Refs #32916 -- Replaced request.csrf_cookie_needs_reset with request.META['CSRF_COOKIE_NEEDS_UPDATE'].

Chris Jerdonek 2021-07-23 01:54:57 -04:00 committed by Mariusz Felisiak
parent 6ebf931de8
commit 7c30bdbdb1
2 changed files with 20 additions and 12 deletions


@ -101,7 +101,7 @@ def get_token(request):
# Since the cookie is being used, flag to send the cookie in # Since the cookie is being used, flag to send the cookie in
# process_response() (even if the client already has it) in order to renew # process_response() (even if the client already has it) in order to renew
# the expiry timer. # the expiry timer.
request.csrf_cookie_needs_reset = True request.META['CSRF_COOKIE_NEEDS_UPDATE'] = True
return _mask_cipher_secret(csrf_secret) return _mask_cipher_secret(csrf_secret)
@ -110,8 +110,10 @@ def rotate_token(request):
Change the CSRF token in use for a request - should be done on login Change the CSRF token in use for a request - should be done on login
for security purposes. for security purposes.
""" """
request.META["CSRF_COOKIE"] = _get_new_csrf_token() request.META.update({
request.csrf_cookie_needs_reset = True 'CSRF_COOKIE': _get_new_csrf_token(),
'CSRF_COOKIE_NEEDS_UPDATE': True,
})
class InvalidTokenFormat(Exception): class InvalidTokenFormat(Exception):
@ -224,7 +226,7 @@ class CsrfViewMiddleware(MiddlewareMixin):
if csrf_token != cookie_token: if csrf_token != cookie_token:
# Then the cookie token had length CSRF_SECRET_LENGTH, so flag # Then the cookie token had length CSRF_SECRET_LENGTH, so flag
# to replace it with the masked version. # to replace it with the masked version.
request.csrf_cookie_needs_reset = True request.META['CSRF_COOKIE_NEEDS_UPDATE'] = True
return csrf_token return csrf_token
def _set_token(self, request, response): def _set_token(self, request, response):
@ -376,7 +378,7 @@ class CsrfViewMiddleware(MiddlewareMixin):
csrf_token = self._get_token(request) csrf_token = self._get_token(request)
except InvalidTokenFormat: except InvalidTokenFormat:
csrf_token = _get_new_csrf_token() csrf_token = _get_new_csrf_token()
request.csrf_cookie_needs_reset = True request.META["CSRF_COOKIE_NEEDS_UPDATE"] = True
if csrf_token is not None: if csrf_token is not None:
# Use same token next time. # Use same token next time.
@ -438,15 +440,15 @@ class CsrfViewMiddleware(MiddlewareMixin):
return self._accept(request) return self._accept(request)
def process_response(self, request, response): def process_response(self, request, response):
if getattr(request, 'csrf_cookie_needs_reset', False): if request.META.get('CSRF_COOKIE_NEEDS_UPDATE'):
self._set_token(request, response) self._set_token(request, response)
# Unset the flag to prevent _set_token() from being unnecessarily # Unset the flag to prevent _set_token() from being unnecessarily
# called again in process_response() by other instances of # called again in process_response() by other instances of
# CsrfViewMiddleware. This can happen e.g. when both a decorator # CsrfViewMiddleware. This can happen e.g. when both a decorator and
# and middleware are used. However, the csrf_cookie_needs_reset # middleware are used. However, CSRF_COOKIE_NEEDS_UPDATE is still
# attribute is still respected in subsequent calls e.g. in case # respected in subsequent calls e.g. in case rotate_token() is
# rotate_token() is called in process_response() later by custom # called in process_response() later by custom middleware but before
# middleware but before those subsequent calls. # those subsequent calls.
request.csrf_cookie_needs_reset = False request.META['CSRF_COOKIE_NEEDS_UPDATE'] = False
return response return response
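Review bot: The new META key is spelled out as a bare string literal at every site in this file (get_token, rotate_token, _get_token, process_view and twice in process_response), and the quoting is already inconsistent — `"CSRF_COOKIE_NEEDS_UPDATE"` in the process_view hunk versus single quotes everywhere else — so a typo at any one of them would silently stop the cookie from being renewed or rotated with no error raised. I would hoist it once near the top of the module, `CSRF_COOKIE_NEEDS_UPDATE = 'CSRF_COOKIE_NEEDS_UPDATE'`, with a comment `# request.META key: set when the CSRF cookie must be (re)sent in process_response(); private API.`, and reference the name at all six sites. Since the flag now lives in `request.META`, it is worth noting in that comment that the key carries no `HTTP_` prefix and so, as far as the WSGI header mapping goes, cannot be pre-set by a client request header — the middleware is the only writer. Note that process_response's check on the META value is a plain truthiness test, which is fine given only `True`/`False` are ever stored, but the constant's comment should say so for future writers.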


@ -520,6 +520,12 @@ Miscellaneous
method is replaced by two positional arguments ``filter_lhs`` and method is replaced by two positional arguments ``filter_lhs`` and
``filter_rhs``. ``filter_rhs``.
* :class:`~django.middleware.csrf.CsrfViewMiddleware` now uses
``request.META['CSRF_COOKIE_NEEDS_UPDATE']`` in place of
``request.META['CSRF_COOKIE_USED']``, ``request.csrf_cookie_needs_reset``,
and ``response.csrf_cookie_set`` to track whether the CSRF cookie should be
sent. This is an undocumented, private API.
.. _deprecated-features-4.0: .. _deprecated-features-4.0:
Features deprecated in 4.0 Features deprecated in 4.0