Commit Graph

92 Commits

Author SHA1 Message Date
Mariusz Felisiak 7119f40c98 Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07 20:37:05 +01:00
django-bot 9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Chris Jerdonek 3ff7f6cf07 Refs #32800 -- Renamed _sanitize_token() to _check_token_format(). 2021-11-29 10:48:31 +01:00
Chris Jerdonek 5d80843ebc Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret.
This also adds CSRF_COOKIE_MASKED transitional setting helpful in
migrating multiple instance of the same project to Django 4.1+.

Thanks Florian Apolloner and Shai Berger for reviews.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-11-29 10:47:39 +01:00
Chris Jerdonek 3f0025c18a Refs #32800 -- Avoided use of _does_token_match() in some CSRF tests. 2021-11-16 11:21:30 +01:00
Chris Jerdonek 0820175d81 Refs #32800 -- Added CSRF tests for masked and unmasked secrets during GET. 2021-11-16 11:02:32 +01:00
Chris Jerdonek be1fd6645d Refs #32800 -- Added test_masked_secret_accepted_and_not_replaced().
This improves test_bare_secret_accepted_and_replaced() by adding a stronger
assertion. It also adds a parallel test for the non-bare (masked) case.
2021-08-17 12:23:54 +02:00
Chris Jerdonek 7aba820aca Refs #32800 -- Improved CsrfViewMiddlewareTestMixin._check_token_present().
This changes CsrfViewMiddlewareTestMixin._check_token_present() to give more
detailed information if the check fails, and in particular why it failed. It
also moves CsrfFunctionTests.assertMaskedSecretCorrect() to a separate
CsrfFunctionTestMixin so the helper can be used in CsrfViewMiddlewareTestMixin.
2021-08-17 12:23:54 +02:00
Chris Jerdonek 26d8e3f302 Refs #32800 -- Used the cookie argument to CsrfViewMiddlewareTestMixin._get_request() in more tests. 2021-08-17 12:23:54 +02:00
Chris Jerdonek 795051b2b0 Refs #32800 -- Added tests of more CSRF functions. 2021-08-03 07:16:31 +02:00
Chris Jerdonek 7132341255 Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match(). 2021-08-03 07:10:31 +02:00
Virtosu Bogdan 00ea883ef5 Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError.
Thanks Chris Jerdonek for the review.
2021-07-23 13:10:41 +02:00
Virtosu Bogdan 852fa7617e Refs #32329 -- Allowed specifying request class in csrf_tests test hooks. 2021-07-23 12:13:31 +02:00
Chris Jerdonek 3cfcb8cbc8 Refs #32902 -- Moved ensure_csrf_cookie_view after protected_view. 2021-07-23 07:09:36 +02:00
Chris Jerdonek a2e1f1e295 Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset logic.
Thanks Florian Apolloner and Shai Berger for reviews.
2021-07-23 07:08:45 +02:00
Chris Jerdonek 311401d9a2 Refs #32902 -- Added CSRF test when rotate_token() is called between resetting the token and processing response. 2021-07-23 06:56:53 +02:00
Chris Jerdonek 43d1ea6e2f Refs #32885 -- Used _read_csrf_cookie()/_set_csrf_cookie() in more CSRF tests. 2021-06-30 07:48:15 +02:00
Chris Jerdonek abc8795632 Fixed #32885 -- Removed cookie-based token specific logic from CsrfViewMiddlewareTestMixin. 2021-06-30 07:48:15 +02:00
Chris Jerdonek 594d6e9407 Refs #32843 -- Added CsrfViewMiddlewareTestMixin._get_csrf_cookie_request() hook. 2021-06-29 08:56:13 +02:00
Chris Jerdonek c8439d1dba Refs #32843 -- Added method/cookie arguments to CsrfViewMiddlewareTestMixin._get_request().
This also removes unnecessary test hooks.
2021-06-29 08:56:13 +02:00
Chris Jerdonek 6bccb64347 Refs #32843 -- Moved _get_GET_csrf_cookie_request() to CsrfViewMiddlewareTestMixin. 2021-06-29 08:56:05 +02:00
Chris Jerdonek 4397d2bd6b Fixed #32843 -- Ensured the CSRF tests' _get_GET_csrf_cookie_request() sets the request method. 2021-06-29 08:14:25 +02:00
Chris Jerdonek 5e60c3943b Refs #32800 -- Added CsrfViewMiddleware tests for all combinations of masked/unmasked cookies and tokens. 2021-06-28 08:31:30 +02:00
Chris Jerdonek defa8d3d87 Refs #32800 -- Made CsrfViewMiddlewareTestMixin._csrf_id_cookie and _csrf_id_token different.
