Refs #16859 -- Allowed storing CSRF tokens in sessions.

Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
This commit is contained in:
Raphael Michel 2016-06-30 18:42:11 +02:00 committed by Tim Graham
parent f24eea3b69
commit ddf169cdac
7 changed files with 407 additions and 218 deletions

View File

@ -548,6 +548,7 @@ CSRF_COOKIE_SECURE = False
CSRF_COOKIE_HTTPONLY = False CSRF_COOKIE_HTTPONLY = False
CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
CSRF_TRUSTED_ORIGINS = [] CSRF_TRUSTED_ORIGINS = []
CSRF_USE_SESSIONS = False
############ ############
# MESSAGES # # MESSAGES #

View File

@ -11,6 +11,7 @@ import re
import string import string
from django.conf import settings from django.conf import settings
from django.core.exceptions import ImproperlyConfigured
from django.urls import get_callable from django.urls import get_callable
from django.utils.cache import patch_vary_headers from django.utils.cache import patch_vary_headers
from django.utils.crypto import constant_time_compare, get_random_string from django.utils.crypto import constant_time_compare, get_random_string
@ -32,6 +33,7 @@ REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while h
CSRF_SECRET_LENGTH = 32 CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SESSION_KEY = '_csrftoken'
def _get_failure_view(): def _get_failure_view():
@ -160,20 +162,51 @@ class CsrfViewMiddleware(MiddlewareMixin):
) )
return _get_failure_view()(request, reason=reason) return _get_failure_view()(request, reason=reason)
def process_view(self, request, callback, callback_args, callback_kwargs): def _get_token(self, request):
if getattr(request, 'csrf_processing_done', False): if settings.CSRF_USE_SESSIONS:
return None try:
return request.session.get(CSRF_SESSION_KEY)
try: except AttributeError:
cookie_token = request.COOKIES[settings.CSRF_COOKIE_NAME] raise ImproperlyConfigured(
except KeyError: 'CSRF_USE_SESSIONS is enabled, but request.session is not '
csrf_token = None 'set. SessionMiddleware must appear before CsrfViewMiddleware '
'in MIDDLEWARE%s.' % ('_CLASSES' if settings.MIDDLEWARE is None else '')
)
else: else:
try:
cookie_token = request.COOKIES[settings.CSRF_COOKIE_NAME]
except KeyError:
return None
csrf_token = _sanitize_token(cookie_token) csrf_token = _sanitize_token(cookie_token)
if csrf_token != cookie_token: if csrf_token != cookie_token:
# Cookie token needed to be replaced; # Cookie token needed to be replaced;
# the cookie needs to be reset. # the cookie needs to be reset.
request.csrf_cookie_needs_reset = True request.csrf_cookie_needs_reset = True
return csrf_token
def _set_token(self, request, response):
if settings.CSRF_USE_SESSIONS:
request.session[CSRF_SESSION_KEY] = request.META['CSRF_COOKIE']
else:
response.set_cookie(
settings.CSRF_COOKIE_NAME,
request.META['CSRF_COOKIE'],
max_age=settings.CSRF_COOKIE_AGE,
domain=settings.CSRF_COOKIE_DOMAIN,
path=settings.CSRF_COOKIE_PATH,
secure=settings.CSRF_COOKIE_SECURE,
httponly=settings.CSRF_COOKIE_HTTPONLY,
)
# Set the Vary header since content varies with the CSRF cookie.
patch_vary_headers(response, ('Cookie',))
def process_view(self, request, callback, callback_args, callback_kwargs):
if getattr(request, 'csrf_processing_done', False):
return None
csrf_token = self._get_token(request)
if csrf_token is not None:
# Use same token next time. # Use same token next time.
request.META['CSRF_COOKIE'] = csrf_token request.META['CSRF_COOKIE'] = csrf_token
@ -226,16 +259,21 @@ class CsrfViewMiddleware(MiddlewareMixin):
if referer.scheme != 'https': if referer.scheme != 'https':
return self._reject(request, REASON_INSECURE_REFERER) return self._reject(request, REASON_INSECURE_REFERER)
# If there isn't a CSRF_COOKIE_DOMAIN, assume we need an exact # If there isn't a CSRF_COOKIE_DOMAIN, require an exact match
# match on host:port. If not, obey the cookie rules. # match on host:port. If not, obey the cookie rules (or those
if settings.CSRF_COOKIE_DOMAIN is None: # for the session cookie, if CSRF_USE_SESSIONS).
