Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.

2018-09-01 16:32:35 +02:00 · 2018-09-01 16:32:35 +02:00 · 22e8ab0286
parent f315d0423a
commit 22e8ab0286
2 changed files with 17 additions and 3 deletions
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@ -181,7 +181,8 @@ class CsrfViewMiddleware(MiddlewareMixin):

    def _set_token(self, request, response):
        if settings.CSRF_USE_SESSIONS:
-            request.session[CSRF_SESSION_KEY] = request.META['CSRF_COOKIE']
+            if request.session.get(CSRF_SESSION_KEY) != request.META['CSRF_COOKIE']:
+                request.session[CSRF_SESSION_KEY] = request.META['CSRF_COOKIE']
        else:
            response.set_cookie(
                settings.CSRF_COOKIE_NAME,
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@ -1,6 +1,7 @@
 import re

 from django.conf import settings
+from django.contrib.sessions.backends.cache import SessionStore
 from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest
 from django.middleware.csrf import (
@ -24,8 +25,7 @@ class TestingHttpRequest(HttpRequest):
    """
    def __init__(self):
        super().__init__()
-        # A real session backend isn't needed.
-        self.session = {}
+        self.session = SessionStore()

    def is_secure(self):
        return getattr(self, '_is_secure_override', False)
@ -693,6 +693,19 @@ class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTest
        ensure_csrf_cookie_view(req)
        self.assertTrue(req.session.get(CSRF_SESSION_KEY, False))

+    def test_session_modify(self):
+        """The session isn't saved if the CSRF cookie is unchanged."""
+        req = self._get_GET_no_csrf_cookie_request()
+        self.mw.process_view(req, ensure_csrf_cookie_view, (), {})
+        resp = ensure_csrf_cookie_view(req)
+        self.mw.process_response(req, resp)
+        self.assertIsNotNone(req.session.get(CSRF_SESSION_KEY))
+        req.session.modified = False
+        self.mw.process_view(req, ensure_csrf_cookie_view, (), {})
+        resp = ensure_csrf_cookie_view(req)
+        self.mw.process_response(req, resp)
+        self.assertFalse(req.session.modified)
+
    def test_ensures_csrf_cookie_with_middleware(self):
        """
        The ensure_csrf_cookie() decorator works with the CsrfViewMiddleware