Refs #32596 -- Added extra tests for CsrfViewMiddleware's referer logic.

This commit is contained in:
Chris Jerdonek 2021-04-05 16:51:53 -07:00 committed by Mariusz Felisiak
parent e513fb0e77
commit 02c59b7a43
1 changed files with 28 additions and 0 deletions

View File

@ -305,6 +305,19 @@ class CsrfViewMiddlewareTestMixin:
status_code=403,
)
@override_settings(DEBUG=True)
def test_https_no_referer(self):
"""A POST HTTPS request with a missing referer is rejected."""
req = self._get_POST_request_with_token()
req._is_secure_override = True
mw = CsrfViewMiddleware(post_form_view)
response = mw.process_view(req, post_form_view, (), {})
self.assertContains(
response,
'Referer checking failed - no Referer.',
status_code=403,
)
def test_https_malformed_host(self):
"""
CsrfViewMiddleware generates a 403 response if it receives an HTTPS
@ -416,6 +429,21 @@ class CsrfViewMiddlewareTestMixin:
resp = mw.process_view(req, post_form_view, (), {})
self.assertIsNone(resp)
@override_settings(CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
def test_https_good_referer_malformed_host(self):
"""
A POST HTTPS request is accepted if it receives a good referer with
a bad host.
"""
req = self._get_POST_request_with_token()
req._is_secure_override = True
req.META['HTTP_HOST'] = '@malformed'
req.META['HTTP_REFERER'] = 'https://dashboard.example.com/somepage'
mw = CsrfViewMiddleware(post_form_view)
mw.process_request(req)
resp = mw.process_view(req, post_form_view, (), {})
self.assertIsNone(resp)
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
def test_https_csrf_trusted_origin_allowed(self):
"""