1
# -*- coding: utf-8 -*-
2
from __future__ import unicode_literals
4
from django.conf import settings
5
from django.core.context_processors import csrf
6
from django.http import HttpRequest, HttpResponse
7
from django.middleware.csrf import CsrfViewMiddleware, CSRF_KEY_LENGTH
8
from django.template import RequestContext, Template
9
from django.test import TestCase
10
from django.test.utils import override_settings
11
from django.views.decorators.csrf import csrf_exempt, requires_csrf_token, ensure_csrf_cookie
14
# Response/views used for CsrfResponseMiddleware and CsrfViewMiddleware tests
15
def post_form_response():
16
resp = HttpResponse(content="""
17
<html><body><h1>\u00a1Unicode!<form method="post"><input type="text" /></form></body></html>
18
""", mimetype="text/html")
21
def post_form_view(request):
22
"""A view that returns a POST form (without a token)"""
23
return post_form_response()
25
# Response/views used for template tag tests
27
def token_view(request):
28
"""A view that uses {% csrf_token %}"""
29
context = RequestContext(request, processors=[csrf])
30
template = Template("{% csrf_token %}")
31
return HttpResponse(template.render(context))
33
def non_token_view_using_request_processor(request):
35
A view that doesn't use the token, but does use the csrf view processor.
37
context = RequestContext(request, processors=[csrf])
38
template = Template("")
39
return HttpResponse(template.render(context))
41
class TestingHttpRequest(HttpRequest):
43
A version of HttpRequest that allows us to change some things
47
return getattr(self, '_is_secure_override', False)
49
class CsrfViewMiddlewareTest(TestCase):
50
# The csrf token is potentially from an untrusted source, so could have
51
# characters that need dealing with.
52
_csrf_id_cookie = b"<1>\xc2\xa1"
55
def _get_GET_no_csrf_cookie_request(self):
56
return TestingHttpRequest()
58
def _get_GET_csrf_cookie_request(self):
59
req = TestingHttpRequest()
60
req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie
63
def _get_POST_csrf_cookie_request(self):
64
req = self._get_GET_csrf_cookie_request()
68
def _get_POST_no_csrf_cookie_request(self):
69
req = self._get_GET_no_csrf_cookie_request()
73
def _get_POST_request_with_token(self):
74
req = self._get_POST_csrf_cookie_request()
75
req.POST['csrfmiddlewaretoken'] = self._csrf_id
78
def _check_token_present(self, response, csrf_id=None):
79
self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))
81
def test_process_view_token_too_long(self):
83
Check that if the token is longer than expected, it is ignored and
84
a new token is created.
86
req = self._get_GET_no_csrf_cookie_request()
87
req.COOKIES[settings.CSRF_COOKIE_NAME] = 'x' * 10000000
88
CsrfViewMiddleware().process_view(req, token_view, (), {})
89
resp = token_view(req)
90
resp2 = CsrfViewMiddleware().process_response(req, resp)
91
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
92
self.assertEqual(len(csrf_cookie.value), CSRF_KEY_LENGTH)
94
def test_process_response_get_token_used(self):
96
When get_token is used, check that the cookie is created and headers
99
req = self._get_GET_no_csrf_cookie_request()
101
# Put tests for CSRF_COOKIE_* settings here
102
with self.settings(CSRF_COOKIE_NAME='myname',
103
CSRF_COOKIE_DOMAIN='.example.com',
104
CSRF_COOKIE_PATH='/test/',
105
CSRF_COOKIE_SECURE=True):
106
# token_view calls get_token() indirectly
107
CsrfViewMiddleware().process_view(req, token_view, (), {})
108
resp = token_view(req)
109
resp2 = CsrfViewMiddleware().process_response(req, resp)
110
csrf_cookie = resp2.cookies.get('myname', False)
111
self.assertNotEqual(csrf_cookie, False)
112
self.assertEqual(csrf_cookie['domain'], '.example.com')
113
self.assertEqual(csrf_cookie['secure'], True)
114
self.assertEqual(csrf_cookie['path'], '/test/')
115
self.assertTrue('Cookie' in resp2.get('Vary',''))
117
def test_process_response_get_token_not_used(self):
119
Check that if get_token() is not called, the view middleware does not
122
# This is important to make pages cacheable. Pages which do call
123
# get_token(), assuming they use the token, are not cacheable because
124
# the token is specific to the user
125