# request.get_host() includes the port. good_referer = (
good_referer = request.get_host() settings.SESSION_COOKIE_DOMAIN
else: if settings.CSRF_USE_SESSIONS
good_referer = settings.CSRF_COOKIE_DOMAIN else settings.CSRF_COOKIE_DOMAIN
)
if good_referer is not None:
server_port = request.get_port() server_port = request.get_port()
if server_port not in ('443', '80'): if server_port not in ('443', '80'):
good_referer = '%s:%s' % (good_referer, server_port) good_referer = '%s:%s' % (good_referer, server_port)
else:
# request.get_host() includes the port.
good_referer = request.get_host()
# Here we generate a list of all acceptable HTTP referers, # Here we generate a list of all acceptable HTTP referers,
# including the current host since that has been validated # including the current host since that has been validated
@ -287,15 +325,6 @@ class CsrfViewMiddleware(MiddlewareMixin):
# Set the CSRF cookie even if it's already set, so we renew # Set the CSRF cookie even if it's already set, so we renew
# the expiry timer. # the expiry timer.
response.set_cookie(settings.CSRF_COOKIE_NAME, self._set_token(request, response)
request.META["CSRF_COOKIE"],
max_age=settings.CSRF_COOKIE_AGE,
domain=settings.CSRF_COOKIE_DOMAIN,
path=settings.CSRF_COOKIE_PATH,
secure=settings.CSRF_COOKIE_SECURE,
httponly=settings.CSRF_COOKIE_HTTPONLY
)
# Content varies with the CSRF cookie, so set the Vary header.
patch_vary_headers(response, ('Cookie',))
response.csrf_cookie_set = True response.csrf_cookie_set = True
return response return response

View File

@ -64,9 +64,14 @@ XMLHttpRequest, set a custom ``X-CSRFToken`` header to the value of the CSRF
token. This is often easier, because many JavaScript frameworks provide hooks token. This is often easier, because many JavaScript frameworks provide hooks
that allow headers to be set on every request. that allow headers to be set on every request.
As a first step, you must get the CSRF token itself. The recommended source for First, you must get the CSRF token. How to do that depends on whether or not
the token is the ``csrftoken`` cookie, which will be set if you've enabled CSRF the :setting:`CSRF_USE_SESSIONS` setting is enabled.
protection for your views as outlined above.
Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``False``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The recommended source for the token is the ``csrftoken`` cookie, which will be
set if you've enabled CSRF protection for your views as outlined above.
.. note:: .. note::
@ -121,6 +126,23 @@ The above code could be simplified by using the `JavaScript Cookie library
Django provides a view decorator which forces setting of the cookie: Django provides a view decorator which forces setting of the cookie:
:func:`~django.views.decorators.csrf.ensure_csrf_cookie`. :func:`~django.views.decorators.csrf.ensure_csrf_cookie`.
Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``True``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you activate :setting:`CSRF_USE_SESSIONS`, you must include the CSRF token
in your HTML and read the token from the DOM with JavaScript:
.. code-block:: html+django
{% csrf_token %}
<script type="text/javascript">
// using jQuery
var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();
</script>
Setting the token on the AJAX request
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Finally, you'll have to actually set the header on your AJAX request, while Finally, you'll have to actually set the header on your AJAX request, while
protecting the CSRF token from being sent to other domains using protecting the CSRF token from being sent to other domains using
`settings.crossDomain <https://api.jquery.com/jQuery.ajax>`_ in jQuery 1.5.1 and `settings.crossDomain <https://api.jquery.com/jQuery.ajax>`_ in jQuery 1.5.1 and
@ -493,6 +515,7 @@ A number of settings can be used to control Django's CSRF behavior:
* :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_FAILURE_VIEW`
* :setting:`CSRF_HEADER_NAME` * :setting:`CSRF_HEADER_NAME`
* :setting:`CSRF_TRUSTED_ORIGINS` * :setting:`CSRF_TRUSTED_ORIGINS`
* :setting:`CSRF_USE_SESSIONS`
Frequently Asked Questions Frequently Asked Questions
========================== ==========================

View File

@ -512,6 +512,9 @@ Here are some hints about the ordering of various Django middleware classes:
Before any view middleware that assumes that CSRF attacks have been dealt Before any view middleware that assumes that CSRF attacks have been dealt
with. with.
