Refs #23919 -- Assumed request COOKIES and META are str

django/middleware/common.py

@@ -11,7 +11,6 @@ from django.utils.cache import (
     cc_delim_re, get_conditional_response, set_response_etag,
 )
 from django.utils.deprecation import MiddlewareMixin, RemovedInDjango21Warning
-from django.utils.encoding import force_text
 
 
 class CommonMiddleware(MiddlewareMixin):
@@ -157,10 +156,10 @@ class BrokenLinkEmailsMiddleware(MiddlewareMixin):
         if response.status_code == 404 and not settings.DEBUG:
             domain = request.get_host()
             path = request.get_full_path()
-            referer = force_text(request.META.get('HTTP_REFERER', ''), errors='replace')
+            referer = request.META.get('HTTP_REFERER', '')
 
             if not self.is_ignorable_request(request, path, domain, referer):
-                ua = force_text(request.META.get('HTTP_USER_AGENT', '<none>'), errors='replace')
+                ua = request.META.get('HTTP_USER_AGENT', '<none>')
                 ip = request.META.get('REMOTE_ADDR', '<none>')
                 mail_managers(
                     "Broken %slink on %s" % (

django/middleware/csrf.py

@@ -15,7 +15,6 @@ from django.urls import get_callable
 from django.utils.cache import patch_vary_headers
 from django.utils.crypto import constant_time_compare, get_random_string
 from django.utils.deprecation import MiddlewareMixin
-from django.utils.encoding import force_text
 from django.utils.http import is_same_domain
 
 logger = logging.getLogger('django.security.csrf')
@@ -107,7 +106,7 @@ def rotate_token(request):
 
 def _sanitize_token(token):
     # Allow only ASCII alphanumerics
-    if re.search('[^a-zA-Z0-9]', force_text(token)):
+    if re.search('[^a-zA-Z0-9]', token):
         return _get_new_csrf_token()
     elif len(token) == CSRF_TOKEN_LENGTH:
         return token
@@ -238,11 +237,7 @@ class CsrfViewMiddleware(MiddlewareMixin):
                 # Barth et al. found that the Referer header is missing for
                 # same-domain requests in only about 0.2% of cases or less, so
                 # we can use strict Referer checking.
-                referer = force_text(
-                    request.META.get('HTTP_REFERER'),
-                    strings_only=True,
-                    errors='replace'
-                )
+                referer = request.META.get('HTTP_REFERER')
                 if referer is None:
                     return self._reject(request, REASON_NO_REFERER)
 

django/template/context_processors.py

@@ -11,7 +11,6 @@ import itertools
 
 from django.conf import settings
 from django.middleware.csrf import get_token
-from django.utils.encoding import force_text
 from django.utils.functional import SimpleLazyObject, lazy
 
 
@@ -28,7 +27,7 @@ def csrf(request):
             # instead of returning an empty dict.
             return 'NOTPROVIDED'
         else:
-            return force_text(token)
+            return token
 
     return {'csrf_token': SimpleLazyObject(_get_val)}
 

tests/csrf_tests/tests.py

@@ -1,6 +1,5 @@
 import logging
 import re
-import warnings
 
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured
@@ -12,7 +11,6 @@ from django.middleware.csrf import (
 )
 from django.test import SimpleTestCase, override_settings
 from django.test.utils import patch_logger
-from django.utils.encoding import force_bytes
 from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
 
 from .views import (
@@ -202,7 +200,7 @@ class CsrfViewMiddlewareTestMixin:
         A new token is sent if the csrf_cookie is the empty string.
         """
         req = self._get_GET_no_csrf_cookie_request()
-        req.COOKIES[settings.CSRF_COOKIE_NAME] = b""
+        req.COOKIES[settings.CSRF_COOKIE_NAME] = ""
         CsrfViewMiddleware().process_view(req, token_view, (), {})
         resp = token_view(req)
 
@@ -303,7 +301,7 @@ class CsrfViewMiddlewareTestMixin:
         response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
         self.assertContains(response, malformed_referer_msg, status_code=403)
         # Non-ASCII
-        req.META['HTTP_REFERER'] = b'\xd8B\xf6I\xdf'
+        req.META['HTTP_REFERER'] = 'ØBöIß'
         response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
         self.assertContains(response, malformed_referer_msg, status_code=403)
         # missing scheme
@@ -566,24 +564,6 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
         csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
         self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
 
-    def test_process_view_token_invalid_bytes(self):
-        """
-        If the token contains improperly encoded unicode, it is ignored and a
-        new token is created.
-        """
-        token = (b"<1>\xc2\xa1" + force_bytes(self._csrf_id, 'ascii'))[:CSRF_TOKEN_LENGTH]
-        req = self._get_GET_no_csrf_cookie_request()
-        req.COOKIES[settings.CSRF_COOKIE_NAME] = token
-        # We expect a UnicodeWarning here, because we used broken utf-8 on purpose
-        with warnings.catch_warnings():
-            warnings.filterwarnings("ignore", category=UnicodeWarning)
-            CsrfViewMiddleware().process_view(req, token_view, (), {})
-        resp = token_view(req)
-        resp2 = CsrfViewMiddleware().process_response(req, resp)
-        csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
-        self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
-        self.assertNotEqual(csrf_cookie.value, token)
-
     def test_process_view_token_invalid_chars(self):
         """
         If the token contains non-alphanumeric characters, it is ignored and a