req = self._get_GET_no_csrf_cookie_request()
126
# non_token_view_using_request_processor does not call get_token(), but
127
# does use the csrf request processor. By using this, we are testing
128
# that the view processor is properly lazy and doesn't call get_token()
130
CsrfViewMiddleware().process_view(req, non_token_view_using_request_processor, (), {})
131
resp = non_token_view_using_request_processor(req)
132
resp2 = CsrfViewMiddleware().process_response(req, resp)
134
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
135
self.assertEqual(csrf_cookie, False)
137
# Check the request processing
138
def test_process_request_no_csrf_cookie(self):
140
Check that if no CSRF cookies is present, the middleware rejects the
141
incoming request. This will stop login CSRF.
143
req = self._get_POST_no_csrf_cookie_request()
144
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
145
self.assertEqual(403, req2.status_code)
147
def test_process_request_csrf_cookie_no_token(self):
149
Check that if a CSRF cookie is present but no token, the middleware
150
rejects the incoming request.
152
req = self._get_POST_csrf_cookie_request()
153
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
154
self.assertEqual(403, req2.status_code)
156
def test_process_request_csrf_cookie_and_token(self):
158
Check that if both a cookie and a token is present, the middleware lets it through.
160
req = self._get_POST_request_with_token()
161
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
162
self.assertEqual(None, req2)
164
def test_process_request_csrf_cookie_no_token_exempt_view(self):
166
Check that if a CSRF cookie is present and no token, but the csrf_exempt
167
decorator has been applied to the view, the middleware lets it through
169
req = self._get_POST_csrf_cookie_request()
170
req2 = CsrfViewMiddleware().process_view(req, csrf_exempt(post_form_view), (), {})
171
self.assertEqual(None, req2)
173
def test_csrf_token_in_header(self):
175
Check that we can pass in the token in a header instead of in the form
177
req = self._get_POST_csrf_cookie_request()
178
req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
179
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
180
self.assertEqual(None, req2)
182
def test_put_and_delete_rejected(self):
184
Tests that HTTP PUT and DELETE methods have protection
186
req = TestingHttpRequest()
188
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
189
self.assertEqual(403, req2.status_code)
191
req = TestingHttpRequest()
192
req.method = 'DELETE'
193
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
194
self.assertEqual(403, req2.status_code)
196
def test_put_and_delete_allowed(self):
198
Tests that HTTP PUT and DELETE methods can get through with
199
X-CSRFToken and a cookie
201
req = self._get_GET_csrf_cookie_request()
203
req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
204
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
205
self.assertEqual(None, req2)
207
req = self._get_GET_csrf_cookie_request()
208
req.method = 'DELETE'
209
req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
210
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
211
self.assertEqual(None, req2)
213
# Tests for the template tag method
214
def test_token_node_no_csrf_cookie(self):
216
Check that CsrfTokenNode works when no CSRF cookie is set
218
req = self._get_GET_no_csrf_cookie_request()
219
resp = token_view(req)
220
self.assertEqual(resp.content, b'')
222
def test_token_node_empty_csrf_cookie(self):
224
Check that we get a new token if the csrf_cookie is the empty string
226
req = self._get_GET_no_csrf_cookie_request()
227
req.COOKIES[settings.CSRF_COOKIE_NAME] = b""
228
CsrfViewMiddleware().process_view(req, token_view, (), {})
229
resp = token_view(req)
231
self.assertNotEqual("", resp.content)
233
def test_token_node_with_csrf_cookie(self):
235
Check that CsrfTokenNode works when a CSRF cookie is set
237
req = self._get_GET_csrf_cookie_request()
238
CsrfViewMiddleware().process_view(req, token_view, (), {})
239
resp = token_view(req)
240
self._check_token_present(resp)
242
def test_get_token_for_exempt_view(self):
244
Check that get_token still works for a view decorated with 'csrf_exempt'.