It must come after ``SessionMiddleware`` if you're using
:setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware` #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
After ``SessionMiddleware``: uses session storage. After ``SessionMiddleware``: uses session storage.

View File

@ -377,6 +377,22 @@ Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``,
the cookie will be marked as "secure," which means browsers may ensure that the the cookie will be marked as "secure," which means browsers may ensure that the
cookie is only sent with an HTTPS connection. cookie is only sent with an HTTPS connection.
.. setting:: CSRF_USE_SESSIONS
``CSRF_USE_SESSIONS``
---------------------
.. versionadded:: 1.11
Default: ``False``
Whether to store the CSRF token in the user's session instead of in a cookie.
It requires the use of :mod:`django.contrib.sessions`.
Storing the CSRF token in a cookie (Django's default) is safe, but storing it
in the session is common practice in other web frameworks and therefore
sometimes demanded by security auditors.
.. setting:: CSRF_FAILURE_VIEW .. setting:: CSRF_FAILURE_VIEW
``CSRF_FAILURE_VIEW`` ``CSRF_FAILURE_VIEW``
@ -3407,6 +3423,7 @@ Security
* :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_FAILURE_VIEW`
* :setting:`CSRF_HEADER_NAME` * :setting:`CSRF_HEADER_NAME`
* :setting:`CSRF_TRUSTED_ORIGINS` * :setting:`CSRF_TRUSTED_ORIGINS`
* :setting:`CSRF_USE_SESSIONS`
* :setting:`SECRET_KEY` * :setting:`SECRET_KEY`
* :setting:`X_FRAME_OPTIONS` * :setting:`X_FRAME_OPTIONS`

View File

@ -231,7 +231,8 @@ Cache
CSRF CSRF
~~~~ ~~~~
* ... * Added the :setting:`CSRF_USE_SESSIONS` setting to allow storing the CSRF
token in the user's session rather than in a cookie.
Database backends Database backends
~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~

View File

@ -6,10 +6,12 @@ import re
import warnings import warnings
from django.conf import settings from django.conf import settings
from django.core.exceptions import ImproperlyConfigured
from django.http import HttpRequest, HttpResponse from django.http import HttpRequest, HttpResponse
from django.middleware.csrf import ( from django.middleware.csrf import (
CSRF_TOKEN_LENGTH, REASON_BAD_TOKEN, REASON_NO_CSRF_COOKIE, CSRF_SESSION_KEY, CSRF_TOKEN_LENGTH, REASON_BAD_TOKEN,
CsrfViewMiddleware, _compare_salted_tokens as equivalent_tokens, get_token, REASON_NO_CSRF_COOKIE, CsrfViewMiddleware,
_compare_salted_tokens as equivalent_tokens, get_token,
) )
from django.template import RequestContext, Template from django.template import RequestContext, Template
from django.template.context_processors import csrf from django.template.context_processors import csrf
@ -58,20 +60,27 @@ class TestingHttpRequest(HttpRequest):
A version of HttpRequest that allows us to change some things A version of HttpRequest that allows us to change some things
more easily more easily
""" """
def __init__(self):
super(TestingHttpRequest, self).__init__()
# A real session backend isn't needed.
self.session = {}
def is_secure(self): def is_secure(self):
return getattr(self, '_is_secure_override', False) return getattr(self, '_is_secure_override', False)
class CsrfViewMiddlewareTest(SimpleTestCase): class CsrfViewMiddlewareTestMixin(object):
"""
Shared methods and tests for session-based and cookie-based tokens.
