← Back to branch summary

~ubuntu-branches/debian/sid/python-django/sid

« back to all changes in this revision

Viewing changes to django/middleware/csrf.py

  • Committer: Package Import Robot
  • Author(s): Luke Faraone
  • Date: 2013-11-07 15:33:49 UTC
  • mfrom: (1.3.12)
  • Revision ID: package-import@ubuntu.com-20131107153349-e31sc149l2szs3jb
Tags: 1.6-1
http://bugs.debian.org/557474
http://bugs.debian.org/724637
http://bugs.debian.org/636511
http://bugs.debian.org/686333
http://bugs.debian.org/704203
* New upstream version. Closes: #557474, #724637.
* python-django now also suggests the installation of ipython,
  bpython, python-django-doc, and libgdal1.
  Closes: #636511, #686333, #704203
* Set package maintainer to Debian Python Modules Team.
* Bump standards version to 3.9.5, no changes needed.

Show diffs side-by-side

added added

removed removed

Lines of Context:
django/middleware/csrf.py
6
6
"""
7
7
from __future__ import unicode_literals
8
8
 
9
 
import hashlib
10
9
import logging
11
10
import re
12
 
import random
13
11
 
14
12
from django.conf import settings
15
13
from django.core.urlresolvers import get_callable
58
56
    Changes the CSRF token in use for a request - should be done on login
59
57
    for security purposes.
60
58
    """
61
 
    request.META["CSRF_COOKIE"] = _get_new_csrf_key()
 
59
    request.META.update({
 
60
        "CSRF_COOKIE_USED": True,
 
61
        "CSRF_COOKIE": _get_new_csrf_key(),
 
62
    })
62
63
 
63
64
 
64
65
def _sanitize_token(token):
91
92
        return None
92
93
 
93
94
    def _reject(self, request, reason):
 
95
        logger.warning('Forbidden (%s): %s',
 
96
                       reason, request.path,
 
97
            extra={
 
98
                'status_code': 403,
 
99
                'request': request,
 
100
            }
 
101
        )
94
102
        return _get_failure_view()(request, reason=reason)
95
103
 
96
104
    def process_view(self, request, callback, callback_args, callback_kwargs):
142
150
                # we can use strict Referer checking.
143
151
                referer = request.META.get('HTTP_REFERER')
144
152
                if referer is None:
145
 
                    logger.warning('Forbidden (%s): %s',
146
 
                                   REASON_NO_REFERER, request.path,
147
 
                        extra={
148
 
                            'status_code': 403,
149
 
                            'request': request,
150
 
                        }
151
 
                    )
152
153
                    return self._reject(request, REASON_NO_REFERER)
153
154
 
154
155
                # Note that request.get_host() includes the port.
155
156
                good_referer = 'https://%s/' % request.get_host()
156
157
                if not same_origin(referer, good_referer):
157
158
                    reason = REASON_BAD_REFERER % (referer, good_referer)
158
 
                    logger.warning('Forbidden (%s): %s', reason, request.path,
159
 
                        extra={
160
 
                            'status_code': 403,
161
 
                            'request': request,
162
 
                        }
163
 
                    )
164
159
                    return self._reject(request, reason)
165
160
 
166
161
            if csrf_token is None:
167
162
                # No CSRF cookie. For POST requests, we insist on a CSRF cookie,
168
163
                # and in this way we can avoid all CSRF attacks, including login
169
164
                # CSRF.
170
 
                logger.warning('Forbidden (%s): %s',
171
 
                               REASON_NO_CSRF_COOKIE, request.path,
172
 
                    extra={
173
 
                        'status_code': 403,
174
 
                        'request': request,
175
 
                    }
176
 
                )
177
165
                return self._reject(request, REASON_NO_CSRF_COOKIE)
178
166
 
179
167
            # Check non-cookie token for match.
187
175
                request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
188
176
 
189
177
            if not constant_time_compare(request_csrf_token, csrf_token):
190
 
                logger.warning('Forbidden (%s): %s',
191
 
                               REASON_BAD_TOKEN, request.path,
192
 
                    extra={
193
 
                        'status_code': 403,
194
 
                        'request': request,
195
 
                    }
196
 
                )
197
178
                return self._reject(request, REASON_BAD_TOKEN)
198
179
 
199
180
        return self._accept(request)
218
199
                            max_age = 60 * 60 * 24 * 7 * 52,
219
200
                            domain=settings.CSRF_COOKIE_DOMAIN,
220
201
                            path=settings.CSRF_COOKIE_PATH,
221
 
                            secure=settings.CSRF_COOKIE_SECURE
 
202
                            secure=settings.CSRF_COOKIE_SECURE,
 
203
                            httponly=settings.CSRF_COOKIE_HTTPONLY
222
204
                            )
223
205
        # Content varies with the CSRF cookie, so set the Vary header.
224
206
        patch_vary_headers(response, ('Cookie',))