Loading django/core/context_processors.py +7 −4 Original line number Diff line number Diff line Loading @@ -6,12 +6,15 @@ and returns a dictionary to add to the context. These are referenced from the setting TEMPLATE_CONTEXT_PROCESSORS and used by RequestContext. """ from __future__ import unicode_literals from django.conf import settings from django.middleware.csrf import get_token from django.utils.encoding import smart_bytes from django.utils import six from django.utils.encoding import smart_text from django.utils.functional import lazy def csrf(request): """ Context processor that provides a CSRF token, or the string 'NOTPROVIDED' if Loading @@ -23,10 +26,10 @@ def csrf(request): # In order to be able to provide debugging info in the # case of misconfiguration, we use a sentinel value # instead of returning an empty dict. return b'NOTPROVIDED' return 'NOTPROVIDED' else: return smart_bytes(token) _get_val = lazy(_get_val, str) return smart_text(token) _get_val = lazy(_get_val, six.text_type) return {'csrf_token': _get_val() } Loading django/middleware/csrf.py +4 −3 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. """ from __future__ import unicode_literals import hashlib import re Loading @@ -12,6 +13,7 @@ import random from django.conf import settings from django.core.urlresolvers import get_callable from django.utils.cache import patch_vary_headers from django.utils.encoding import force_text from django.utils.http import same_origin from django.utils.log import getLogger from django.utils.crypto import constant_time_compare, get_random_string Loading Loading 
@@ -51,11 +53,10 @@ def get_token(request): def _sanitize_token(token): # Allow only alphanum, and ensure we return a 'str' for the sake # of the post processing middleware. # Allow only alphanum if len(token) > CSRF_KEY_LENGTH: return _get_new_csrf_key() token = re.sub('[^a-zA-Z0-9]+', '', str(token.decode('ascii', 'ignore'))) token = re.sub('[^a-zA-Z0-9]+', '', force_text(token)) if token == "": # In case the cookie has been truncated to nothing at some point. return _get_new_csrf_key() Loading tests/regressiontests/csrf_tests/tests.py +1 −1 Original line number Diff line number Diff line Loading @@ -216,7 +216,7 @@ class CsrfViewMiddlewareTest(TestCase): """ req = self._get_GET_no_csrf_cookie_request() resp = token_view(req) self.assertEqual("", resp.content) self.assertEqual(resp.content, b'') def test_token_node_empty_csrf_cookie(self): """ Loading Loading
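Review bot: The new `force_text(token)` call in `_sanitize_token` decodes with force_text's default `errors='strict'`, while the line it replaces decoded with `'ignore'`, so a cookie value carrying bytes that are not valid UTF-8 would now raise a decode error instead of being reduced to alphanumerics and then replaced via `_get_new_csrf_key()`. Whether an undecoded byte string can still reach this function depends on how the cookie dict is built on Python 2, which is outside the hunk, but turning "malformed cookie, regenerate the key" into an exception on a request path is a regression worth closing: `token = re.sub('[^a-zA-Z0-9]+', '', force_text(token, errors='ignore'))`. The comment above the length check could also say that sanitizing never fails: `# Allow only alphanum; any undecodable or over-long value is replaced by a fresh key`. The function's final return lies past the end of the hunk, and the second rendering of django/middleware/csrf.py further down the page shows the same hunk.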
django/core/context_processors.py +7 −4 Original line number Diff line number Diff line Loading @@ -6,12 +6,15 @@ and returns a dictionary to add to the context. These are referenced from the setting TEMPLATE_CONTEXT_PROCESSORS and used by RequestContext. """ from __future__ import unicode_literals from django.conf import settings from django.middleware.csrf import get_token from django.utils.encoding import smart_bytes from django.utils import six from django.utils.encoding import smart_text from django.utils.functional import lazy def csrf(request): """ Context processor that provides a CSRF token, or the string 'NOTPROVIDED' if Loading @@ -23,10 +26,10 @@ def csrf(request): # In order to be able to provide debugging info in the # case of misconfiguration, we use a sentinel value # instead of returning an empty dict. return b'NOTPROVIDED' return 'NOTPROVIDED' else: return smart_bytes(token) _get_val = lazy(_get_val, str) return smart_text(token) _get_val = lazy(_get_val, six.text_type) return {'csrf_token': _get_val() } Loading
django/middleware/csrf.py +4 −3 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites. """ from __future__ import unicode_literals import hashlib import re Loading @@ -12,6 +13,7 @@ import random from django.conf import settings from django.core.urlresolvers import get_callable from django.utils.cache import patch_vary_headers from django.utils.encoding import force_text from django.utils.http import same_origin from django.utils.log import getLogger from django.utils.crypto import constant_time_compare, get_random_string Loading Loading @@ -51,11 +53,10 @@ def get_token(request): def _sanitize_token(token): # Allow only alphanum, and ensure we return a 'str' for the sake # of the post processing middleware. # Allow only alphanum if len(token) > CSRF_KEY_LENGTH: return _get_new_csrf_key() token = re.sub('[^a-zA-Z0-9]+', '', str(token.decode('ascii', 'ignore'))) token = re.sub('[^a-zA-Z0-9]+', '', force_text(token)) if token == "": # In case the cookie has been truncated to nothing at some point. return _get_new_csrf_key() Loading
tests/regressiontests/csrf_tests/tests.py +1 −1 Original line number Diff line number Diff line Loading @@ -216,7 +216,7 @@ class CsrfViewMiddlewareTest(TestCase): """ req = self._get_GET_no_csrf_cookie_request() resp = token_view(req) self.assertEqual("", resp.content) self.assertEqual(resp.content, b'') def test_token_node_empty_csrf_cookie(self): """ Loading