"""
_csrf_id = _csrf_id_cookie = '1bcdefghij2bcdefghij3bcdefghij4bcdefghij5bcdefghij6bcdefghijABCD' _csrf_id = _csrf_id_cookie = '1bcdefghij2bcdefghij3bcdefghij4bcdefghij5bcdefghij6bcdefghijABCD'
def _get_GET_no_csrf_cookie_request(self): def _get_GET_no_csrf_cookie_request(self):
return TestingHttpRequest() return TestingHttpRequest()
def _get_GET_csrf_cookie_request(self): def _get_GET_csrf_cookie_request(self):
req = TestingHttpRequest() raise NotImplementedError('This method must be implemented by a subclass.')
req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie
return req
def _get_POST_csrf_cookie_request(self): def _get_POST_csrf_cookie_request(self):
req = self._get_GET_csrf_cookie_request() req = self._get_GET_csrf_cookie_request()
@ -88,16 +97,6 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
req.POST['csrfmiddlewaretoken'] = self._csrf_id req.POST['csrfmiddlewaretoken'] = self._csrf_id
return req return req
def _get_POST_bare_secret_csrf_cookie_request(self):
req = self._get_POST_no_csrf_cookie_request()
req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie[:32]
return req
def _get_POST_bare_secret_csrf_cookie_request_with_token(self):
req = self._get_POST_bare_secret_csrf_cookie_request()
req.POST['csrfmiddlewaretoken'] = self._csrf_id_cookie[:32]
return req
def _check_token_present(self, response, csrf_id=None): def _check_token_present(self, response, csrf_id=None):
text = text_type(response.content, response.charset) text = text_type(response.content, response.charset)
match = re.search("name='csrfmiddlewaretoken' value='(.*?)'", text) match = re.search("name='csrfmiddlewaretoken' value='(.*?)'", text)
@ -107,77 +106,6 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
"Could not find csrfmiddlewaretoken to match %s" % csrf_token "Could not find csrfmiddlewaretoken to match %s" % csrf_token
) )
def test_process_view_token_too_long(self):
"""
If the token is longer than expected, it is ignored and a new token is
created.
"""
req = self._get_GET_no_csrf_cookie_request()
req.COOKIES[settings.CSRF_COOKIE_NAME] = 'x' * 100000
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
def test_process_view_token_invalid_chars(self):
"""
If the token contains non-alphanumeric characters, it is ignored and a
new token is created.
"""
token = ('!@#' + self._csrf_id)[:CSRF_TOKEN_LENGTH]
req = self._get_GET_no_csrf_cookie_request()
req.COOKIES[settings.CSRF_COOKIE_NAME] = token
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
self.assertNotEqual(csrf_cookie.value, token)
def test_process_view_token_invalid_bytes(self):
"""
If the token contains improperly encoded unicode, it is ignored and a
new token is created.
"""
token = (b"<1>\xc2\xa1" + force_bytes(self._csrf_id, 'ascii'))[:CSRF_TOKEN_LENGTH]
req = self._get_GET_no_csrf_cookie_request()
req.COOKIES[settings.CSRF_COOKIE_NAME] = token
# We expect a UnicodeWarning here, because we used broken utf-8 on purpose
with warnings.catch_warnings():
warnings.filterwarnings("ignore", category=UnicodeWarning)
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
self.assertNotEqual(csrf_cookie.value, token)
def test_process_response_get_token_used(self):
"""
When get_token is used, check that the cookie is created and headers
patched.
"""
req = self._get_GET_no_csrf_cookie_request()
# Put tests for CSRF_COOKIE_* settings here
with self.settings(CSRF_COOKIE_NAME='myname',
CSRF_COOKIE_DOMAIN='.example.com',
CSRF_COOKIE_PATH='/test/',
CSRF_COOKIE_SECURE=True,
CSRF_COOKIE_HTTPONLY=True):
# token_view calls get_token() indirectly
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get('myname', False)
self.assertIsNot(csrf_cookie, False)
self.assertEqual(csrf_cookie['domain'], '.example.com')
self.assertIs(csrf_cookie['secure'], True)
self.assertIs(csrf_cookie['httponly'], True)
self.assertEqual(csrf_cookie['path'], '/test/')
self.assertIn('Cookie', resp2.get('Vary', ''))
def test_process_response_get_token_not_used(self): def test_process_response_get_token_not_used(self):
""" """
If get_token() is not called, the view middleware does not If get_token() is not called, the view middleware does not
@ -371,20 +299,6 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
"CSRF cookie was changed on an accepted request" "CSRF cookie was changed on an accepted request"
) )
def test_bare_secret_accepted_and_replaced(self):
"""
The csrf token is reset from a bare secret.