This also renames CsrfViewMiddlewareTestMixin._csrf_id to _csrf_id_token.
2021-06-28 08:09:53 +02:00
Chris Jerdonek 2523c32d50 Refs #32800 -- Eliminated the need for separate _get_POST_bare_secret() methods. 2021-06-28 08:08:43 +02:00
Chris Jerdonek c8108591b9 Refs #32800 -- Added to csrf_tests/tests.py the unmasked version of the secret.
This also adds tests that the secret is correct, and updates existing
tests to use the value.
2021-06-28 07:59:22 +02:00
Chris Jerdonek fcb75651f9 Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token error messages. 2021-06-23 16:07:15 +02:00
Chris Jerdonek 1a284afb07 Refs #32817 -- Added tests for bad CSRF token provided via X-CSRFToken or custom header. 2021-06-23 16:07:07 +02:00
Chris Jerdonek 6837bd68a4 Refs #32817 -- Added post_token/meta_token/token_header arguments to _get_POST_csrf_cookie_request(). 2021-06-23 16:07:07 +02:00
Chris Jerdonek 999402f142 Refs #32817 -- Combined the bad-or-missing CSRF token tests. 2021-06-23 16:07:07 +02:00
Chris Jerdonek cd19db10df Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly formatted cookie tokens. 2021-06-01 09:02:27 +02:00
Chris Jerdonek 623cec0879 Refs #32796 -- Added CsrfViewMiddleware tests for incorrectly formatted cookie tokens. 2021-06-01 09:02:23 +02:00
Chris Jerdonek 55775891fb Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly formatted tokens. 2021-05-31 21:12:21 +02:00
Chris Jerdonek ffdee8d264 Refs #32795 -- Added CsrfViewMiddleware tests for rejecting invalid or missing tokens.
This also improves test names for test_process_request_no_csrf_cookie
and test_process_request_csrf_cookie_no_token. The logic being tested
is actually in process_view() rather than process_request(), and it's
not necessary to include the method name.
2021-05-31 21:12:17 +02:00
Chris Jerdonek 71179a6124 Fixed #32596 -- Added CsrfViewMiddleware._check_referer().
This encapsulates CsrfViewMiddleware's referer logic into a method and
updates existing tests to check the "seam" introduced by the refactor,
when doing so would improve the test.
2021-05-28 07:31:56 +02:00
Chris Jerdonek 02c59b7a43 Refs #32596 -- Added extra tests for CsrfViewMiddleware's referer logic. 2021-05-27 10:53:20 +02:00
Chris Jerdonek ff514309e1 Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host. 2021-03-25 10:34:58 +01:00
Mariusz Felisiak 717b5e633a
Made CsrfViewMiddlewareTestMixin._get_GET_no_csrf_cookie_request() return GET requests. 2021-03-22 08:22:58 +01:00
Adam Donaghy e49fdfa405 Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header. 2021-03-19 11:19:19 +01:00
Tim Graham 2411b8b5eb Fixed #16010 -- Added Origin header checking to CSRF middleware.
Thanks David Benjamin for the original patch, and Florian
Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
2021-03-18 20:25:20 +01:00
Tim Graham dba44a7a7a Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme. 2021-03-18 20:00:22 +01:00
François Freitag 7ca7f4495b Refs #21429 -- Added SimpleTestCase.assertNoLogs() on Python < 3.10. 2021-03-02 20:35:33 +01:00
Jon Dufresne d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__().
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
Ram Rachum 5b09354954
Fixed #31291 -- Renamed salt to mask for CSRF tokens. 2020-02-25 14:16:19 +01:00
Claude Paroz 4d973f5939 Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
Claude Paroz 9d5a487f33 Dropped obsolete mimetype kwarg in csrf test view 2019-09-21 20:46:39 +02:00
Jon Dufresne 7785e03ba8 Fixed #30137 -- Replaced OSError aliases with the canonical OSError.
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-28 11:15:06 -05:00
Michal Čihař 22e8ab0286 Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged. 2018-09-08 11:46:13 -04:00
Claude Paroz 607970f31c Replaced django.test.utils.patch_logger() with assertLogs().
Thanks Tim Graham for the review.
2018-05-07 09:34:00 -04:00
CHI Cheng 98019df855 Used double quotation marks for csrf form element. 2018-05-03 08:57:18 +02:00