[1.2.X] Patch CSRF-protection system to deal with reported security issue.... (7f84657b) · Commits · Dom Sekotill / django

django/middleware/csrf.py

+4 −2

Original line number	Diff line number	Diff line
		@@ -13,6 +13,7 @@ from django.conf import settings
		from django.core.urlresolvers import get_callable
		from django.utils.cache import patch_vary_headers
		from django.utils.hashcompat import md5_constructor
		from django.utils.html import escape
		from django.utils.safestring import mark_safe

		_POST_FORM_RE = \
		@@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id):

		def get_token(request):
		"""
		Returns the the CSRF token required for a POST form.
		Returns the the CSRF token required for a POST form. No assumptions should
		be made about what characters might be in the CSRF token.

		A side effect of calling this function is to make the the csrf_protect
		decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
		@@ -233,7 +235,7 @@ class CsrfResponseMiddleware(object):
		"""Returns the matched <form> tag plus the added <input> element"""
		return mark_safe(match.group() + "<div style='display:none;'>" + \
		"<input type='hidden' " + idattributes.next() + \
		" name='csrfmiddlewaretoken' value='" + csrf_token + \
		" name='csrfmiddlewaretoken' value='" + escape(csrf_token) + \
		"' /></div>")

		# Modify any POST forms

+2 −1

Original line number	Diff line number	Diff line
		@@ -9,6 +9,7 @@ from django.template import TemplateSyntaxError, VariableDoesNotExist, BLOCK_TAG
		from django.template import get_library, Library, InvalidTemplateLibrary
		from django.template.smartif import IfParser, Literal
		from django.conf import settings
		from django.utils.html import escape
		from django.utils.encoding import smart_str, smart_unicode
		from django.utils.safestring import mark_safe

		@@ -42,7 +43,7 @@ class CsrfTokenNode(Node):
		if csrf_token == 'NOTPROVIDED':
		return mark_safe(u"")
		else:
		return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
		return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))
		else:
		# It's very probable that the token is missing because of
		# misconfiguration, so we raise a warning

+5 −2

Original line number	Diff line number	Diff line
		@@ -6,6 +6,7 @@ from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
		from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
		from django.core.context_processors import csrf
		from django.contrib.sessions.middleware import SessionMiddleware
		from django.utils.html import escape
		from django.utils.importlib import import_module
		from django.conf import settings
		from django.template import RequestContext, Template
		@@ -56,7 +57,9 @@ class TestingHttpRequest(HttpRequest):
		return getattr(self, '_is_secure', False)

		class CsrfMiddlewareTest(TestCase):
		_csrf_id = "1"
		# The csrf token is potentially from an untrusted source, so could have
		# characters that need escaping
		_csrf_id = "<1>"

		# This is a valid session token for this ID and secret key. This was generated using
		# the old code that we're to be backwards-compatible with. Don't use the CSRF code
		@@ -101,7 +104,7 @@ class CsrfMiddlewareTest(TestCase):
		return req

		def _check_token_present(self, response, csrf_id=None):
		self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))
		self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % escape(csrf_id or self._csrf_id))

		# Check the post processing and outgoing cookie
		def test_process_response_no_csrf_cookie(self):