"""
req = self._get_POST_bare_secret_csrf_cookie_request_with_token()
req2 = CsrfViewMiddleware().process_view(req, token_view, (), {})
self.assertIsNone(req2)
resp = token_view(req)
resp = CsrfViewMiddleware().process_response(req, resp)
self.assertIn(settings.CSRF_COOKIE_NAME, resp.cookies, "Cookie was not reset from bare secret")
csrf_cookie = resp.cookies[settings.CSRF_COOKIE_NAME]
self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
self._check_token_present(resp, csrf_id=csrf_cookie.value)
@override_settings(DEBUG=True, ALLOWED_HOSTS=['www.example.com']) @override_settings(DEBUG=True, ALLOWED_HOSTS=['www.example.com'])
def test_https_bad_referer(self): def test_https_bad_referer(self):
""" """
@ -465,11 +379,7 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertIsNone(req2) self.assertIsNone(req2)
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True) def _test_https_good_referer_behind_proxy(self):
def test_https_good_referer_behind_proxy(self):
"""
A POST HTTPS request is accepted when USE_X_FORWARDED_PORT=True.
"""
req = self._get_POST_request_with_token() req = self._get_POST_request_with_token()
req._is_secure_override = True req._is_secure_override = True
req.META.update({ req.META.update({
@ -508,12 +418,7 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
response = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertIsNone(response) self.assertIsNone(response)
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com') def _test_https_good_referer_matches_cookie_domain(self):
def test_https_good_referer_matches_cookie_domain(self):
"""
A POST HTTPS request with a good referer should be accepted from a
subdomain that's allowed by CSRF_COOKIE_DOMAIN.
"""
req = self._get_POST_request_with_token() req = self._get_POST_request_with_token()
req._is_secure_override = True req._is_secure_override = True
req.META['HTTP_REFERER'] = 'https://foo.example.com/' req.META['HTTP_REFERER'] = 'https://foo.example.com/'
@ -521,12 +426,7 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
response = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertIsNone(response) self.assertIsNone(response)
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com') def _test_https_good_referer_matches_cookie_domain_with_different_port(self):
def test_https_good_referer_matches_cookie_domain_with_different_port(self):
"""
A POST HTTPS request with a good referer should be accepted from a
subdomain that's allowed by CSRF_COOKIE_DOMAIN and a non-443 port.
"""
req = self._get_POST_request_with_token() req = self._get_POST_request_with_token()
req._is_secure_override = True req._is_secure_override = True
req.META['HTTP_HOST'] = 'www.example.com' req.META['HTTP_HOST'] = 'www.example.com'
@ -535,21 +435,98 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
response = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertIsNone(response) self.assertIsNone(response)
@override_settings(CSRF_COOKIE_DOMAIN='.example.com', DEBUG=True) def test_ensures_csrf_cookie_no_logging(self):
def test_https_reject_insecure_referer(self):
""" """
A POST HTTPS request from an insecure referer should be rejected. ensure_csrf_cookie() doesn't log warnings (#19436).
""" """
req = self._get_POST_request_with_token() @ensure_csrf_cookie
req._is_secure_override = True def view(request):
req.META['HTTP_REFERER'] = 'http://example.com/' # Doesn't insert a token or anything
req.META['SERVER_PORT'] = '443' return HttpResponse(content="")
response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertContains( class TestHandler(logging.Handler):
response, def emit(self, record):
'Referer checking failed - Referer is insecure while host is secure.', raise Exception("This shouldn't have happened!")
status_code=403,
) logger = logging.getLogger('django.request')
test_handler = TestHandler()
old_log_level = logger.level
try:
logger.addHandler(test_handler)
logger.setLevel(logging.WARNING)
req = self._get_GET_no_csrf_cookie_request()
view(req)
finally:
logger.removeHandler(test_handler)
logger.setLevel(old_log_level)
def test_post_data_read_failure(self):
"""
#20128 -- IOErrors during POST data reading should be caught and
treated as if the POST data wasn't there.