246
req = self._get_GET_csrf_cookie_request()
247
CsrfViewMiddleware().process_view(req, csrf_exempt(token_view), (), {})
248
resp = token_view(req)
249
self._check_token_present(resp)
251
def test_get_token_for_requires_csrf_token_view(self):
253
Check that get_token works for a view decorated solely with requires_csrf_token
255
req = self._get_GET_csrf_cookie_request()
256
resp = requires_csrf_token(token_view)(req)
257
self._check_token_present(resp)
259
def test_token_node_with_new_csrf_cookie(self):
261
Check that CsrfTokenNode works when a CSRF cookie is created by
262
the middleware (when one was not already present)
264
req = self._get_GET_no_csrf_cookie_request()
265
CsrfViewMiddleware().process_view(req, token_view, (), {})
266
resp = token_view(req)
267
resp2 = CsrfViewMiddleware().process_response(req, resp)
268
csrf_cookie = resp2.cookies[settings.CSRF_COOKIE_NAME]
269
self._check_token_present(resp, csrf_id=csrf_cookie.value)
271
@override_settings(ALLOWED_HOSTS=['www.example.com'])
272
def test_https_bad_referer(self):
274
Test that a POST HTTPS request with a bad referer is rejected
276
req = self._get_POST_request_with_token()
277
req._is_secure_override = True
278
req.META['HTTP_HOST'] = 'www.example.com'
279
req.META['HTTP_REFERER'] = 'https://www.evil.org/somepage'
280
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
281
self.assertNotEqual(None, req2)
282
self.assertEqual(403, req2.status_code)
284
@override_settings(ALLOWED_HOSTS=['www.example.com'])
285
def test_https_good_referer(self):
287
Test that a POST HTTPS request with a good referer is accepted
289
req = self._get_POST_request_with_token()
290
req._is_secure_override = True
291
req.META['HTTP_HOST'] = 'www.example.com'
292
req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
293
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
294
self.assertEqual(None, req2)
296
@override_settings(ALLOWED_HOSTS=['www.example.com'])
297
def test_https_good_referer_2(self):
299
Test that a POST HTTPS request with a good referer is accepted
300
where the referer contains no trailing slash
303
req = self._get_POST_request_with_token()
304
req._is_secure_override = True
305
req.META['HTTP_HOST'] = 'www.example.com'
306
req.META['HTTP_REFERER'] = 'https://www.example.com'
307
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
308
self.assertEqual(None, req2)
310
def test_ensures_csrf_cookie_no_middleware(self):
312
Tests that ensures_csrf_cookie decorator fulfils its promise
317
# Doesn't insert a token or anything
318
return HttpResponse(content="")
320
req = self._get_GET_no_csrf_cookie_request()
322
self.assertTrue(resp.cookies.get(settings.CSRF_COOKIE_NAME, False))
323
self.assertTrue('Cookie' in resp.get('Vary',''))
325
def test_ensures_csrf_cookie_with_middleware(self):
327
Tests that ensures_csrf_cookie decorator fulfils its promise
328
with the middleware enabled.
332
# Doesn't insert a token or anything
333
return HttpResponse(content="")
335
req = self._get_GET_no_csrf_cookie_request()
336
CsrfViewMiddleware().process_view(req, view, (), {})
338
resp2 = CsrfViewMiddleware().process_response(req, resp)
339
self.assertTrue(resp2.cookies.get(settings.CSRF_COOKIE_NAME, False))
340
self.assertTrue('Cookie' in resp2.get('Vary',''))