Refs #32916 -- Replaced request.csrf_cookie_needs_reset with request.META['CSRF_COOKIE_NEEDS_UPDATE'].
This commit is contained in:
parent
6ebf931de8
commit
7c30bdbdb1
|
@ -101,7 +101,7 @@ def get_token(request):
|
||||||
# Since the cookie is being used, flag to send the cookie in
|
# Since the cookie is being used, flag to send the cookie in
|
||||||
# process_response() (even if the client already has it) in order to renew
|
# process_response() (even if the client already has it) in order to renew
|
||||||
# the expiry timer.
|
# the expiry timer.
|
||||||
request.csrf_cookie_needs_reset = True
|
request.META['CSRF_COOKIE_NEEDS_UPDATE'] = True
|
||||||
return _mask_cipher_secret(csrf_secret)
|
return _mask_cipher_secret(csrf_secret)
|
||||||
|
|
||||||
|
|
||||||
|
@ -110,8 +110,10 @@ def rotate_token(request):
|
||||||
Change the CSRF token in use for a request - should be done on login
|
Change the CSRF token in use for a request - should be done on login
|
||||||
for security purposes.
|
for security purposes.
|
||||||
"""
|
"""
|
||||||
request.META["CSRF_COOKIE"] = _get_new_csrf_token()
|
request.META.update({
|
||||||
request.csrf_cookie_needs_reset = True
|
'CSRF_COOKIE': _get_new_csrf_token(),
|
||||||
|
'CSRF_COOKIE_NEEDS_UPDATE': True,
|
||||||
|
})
|
||||||
|
|
||||||
|
|
||||||
class InvalidTokenFormat(Exception):
|
class InvalidTokenFormat(Exception):
|
||||||
|
@ -224,7 +226,7 @@ class CsrfViewMiddleware(MiddlewareMixin):
|
||||||
if csrf_token != cookie_token:
|
if csrf_token != cookie_token:
|
||||||
# Then the cookie token had length CSRF_SECRET_LENGTH, so flag
|
# Then the cookie token had length CSRF_SECRET_LENGTH, so flag
|
||||||
# to replace it with the masked version.
|
# to replace it with the masked version.
|
||||||
request.csrf_cookie_needs_reset = True
|
request.META['CSRF_COOKIE_NEEDS_UPDATE'] = True
|
||||||
return csrf_token
|
return csrf_token
|
||||||
|
|
||||||
def _set_token(self, request, response):
|
def _set_token(self, request, response):
|
||||||
|
@ -376,7 +378,7 @@ class CsrfViewMiddleware(MiddlewareMixin):
|
||||||
csrf_token = self._get_token(request)
|
csrf_token = self._get_token(request)
|
||||||
except InvalidTokenFormat:
|
except InvalidTokenFormat:
|
||||||
csrf_token = _get_new_csrf_token()
|
csrf_token = _get_new_csrf_token()
|
||||||
request.csrf_cookie_needs_reset = True
|
request.META["CSRF_COOKIE_NEEDS_UPDATE"] = True
|
||||||
|
|
||||||
if csrf_token is not None:
|
if csrf_token is not None:
|
||||||
# Use same token next time.
|
# Use same token next time.
|
||||||
|
@ -438,15 +440,15 @@ class CsrfViewMiddleware(MiddlewareMixin):
|
||||||
return self._accept(request)
|
return self._accept(request)
|
||||||
|
|
||||||
def process_response(self, request, response):
|
def process_response(self, request, response):
|
||||||
if getattr(request, 'csrf_cookie_needs_reset', False):
|
if request.META.get('CSRF_COOKIE_NEEDS_UPDATE'):
|
||||||
self._set_token(request, response)
|
self._set_token(request, response)
|
||||||
# Unset the flag to prevent _set_token() from being unnecessarily
|
# Unset the flag to prevent _set_token() from being unnecessarily
|
||||||
# called again in process_response() by other instances of
|
# called again in process_response() by other instances of
|
||||||
# CsrfViewMiddleware. This can happen e.g. when both a decorator
|
# CsrfViewMiddleware. This can happen e.g. when both a decorator and
|
||||||
# and middleware are used. However, the csrf_cookie_needs_reset
|
# middleware are used. However, CSRF_COOKIE_NEEDS_UPDATE is still
|
||||||
# attribute is still respected in subsequent calls e.g. in case
|
# respected in subsequent calls e.g. in case rotate_token() is
|
||||||
# rotate_token() is called in process_response() later by custom
|
# called in process_response() later by custom middleware but before
|
||||||
# middleware but before those subsequent calls.
|
# those subsequent calls.
|
||||||
request.csrf_cookie_needs_reset = False
|
request.META['CSRF_COOKIE_NEEDS_UPDATE'] = False
|
||||||
|
|
||||||
return response
|
return response
|
||||||
|
|
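Review bot: The new META key is spelled with double quotes in the `_set_token`/`process_view` hunk (`request.META["CSRF_COOKIE_NEEDS_UPDATE"] = True`) but with single quotes at every other new site (get_token, rotate_token, _get_token, process_response), so the same literal now appears in two styles across the file. Because process_response only sends the cookie when `request.META.get('CSRF_COOKIE_NEEDS_UPDATE')` is truthy, a typo in any one of the five writing sites would silently turn into a cookie that is never refreshed, which is easy to miss without a shared name; a module-level constant (e.g. `CSRF_COOKIE_NEEDS_UPDATE = 'CSRF_COOKIE_NEEDS_UPDATE'` as a constructed name) referenced from all six places would make that impossible. At minimum, change the odd one out to `request.META['CSRF_COOKIE_NEEDS_UPDATE'] = True` to match the rest. The enclosing methods of the third and fourth hunks start outside the visible lines.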
|
@ -520,6 +520,12 @@ Miscellaneous
|
||||||
method is replaced by two positional arguments ``filter_lhs`` and
|
method is replaced by two positional arguments ``filter_lhs`` and
|
||||||
``filter_rhs``.
|
``filter_rhs``.
|
||||||
|
|
||||||
|
* :class:`~django.middleware.csrf.CsrfViewMiddleware` now uses
|
||||||
|
``request.META['CSRF_COOKIE_NEEDS_UPDATE']`` in place of
|
||||||
|
``request.META['CSRF_COOKIE_USED']``, ``request.csrf_cookie_needs_reset``,
|
||||||
|
and ``response.csrf_cookie_set`` to track whether the CSRF cookie should be
|
||||||
|
sent. This is an undocumented, private API.
|
||||||
|
|
||||||
.. _deprecated-features-4.0:
|
.. _deprecated-features-4.0:
|
||||||
|
|
||||||
Features deprecated in 4.0
|
Features deprecated in 4.0
|
||||||
|
|