"""
class CsrfPostRequest(HttpRequest):
"""
HttpRequest that can raise an IOError when accessing POST data
"""
def __init__(self, token, raise_error):
super(CsrfPostRequest, self).__init__()
self.method = 'POST'
self.raise_error = False
self.COOKIES[settings.CSRF_COOKIE_NAME] = token
# Handle both cases here to prevent duplicate code in the
# session tests.
self.session = {}
self.session[CSRF_SESSION_KEY] = token
self.POST['csrfmiddlewaretoken'] = token
self.raise_error = raise_error
def _load_post_and_files(self):
raise IOError('error reading input data')
def _get_post(self):
if self.raise_error:
self._load_post_and_files()
return self._post
def _set_post(self, post):
self._post = post
POST = property(_get_post, _set_post)
token = ('ABC' + self._csrf_id)[:CSRF_TOKEN_LENGTH]
req = CsrfPostRequest(token, raise_error=False)
resp = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertIsNone(resp)
req = CsrfPostRequest(token, raise_error=True)
with patch_logger('django.security.csrf', 'warning') as logger_calls:
resp = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertEqual(resp.status_code, 403)
self.assertEqual(logger_calls[0], 'Forbidden (%s): ' % REASON_BAD_TOKEN)
class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
def _get_GET_csrf_cookie_request(self):
req = TestingHttpRequest()
req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie
return req
def _get_POST_bare_secret_csrf_cookie_request(self):
req = self._get_POST_no_csrf_cookie_request()
req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie[:32]
return req
def _get_POST_bare_secret_csrf_cookie_request_with_token(self):
req = self._get_POST_bare_secret_csrf_cookie_request()
req.POST['csrfmiddlewaretoken'] = self._csrf_id_cookie[:32]
return req
def test_ensures_csrf_cookie_no_middleware(self): def test_ensures_csrf_cookie_no_middleware(self):
""" """
@ -582,32 +559,6 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
self.assertTrue(resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)) self.assertTrue(resp2.cookies.get(settings.CSRF_COOKIE_NAME, False))
self.assertIn('Cookie', resp2.get('Vary', '')) self.assertIn('Cookie', resp2.get('Vary', ''))
def test_ensures_csrf_cookie_no_logging(self):
"""
ensure_csrf_cookie() doesn't log warnings (#19436).
"""
@ensure_csrf_cookie
def view(request):
# Doesn't insert a token or anything
return HttpResponse(content="")
class TestHandler(logging.Handler):
def emit(self, record):
raise Exception("This shouldn't have happened!")
logger = logging.getLogger('django.request')
test_handler = TestHandler()
old_log_level = logger.level
try:
logger.addHandler(test_handler)
logger.setLevel(logging.WARNING)
req = self._get_GET_no_csrf_cookie_request()
view(req)
finally:
logger.removeHandler(test_handler)
logger.setLevel(old_log_level)
def test_csrf_cookie_age(self): def test_csrf_cookie_age(self):
""" """
CSRF cookie age can be set using settings.CSRF_COOKIE_AGE. CSRF cookie age can be set using settings.CSRF_COOKIE_AGE.
@ -651,45 +602,209 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
max_age = resp2.cookies.get('csrfcookie').get('max-age') max_age = resp2.cookies.get('csrfcookie').get('max-age')
self.assertEqual(max_age, '') self.assertEqual(max_age, '')
def test_post_data_read_failure(self): def test_process_view_token_too_long(self):
""" """
#20128 -- IOErrors during POST data reading should be caught and If the token is longer than expected, it is ignored and a new token is
treated as if the POST data wasn't there. created.
