Refs #32596 -- Added extra tests for CsrfViewMiddleware's referer logic.

2021-04-05 16:51:53 -07:00 · 2021-04-05 16:51:53 -07:00 · 02c59b7a43
parent e513fb0e77
commit 02c59b7a43
1 changed files with 28 additions and 0 deletions
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@ -305,6 +305,19 @@ class CsrfViewMiddlewareTestMixin:
            status_code=403,
        )

+    @override_settings(DEBUG=True)
+    def test_https_no_referer(self):
+        """A POST HTTPS request with a missing referer is rejected."""
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        mw = CsrfViewMiddleware(post_form_view)
+        response = mw.process_view(req, post_form_view, (), {})
+        self.assertContains(
+            response,
+            'Referer checking failed - no Referer.',
+            status_code=403,
+        )
+
    def test_https_malformed_host(self):
        """
        CsrfViewMiddleware generates a 403 response if it receives an HTTPS
@ -416,6 +429,21 @@ class CsrfViewMiddlewareTestMixin:
        resp = mw.process_view(req, post_form_view, (), {})
        self.assertIsNone(resp)

+    @override_settings(CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
+    def test_https_good_referer_malformed_host(self):
+        """
+        A POST HTTPS request is accepted if it receives a good referer with
+        a bad host.
+        """
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = '@malformed'
+        req.META['HTTP_REFERER'] = 'https://dashboard.example.com/somepage'
+        mw = CsrfViewMiddleware(post_form_view)
+        mw.process_request(req)
+        resp = mw.process_view(req, post_form_view, (), {})
+        self.assertIsNone(resp)
+
    @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
    def test_https_csrf_trusted_origin_allowed(self):
        """