From c688336ebcc1bddc65f2d48e15b981b6caa7ef1a Mon Sep 17 00:00:00 2001
From: Claude Paroz
Date: Sun, 29 Jan 2017 14:58:20 +0100
Subject: [PATCH] Refs #23919 -- Assumed request COOKIES and META are str

---
 django/middleware/common.py | 5 ++---
 django/middleware/csrf.py | 9 ++-------
 django/template/context_processors.py | 3 +--
 tests/csrf_tests/tests.py | 24 ++----------------------
 4 files changed, 7 insertions(+), 34 deletions(-)

diff --git a/django/middleware/common.py b/django/middleware/common.py
index 304e6318c4..9d1a868245 100644
--- a/django/middleware/common.py
+++ b/django/middleware/common.py
@@ -11,7 +11,6 @@ from django.utils.cache import (
 cc_delim_re, get_conditional_response, set_response_etag,
 )
 from django.utils.deprecation import MiddlewareMixin, RemovedInDjango21Warning
-from django.utils.encoding import force_text
 
 
 class CommonMiddleware(MiddlewareMixin):
@@ -157,10 +156,10 @@ class BrokenLinkEmailsMiddleware(MiddlewareMixin):
 if response.status_code == 404 and not settings.DEBUG:
 domain = request.get_host()
 path = request.get_full_path()
- referer = force_text(request.META.get('HTTP_REFERER', ''), errors='replace')
+ referer = request.META.get('HTTP_REFERER', '')
 
 if not self.is_ignorable_request(request, path, domain, referer):
- ua = force_text(request.META.get('HTTP_USER_AGENT', ''), errors='replace')
+ ua = request.META.get('HTTP_USER_AGENT', '')
 ip = request.META.get('REMOTE_ADDR', '')
 mail_managers(
 "Broken %slink on %s" % (
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index f6584cbea8..44fe892229 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
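Review bot: The new `referer` and `ua` lines in BrokenLinkEmailsMiddleware rest on an assumption the code no longer states anywhere: request.META values arrive as str because a WSGI server hands headers over already decoded as latin-1 (PEP 3333), which is why the old force_text(..., errors='replace') could be dropped without changing what is seen on Python 3. A one-line comment would stop the next maintainer from re-adding a decode or expecting U+FFFD replacement, e.g. `# META values are str under WSGI (PEP 3333); no decoding needed.` The same assumption applies to the `referer = request.META.get('HTTP_REFERER')` line in the csrf.py hunk below and need not be repeated there if the comment references it. Both values remain untrusted header text that is interpolated into the managers' mail further down; this hunk does not change that. The enclosing method starts and ends outside the hunk.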
@@ -15,7 +15,6 @@ from django.urls import get_callable
 from django.utils.cache import patch_vary_headers
 from django.utils.crypto import constant_time_compare, get_random_string
 from django.utils.deprecation import MiddlewareMixin
-from django.utils.encoding import force_text
 from django.utils.http import is_same_domain
 
 logger = logging.getLogger('django.security.csrf')
@@ -107,7 +106,7 @@ def rotate_token(request):
 
 def _sanitize_token(token):
 # Allow only ASCII alphanumerics
- if re.search('[^a-zA-Z0-9]', force_text(token)):
+ if re.search('[^a-zA-Z0-9]', token):
 return _get_new_csrf_token()
 elif len(token) == CSRF_TOKEN_LENGTH:
 return token
@@ -238,11 +237,7 @@ class CsrfViewMiddleware(MiddlewareMixin):
 # Barth et al. found that the Referer header is missing for
 # same-domain requests in only about 0.2% of cases or less, so
 # we can use strict Referer checking.
- referer = force_text(
- request.META.get('HTTP_REFERER'),
- strings_only=True,
- errors='replace'
- )
+ referer = request.META.get('HTTP_REFERER')
 
 if referer is None:
 return self._reject(request, REASON_NO_REFERER)
diff --git a/django/template/context_processors.py b/django/template/context_processors.py
index 85cd3eaa5f..3e73d176ea 100644
--- a/django/template/context_processors.py
+++ b/django/template/context_processors.py
@@ -11,7 +11,6 @@ import itertools
 
 from django.conf import settings
 from django.middleware.csrf import get_token
-from django.utils.encoding import force_text
 from django.utils.functional import SimpleLazyObject, lazy
 
 
@@ -28,7 +27,7 @@ def csrf(request):
 # instead of returning an empty dict.
 return 'NOTPROVIDED'
 else:
- return force_text(token)
+ return token
 
 return {'csrf_token': SimpleLazyObject(_get_val)}
 
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 3531939a73..d0c56721fc 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
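Review bot: `_sanitize_token` now has an unstated str-only contract: `re.search('[^a-zA-Z0-9]', token)` raises TypeError for a bytes token where force_text used to coerce it, so a caller passing raw bytes fails loudly instead of being sanitized. The bare `# Allow only ASCII alphanumerics` comment should become a docstring that states the input type, e.g. `"""Sanitize a str CSRF token; any non-ASCII-alphanumeric input is replaced by a fresh token."""`, with the existing comment kept on the regex line. The function's final branch is outside the hunk, so I cannot say from here what tokens of other lengths produce.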
@@ -1,6 +1,5 @@
 import logging
 import re
-import warnings
 
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured
@@ -12,7 +11,6 @@ from django.middleware.csrf import (
 )
 from django.test import SimpleTestCase, override_settings
 from django.test.utils import patch_logger
-from django.utils.encoding import force_bytes
 from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
 
 from .views import (
@@ -202,7 +200,7 @@ class CsrfViewMiddlewareTestMixin:
 A new token is sent if the csrf_cookie is the empty string.
 """
 req = self._get_GET_no_csrf_cookie_request()
- req.COOKIES[settings.CSRF_COOKIE_NAME] = b""
+ req.COOKIES[settings.CSRF_COOKIE_NAME] = ""
 CsrfViewMiddleware().process_view(req, token_view, (), {})
 resp = token_view(req)
 
@@ -303,7 +301,7 @@ class CsrfViewMiddlewareTestMixin:
 response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
 self.assertContains(response, malformed_referer_msg, status_code=403)
 # Non-ASCII
- req.META['HTTP_REFERER'] = b'\xd8B\xf6I\xdf'
+ req.META['HTTP_REFERER'] = 'ØBöIß'
 response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
 self.assertContains(response, malformed_referer_msg, status_code=403)
 # missing scheme
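Review bot: The new Referer value `'ØBöIß'` in the non-ASCII case is exactly the latin-1 decoding of the bytes it replaces (`b'\xd8B\xf6I\xdf'`), which is what a WSGI server stores in META per PEP 3333, but nothing in the test says so and a reader may assume it is an arbitrary string. Extend the `# Non-ASCII` comment to record the derivation, e.g. `# Non-ASCII: latin-1 decoding of b'\xd8B\xf6I\xdf', as a WSGI server delivers it`, so the value is not later "corrected" to a UTF-8 reading that no longer matches what the middleware actually sees. The test method starts and ends outside the hunk.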
@@ -566,24 +564,6 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
 csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
 self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
 
- def test_process_view_token_invalid_bytes(self):
- """
- If the token contains improperly encoded unicode, it is ignored and a
- new token is created.
- """
- token = (b"<1>\xc2\xa1" + force_bytes(self._csrf_id, 'ascii'))[:CSRF_TOKEN_LENGTH]
- req = self._get_GET_no_csrf_cookie_request()
- req.COOKIES[settings.CSRF_COOKIE_NAME] = token
- # We expect a UnicodeWarning here, because we used broken utf-8 on purpose
- with warnings.catch_warnings():
- warnings.filterwarnings("ignore", category=UnicodeWarning)
- CsrfViewMiddleware().process_view(req, token_view, (), {})
- resp = token_view(req)
- resp2 = CsrfViewMiddleware().process_response(req, resp)
- csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
- self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
- self.assertNotEqual(csrf_cookie.value, token)
-
 def test_process_view_token_invalid_chars(self):
 """
 If the token contains non-alphanumeric characters, it is ignored and a