""" """
class CsrfPostRequest(HttpRequest): req = self._get_GET_no_csrf_cookie_request()
""" req.COOKIES[settings.CSRF_COOKIE_NAME] = 'x' * 100000
HttpRequest that can raise an IOError when accessing POST data CsrfViewMiddleware().process_view(req, token_view, (), {})
""" resp = token_view(req)
def __init__(self, token, raise_error): resp2 = CsrfViewMiddleware().process_response(req, resp)
super(CsrfPostRequest, self).__init__() csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.method = 'POST' self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
self.raise_error = False def test_process_view_token_invalid_bytes(self):
self.COOKIES[settings.CSRF_COOKIE_NAME] = token """
self.POST['csrfmiddlewaretoken'] = token If the token contains improperly encoded unicode, it is ignored and a
self.raise_error = raise_error new token is created.
"""
token = (b"<1>\xc2\xa1" + force_bytes(self._csrf_id, 'ascii'))[:CSRF_TOKEN_LENGTH]
req = self._get_GET_no_csrf_cookie_request()
req.COOKIES[settings.CSRF_COOKIE_NAME] = token
# We expect a UnicodeWarning here, because we used broken utf-8 on purpose
with warnings.catch_warnings():
warnings.filterwarnings("ignore", category=UnicodeWarning)
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
self.assertNotEqual(csrf_cookie.value, token)
def _load_post_and_files(self): def test_process_view_token_invalid_chars(self):
raise IOError('error reading input data') """
If the token contains non-alphanumeric characters, it is ignored and a
new token is created.
"""
token = ('!@#' + self._csrf_id)[:CSRF_TOKEN_LENGTH]
req = self._get_GET_no_csrf_cookie_request()
req.COOKIES[settings.CSRF_COOKIE_NAME] = token
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
self.assertNotEqual(csrf_cookie.value, token)
def _get_post(self): def test_bare_secret_accepted_and_replaced(self):
if self.raise_error: """
self._load_post_and_files() The csrf token is reset from a bare secret.
return self._post """
req = self._get_POST_bare_secret_csrf_cookie_request_with_token()
req2 = CsrfViewMiddleware().process_view(req, token_view, (), {})
self.assertIsNone(req2)
resp = token_view(req)
resp = CsrfViewMiddleware().process_response(req, resp)
self.assertIn(settings.CSRF_COOKIE_NAME, resp.cookies, "Cookie was not reset from bare secret")
csrf_cookie = resp.cookies[settings.CSRF_COOKIE_NAME]
self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
self._check_token_present(resp, csrf_id=csrf_cookie.value)
def _set_post(self, post): @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True)
self._post = post def test_https_good_referer_behind_proxy(self):
"""
A POST HTTPS request is accepted when USE_X_FORWARDED_PORT=True.
"""
self._test_https_good_referer_behind_proxy()
POST = property(_get_post, _set_post) @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com')
def test_https_good_referer_matches_cookie_domain(self):
"""
A POST HTTPS request with a good referer should be accepted from a
subdomain that's allowed by CSRF_COOKIE_DOMAIN.
"""
self._test_https_good_referer_matches_cookie_domain()
token = ('ABC' + self._csrf_id)[:CSRF_TOKEN_LENGTH] @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com')
def test_https_good_referer_matches_cookie_domain_with_different_port(self):
"""
A POST HTTPS request with a good referer should be accepted from a
subdomain that's allowed by CSRF_COOKIE_DOMAIN and a non-443 port.
"""
self._test_https_good_referer_matches_cookie_domain_with_different_port()
req = CsrfPostRequest(token, raise_error=False) @override_settings(CSRF_COOKIE_DOMAIN='.example.com', DEBUG=True)
resp = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) def test_https_reject_insecure_referer(self):
self.assertIsNone(resp) """
A POST HTTPS request from an insecure referer should be rejected.
