311401d9a2
Refs #32902 -- Added CSRF test when rotate_token() is called between resetting the token and processing response.
2021-07-23 06:56:53 +02:00
43d1ea6e2f
Refs #32885 -- Used _read_csrf_cookie()/_set_csrf_cookie() in more CSRF tests.
2021-06-30 07:48:15 +02:00
abc8795632
Fixed #32885 -- Removed cookie-based token specific logic from CsrfViewMiddlewareTestMixin.
2021-06-30 07:48:15 +02:00
594d6e9407
Refs #32843 -- Added CsrfViewMiddlewareTestMixin._get_csrf_cookie_request() hook.
2021-06-29 08:56:13 +02:00
c8439d1dba
Refs #32843 -- Added method/cookie arguments to CsrfViewMiddlewareTestMixin._get_request().
...
This also removes unnecessary test hooks.
2021-06-29 08:56:13 +02:00
6bccb64347
Refs #32843 -- Moved _get_GET_csrf_cookie_request() to CsrfViewMiddlewareTestMixin.
2021-06-29 08:56:05 +02:00
4397d2bd6b
Fixed #32843 -- Ensured the CSRF tests' _get_GET_csrf_cookie_request() sets the request method.
2021-06-29 08:14:25 +02:00
5e60c3943b
Refs #32800 -- Added CsrfViewMiddleware tests for all combinations of masked/unmasked cookies and tokens.
2021-06-28 08:31:30 +02:00
defa8d3d87
Refs #32800 -- Made CsrfViewMiddlewareTestMixin._csrf_id_cookie and _csrf_id_token different.
...
This also renames CsrfViewMiddlewareTestMixin._csrf_id to _csrf_id_token.
2021-06-28 08:09:53 +02:00
2523c32d50
Refs #32800 -- Eliminated the need for separate _get_POST_bare_secret() methods.
2021-06-28 08:08:43 +02:00
c8108591b9
Refs #32800 -- Added to csrf_tests/tests.py the unmasked version of the secret.
...
This also adds tests that the secret is correct, and updates existing
tests to use the value.
2021-06-28 07:59:22 +02:00
fcb75651f9
Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token error messages.
2021-06-23 16:07:15 +02:00
1a284afb07
Refs #32817 -- Added tests for bad CSRF token provided via X-CSRFToken or custom header.
2021-06-23 16:07:07 +02:00
6837bd68a4
Refs #32817 -- Added post_token/meta_token/token_header arguments to _get_POST_csrf_cookie_request().
2021-06-23 16:07:07 +02:00
999402f142
Refs #32817 -- Combined the bad-or-missing CSRF token tests.
2021-06-23 16:07:07 +02:00
cd19db10df
Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly formatted cookie tokens.
2021-06-01 09:02:27 +02:00
623cec0879
Refs #32796 -- Added CsrfViewMiddleware tests for incorrectly formatted cookie tokens.
2021-06-01 09:02:23 +02:00
55775891fb
Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly formatted tokens.
2021-05-31 21:12:21 +02:00
ffdee8d264
Refs #32795 -- Added CsrfViewMiddleware tests for rejecting invalid or missing tokens.
...
This also improves test names for test_process_request_no_csrf_cookie
and test_process_request_csrf_cookie_no_token. The logic being tested
is actually in process_view() rather than process_request(), and it's
not necessary to include the method name.
2021-05-31 21:12:17 +02:00
71179a6124
Fixed #32596 -- Added CsrfViewMiddleware._check_referer().
...
This encapsulates CsrfViewMiddleware's referer logic into a method and
updates existing tests to check the "seam" introduced by the refactor,
when doing so would improve the test.
2021-05-28 07:31:56 +02:00
02c59b7a43
Refs #32596 -- Added extra tests for CsrfViewMiddleware's referer logic.
2021-05-27 10:53:20 +02:00
ff514309e1
Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host.
2021-03-25 10:34:58 +01:00
717b5e633a
Made CsrfViewMiddlewareTestMixin._get_GET_no_csrf_cookie_request() return GET requests.
2021-03-22 08:22:58 +01:00
e49fdfa405
Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header.
2021-03-19 11:19:19 +01:00
2411b8b5eb
Fixed #16010 -- Added Origin header checking to CSRF middleware.
...
Thanks David Benjamin for the original patch, and Florian
Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
2021-03-18 20:25:20 +01:00
dba44a7a7a
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
2021-03-18 20:00:22 +01:00
7ca7f4495b
Refs #21429 -- Added SimpleTestCase.assertNoLogs() on Python < 3.10.
2021-03-02 20:35:33 +01:00
d6aff369ad
Refs #30116 -- Simplified regex match group access with Match.__getitem__().
...
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
5b09354954
Fixed #31291 -- Renamed salt to mask for CSRF tokens.
2020-02-25 14:16:19 +01:00
4d973f5939
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
...
This is the new contract since middleware refactoring in Django 1.10.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
7785e03ba8
Fixed #30137 -- Replaced OSError aliases with the canonical OSError.
...
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-28 11:15:06 -05:00
22e8ab0286
Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.
2018-09-08 11:46:13 -04:00
607970f31c
Replaced django.test.utils.patch_logger() with assertLogs().
...
Thanks Tim Graham for the review.
2018-05-07 09:34:00 -04:00
98019df855
Used double quotation marks for csrf form element.
2018-05-03 08:57:18 +02:00
9a56b4b13e
Fixed #27863 -- Added support for the SameSite cookie flag.
...
Thanks Alex Gaynor for contributing to the patch.
2018-04-13 20:58:31 -04:00
7ec0fdf62a
Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host.
2018-02-14 20:24:01 -05:00
c4c128d67c
Fixed #28488 -- Reallowed error handlers to access CSRF tokens.
...
Regression in eef95ea96f
2017-09-20 16:22:18 -04:00
77f82c4bf1
Initialized CsrfViewMiddleware once in csrf_tests.
2017-09-20 16:22:12 -04:00
c688336ebc
Refs #23919 -- Assumed request COOKIES and META are str
2017-01-30 14:13:29 +01:00
d6eaf7c018
Refs #23919 -- Replaced super(ClassName, self) with super().
2017-01-25 12:23:46 -05:00
cecc079168
Refs #23919 -- Stopped inheriting from object to define new style classes.
2017-01-19 08:39:46 +01:00
7b2f2e74ad
Refs #23919 -- Removed six.<various>_types usage
...
Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18 20:18:46 +01:00
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
78500102b7
Moved csrf_tests views to a spearate file.
2016-11-30 18:24:29 -05:00
ddf169cdac
Refs #16859 -- Allowed storing CSRF tokens in sessions.
...
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
321e94fa41
Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings.
2016-11-10 21:30:21 -05:00
7fe2d8d940
Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
...
This is a security fix.
2016-11-01 09:30:57 -04:00
4f336f6652
Fixed #26747 -- Used more specific assertions in the Django test suite.
2016-06-16 14:19:18 -04:00
55fec16aaf
Fixed #26628 -- Changed CSRF logger to django.security.csrf.
2016-06-04 10:17:06 -04:00
5112e65ef2
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
...
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Chris Jerdonek
Mariusz Felisiak
Adam Donaghy
Tim Graham
François Freitag
Jon Dufresne
Ram Rachum
Claude Paroz
Michal Čihař
CHI Cheng
Alex Gaynor
Tomer Chachamu
Florian Apolloner
chillaranand
Simon Charette
Raphael Michel
za
Holly Becker
Shai Berger