` which performs the checks on incoming requests,