"""
req = self._get_POST_request_with_token()
req._is_secure_override = True
req.META['HTTP_REFERER'] = 'http://example.com/'
req.META['SERVER_PORT'] = '443'
response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertContains(
response,
'Referer checking failed - Referer is insecure while host is secure.',
status_code=403,
)
req = CsrfPostRequest(token, raise_error=True)
with patch_logger('django.security.csrf', 'warning') as logger_calls: @override_settings(CSRF_USE_SESSIONS=True, CSRF_COOKIE_DOMAIN=None)
resp = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
self.assertEqual(resp.status_code, 403) """
self.assertEqual(logger_calls[0], 'Forbidden (%s): ' % REASON_BAD_TOKEN) CSRF tests with CSRF_USE_SESSIONS=True.
"""
def _get_POST_bare_secret_csrf_cookie_request(self):
req = self._get_POST_no_csrf_cookie_request()
req.session[CSRF_SESSION_KEY] = self._csrf_id_cookie[:32]
return req
def _get_GET_csrf_cookie_request(self):
req = TestingHttpRequest()
req.session[CSRF_SESSION_KEY] = self._csrf_id_cookie
return req
def test_no_session_on_request(self):
msg = (
'CSRF_USE_SESSIONS is enabled, but request.session is not set. '
'SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.'
)
with self.assertRaisesMessage(ImproperlyConfigured, msg):
CsrfViewMiddleware().process_view(HttpRequest(), None, (), {})
def test_process_response_get_token_used(self):
"""The ensure_csrf_cookie() decorator works without middleware."""
@ensure_csrf_cookie
def view(request):
# Doesn't insert a token or anything
return HttpResponse(content="")
req = self._get_GET_no_csrf_cookie_request()
view(req)
self.assertTrue(req.session.get(CSRF_SESSION_KEY, False))
def test_ensures_csrf_cookie_with_middleware(self):
"""
The ensure_csrf_cookie() decorator works with the CsrfViewMiddleware
enabled.
"""
@ensure_csrf_cookie
def view(request):
# Doesn't insert a token or anything
return HttpResponse(content="")
req = self._get_GET_no_csrf_cookie_request()
CsrfViewMiddleware().process_view(req, view, (), {})
resp = view(req)
CsrfViewMiddleware().process_response(req, resp)
self.assertTrue(req.session.get(CSRF_SESSION_KEY, False))
def test_token_node_with_new_csrf_cookie(self):
"""
CsrfTokenNode works when a CSRF cookie is created by the middleware
(when one was not already present).
"""
req = self._get_GET_no_csrf_cookie_request()
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = req.session[CSRF_SESSION_KEY]
self._check_token_present(resp, csrf_id=csrf_cookie)
@override_settings(
ALLOWED_HOSTS=['www.example.com'],
SESSION_COOKIE_DOMAIN='.example.com',
USE_X_FORWARDED_PORT=True,
DEBUG=True,
)
def test_https_good_referer_behind_proxy(self):
"""
A POST HTTPS request is accepted when USE_X_FORWARDED_PORT=True.
"""
self._test_https_good_referer_behind_proxy()
@override_settings(ALLOWED_HOSTS=['www.example.com'], SESSION_COOKIE_DOMAIN='.example.com')
def test_https_good_referer_matches_cookie_domain(self):
"""
A POST HTTPS request with a good referer should be accepted from a
subdomain that's allowed by SESSION_COOKIE_DOMAIN.
"""
self._test_https_good_referer_matches_cookie_domain()
@override_settings(ALLOWED_HOSTS=['www.example.com'], SESSION_COOKIE_DOMAIN='.example.com')
def test_https_good_referer_matches_cookie_domain_with_different_port(self):
"""
A POST HTTPS request with a good referer should be accepted from a
subdomain that's allowed by SESSION_COOKIE_DOMAIN and a non-443 port.
"""
self._test_https_good_referer_matches_cookie_domain_with_different_port()
@override_settings(SESSION_COOKIE_DOMAIN='.example.com', DEBUG=True)
def test_https_reject_insecure_referer(self):
"""
A POST HTTPS request from an insecure referer should be rejected.
"""
req = self._get_POST_request_with_token()
req._is_secure_override = True
req.META['HTTP_REFERER'] = 'http://example.com/'
req.META['SERVER_PORT'] = '443'
response = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertContains(
response,
'Referer checking failed - Referer is insecure while host is secure.',
status_code=403,
)