Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters.
This also improves the comments near where the variable is used.
This commit is contained in:
parent
5685b7cd73
commit
d270dd584e
@ -21,7 +21,8 @@ from django.utils.log import log_response
|
||||||
from django.utils.regex_helper import _lazy_re_compile
|
from django.utils.regex_helper import _lazy_re_compile
|
||||||
|
|
||||||
logger = logging.getLogger('django.security.csrf')
|
logger = logging.getLogger('django.security.csrf')
|
||||||
token_re = _lazy_re_compile('[^a-zA-Z0-9]')
|
# This matches if any character is not in CSRF_ALLOWED_CHARS.
|
||||||
|
invalid_token_chars_re = _lazy_re_compile('[^a-zA-Z0-9]')
|
||||||
|
|
||||||
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."
|
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."
|
||||||
REASON_NO_REFERER = "Referer checking failed - no Referer."
|
REASON_NO_REFERER = "Referer checking failed - no Referer."
|
||||||
|
@ -107,8 +108,8 @@ def rotate_token(request):
|
||||||
|
|
||||||
|
|
||||||
def _sanitize_token(token):
|
def _sanitize_token(token):
|
||||||
# Allow only ASCII alphanumerics
|
# Make sure all characters are in CSRF_ALLOWED_CHARS.
|
||||||
if token_re.search(token):
|
if invalid_token_chars_re.search(token):
|
||||||
return _get_new_csrf_token()
|
return _get_new_csrf_token()
|
||||||
elif len(token) == CSRF_TOKEN_LENGTH:
|
elif len(token) == CSRF_TOKEN_LENGTH:
|
||||||
return token
|
return token
|
||||||
|
|