mirror of https://github.com/django/django.git
Refs #32596 -- Added early return on safe methods in CsrfViewMiddleware.process_view().
This commit is contained in:
parent
cfd8c91839
commit
214b36f50a
|
@ -317,75 +317,74 @@ class CsrfViewMiddleware(MiddlewareMixin):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
# Assume that anything not defined as 'safe' by RFC7231 needs protection
|
# Assume that anything not defined as 'safe' by RFC7231 needs protection
|
||||||
if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
|
if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
|
||||||
if getattr(request, '_dont_enforce_csrf_checks', False):
|
return self._accept(request)
|
||||||
# Mechanism to turn off CSRF checks for test suite.
|
|
||||||
# It comes after the creation of CSRF cookies, so that
|
|
||||||
# everything else continues to work exactly the same
|
|
||||||
# (e.g. cookies are sent, etc.), but before any
|
|
||||||
# branches that call reject().
|
|
||||||
return self._accept(request)
|
|
||||||
|
|
||||||
# Reject the request if the Origin header doesn't match an allowed
|
if getattr(request, '_dont_enforce_csrf_checks', False):
|
||||||
# value.
|
# Mechanism to turn off CSRF checks for test suite. It comes after
|
||||||
if 'HTTP_ORIGIN' in request.META:
|
# the creation of CSRF cookies, so that everything else continues
|
||||||
if not self._origin_verified(request):
|
# to work exactly the same (e.g. cookies are sent, etc.), but
|
||||||
return self._reject(request, REASON_BAD_ORIGIN % request.META['HTTP_ORIGIN'])
|
# before any branches that call reject().
|
||||||
elif request.is_secure():
|
return self._accept(request)
|
||||||
# If the Origin header wasn't provided, reject HTTPS requests
|
|
||||||
# if the Referer header doesn't match an allowed value.
|
|
||||||
#
|
|
||||||
# Suppose user visits http://example.com/
|
|
||||||
# An active network attacker (man-in-the-middle, MITM) sends a
|
|
||||||
# POST form that targets https://example.com/detonate-bomb/ and
|
|
||||||
# submits it via JavaScript.
|
|
||||||
#
|
|
||||||
# The attacker will need to provide a CSRF cookie and token, but
|
|
||||||
# that's no problem for a MITM and the session-independent
|
|
||||||
# secret we're using. So the MITM can circumvent the CSRF
|
|
||||||
# protection. This is true for any HTTP connection, but anyone
|
|
||||||
# using HTTPS expects better! For this reason, for
|
|
||||||
# https://example.com/ we need additional protection that treats
|
|
||||||
# http://example.com/ as completely untrusted. Under HTTPS,
|
|
||||||
# Barth et al. found that the Referer header is missing for
|
|
||||||
# same-domain requests in only about 0.2% of cases or less, so
|
|
||||||
# we can use strict Referer checking.
|
|
||||||
try:
|
|
||||||
self._check_referer(request)
|
|
||||||
except RejectRequest as exc:
|
|
||||||
return self._reject(request, exc.reason)
|
|
||||||
|
|
||||||
# Access csrf_token via self._get_token() as rotate_token() may
|
# Reject the request if the Origin header doesn't match an allowed
|
||||||
# have been called by an authentication middleware during the
|
# value.
|
||||||
# process_request() phase.
|
if 'HTTP_ORIGIN' in request.META:
|
||||||
csrf_token = self._get_token(request)
|
if not self._origin_verified(request):
|
||||||
if csrf_token is None:
|
return self._reject(request, REASON_BAD_ORIGIN % request.META['HTTP_ORIGIN'])
|
||||||
# No CSRF cookie. For POST requests, we insist on a CSRF cookie,
|
elif request.is_secure():
|
||||||
# and in this way we can avoid all CSRF attacks, including login
|
# If the Origin header wasn't provided, reject HTTPS requests if
|
||||||
# CSRF.
|
# the Referer header doesn't match an allowed value.
|
||||||
return self._reject(request, REASON_NO_CSRF_COOKIE)
|
#
|
||||||
|
# Suppose user visits http://example.com/
|
||||||
|
# An active network attacker (man-in-the-middle, MITM) sends a
|
||||||
|
# POST form that targets https://example.com/detonate-bomb/ and
|
||||||
|
# submits it via JavaScript.
|
||||||
|
#
|
||||||
|
# The attacker will need to provide a CSRF cookie and token, but
|
||||||
|
# that's no problem for a MITM and the session-independent secret
|
||||||
|
# we're using. So the MITM can circumvent the CSRF protection. This
|
||||||
|
# is true for any HTTP connection, but anyone using HTTPS expects
|
||||||
|
# better! For this reason, for https://example.com/ we need
|
||||||
|
# additional protection that treats http://example.com/ as
|
||||||
|
# completely untrusted. Under HTTPS, Barth et al. found that the
|
||||||
|
# Referer header is missing for same-domain requests in only about
|
||||||
|
# 0.2% of cases or less, so we can use strict Referer checking.
|
||||||
|
try:
|
||||||
|
self._check_referer(request)
|
||||||
|
except RejectRequest as exc:
|
||||||
|
return self._reject(request, exc.reason)
|
||||||
|
|
||||||
# Check non-cookie token for match.
|
# Access csrf_token via self._get_token() as rotate_token() may have
|
||||||
request_csrf_token = ""
|
# been called by an authentication middleware during the
|
||||||
if request.method == "POST":
|
# process_request() phase.
|
||||||
try:
|
csrf_token = self._get_token(request)
|
||||||
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
|
if csrf_token is None:
|
||||||
except OSError:
|
# No CSRF cookie. For POST requests, we insist on a CSRF cookie,
|
||||||
# Handle a broken connection before we've completed reading
|
# and in this way we can avoid all CSRF attacks, including login
|
||||||
# the POST data. process_view shouldn't raise any
|
# CSRF.
|
||||||
# exceptions, so we'll ignore and serve the user a 403
|
return self._reject(request, REASON_NO_CSRF_COOKIE)
|
||||||
# (assuming they're still listening, which they probably
|
|
||||||
# aren't because of the error).
|
|
||||||
pass
|
|
||||||
|
|
||||||
if request_csrf_token == "":
|
# Check non-cookie token for match.
|
||||||
# Fall back to X-CSRFToken, to make things easier for AJAX,
|
request_csrf_token = ''
|
||||||
# and possible for PUT/DELETE.
|
if request.method == 'POST':
|
||||||
request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '')
|
try:
|
||||||
|
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
|
||||||
|
except OSError:
|
||||||
|
# Handle a broken connection before we've completed reading the
|
||||||
|
# POST data. process_view shouldn't raise any exceptions, so
|
||||||
|
# we'll ignore and serve the user a 403 (assuming they're still
|
||||||
|
# listening, which they probably aren't because of the error).
|
||||||
|
pass
|
||||||
|
|
||||||
request_csrf_token = _sanitize_token(request_csrf_token)
|
if request_csrf_token == '':
|
||||||
if not _compare_masked_tokens(request_csrf_token, csrf_token):
|
# Fall back to X-CSRFToken, to make things easier for AJAX, and
|
||||||
return self._reject(request, REASON_BAD_TOKEN)
|
# possible for PUT/DELETE.
|
||||||
|
request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '')
|
||||||
|
|
||||||
|
request_csrf_token = _sanitize_token(request_csrf_token)
|
||||||
|
if not _compare_masked_tokens(request_csrf_token, csrf_token):
|
||||||
|
return self._reject(request, REASON_BAD_TOKEN)
|
||||||
|
|
||||||
return self._accept(request)
|
return self._accept(request)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue