← Back to branch summary

~ubuntu-branches/ubuntu/quantal/python-django/quantal-security

« back to all changes in this revision

Viewing changes to tests/regressiontests/csrf_tests/tests.py

  • Committer: Bazaar Package Importer
  • Author(s): Jamie Strandboge
  • Date: 2010-10-12 11:34:35 UTC
  • mfrom: (1.2.7 upstream)
  • mto: This revision was merged to the branch mainline in revision 30.
  • Revision ID: james.westby@ubuntu.com-20101012113435-9lnsrh0i3mxozbt0
Tags: upstream-1.2.3
ImportĀ upstreamĀ versionĀ 1.2.3

Show diffs side-by-side

added added

removed removed

Lines of Context:
tests/regressiontests/csrf_tests/tests.py
3
3
from django.test import TestCase
4
4
from django.http import HttpRequest, HttpResponse
5
5
from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
6
 
from django.views.decorators.csrf import csrf_exempt
 
6
from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
7
7
from django.core.context_processors import csrf
8
8
from django.contrib.sessions.middleware import SessionMiddleware
9
9
from django.utils.importlib import import_module
12
12
 
13
13
# Response/views used for CsrfResponseMiddleware and CsrfViewMiddleware tests
14
14
def post_form_response():
15
 
    resp = HttpResponse(content="""
16
 
<html><body><form method="post"><input type="text" /></form></body></html>
 
15
    resp = HttpResponse(content=u"""
 
16
<html><body><h1>\u00a1Unicode!<form method="post"><input type="text" /></form></body></html>
17
17
""", mimetype="text/html")
18
18
    return resp
19
19
 
56
56
        return getattr(self, '_is_secure', False)
57
57
 
58
58
class CsrfMiddlewareTest(TestCase):
 
59
    # The csrf token is potentially from an untrusted source, so could have
 
60
    # characters that need dealing with.
 
61
    _csrf_id_cookie = "<1>\xc2\xa1"
59
62
    _csrf_id = "1"
60
63
 
61
64
    # This is a valid session token for this ID and secret key.  This was generated using
71
74
 
72
75
    def _get_GET_csrf_cookie_request(self):
73
76
        req = TestingHttpRequest()
74
 
        req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id
 
77
        req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie
75
78
        return req
76
79
 
77
80
    def _get_POST_csrf_cookie_request(self):
123
126
        # Check the Vary header got patched correctly
124
127
        self.assert_('Cookie' in resp2.get('Vary',''))
125
128
 
 
129
    def test_process_response_for_exempt_view(self):
 
130
        """
 
131
        Check that a view decorated with 'csrf_view_exempt' is still
 
132
        post-processed to add the CSRF token.
 
133
        """
 
134
        req = self._get_GET_no_csrf_cookie_request()
 
135
        CsrfMiddleware().process_view(req, csrf_view_exempt(post_form_view), (), {})
 
136
 
 
137
        resp = post_form_response()
 
138
        resp_content = resp.content # needed because process_response modifies resp
 
139
        resp2 = CsrfMiddleware().process_response(req, resp)
 
140
 
 
141
        csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
 
142
        self.assertNotEqual(csrf_cookie, False)
 
143
        self.assertNotEqual(resp_content, resp2.content)
 
144
        self._check_token_present(resp2, csrf_cookie.value)
 
145
 
126
146
    def test_process_response_no_csrf_cookie_view_only_get_token_used(self):
127
147
        """
128
148
        When no prior CSRF cookie exists, check that the cookie is created, even
187
207
        """
188
208
        Check that no post processing is done for an exempt view
189
209
        """
190
 
        req = self._get_POST_csrf_cookie_request()
191
 
        resp = csrf_exempt(post_form_view)(req)
 
210
        req = self._get_GET_csrf_cookie_request()
 
211
        view = csrf_exempt(post_form_view)
 
212
        CsrfMiddleware().process_view(req, view, (), {})
 
213
 
 
214
        resp = view(req)
192
215
        resp_content = resp.content
193
216
        resp2 = CsrfMiddleware().process_response(req, resp)
194
217
        self.assertEquals(resp_content, resp2.content)
270
293
        resp = token_view(req)
271
294
        self.assertEquals(u"", resp.content)
272
295
 
 
296
    def test_token_node_empty_csrf_cookie(self):
 
297
        """
 
298
        Check that we get a new token if the csrf_cookie is the empty string
 
299
        """
 
300
        req = self._get_GET_no_csrf_cookie_request()
 
301
        req.COOKIES[settings.CSRF_COOKIE_NAME] = ""
 
302
        CsrfViewMiddleware().process_view(req, token_view, (), {})
 
303
        resp = token_view(req)
 
304
 
 
305
        self.assertNotEqual(u"", resp.content)
 
306
 
273
307
    def test_token_node_with_csrf_cookie(self):
274
308
        """
275
309
        Check that CsrfTokenNode works when a CSRF cookie is set
279
313
        resp = token_view(req)
280
314
        self._check_token_present(resp)
281
315
 
 
316
    def test_get_token_for_exempt_view(self):
 
317
        """
 
318
        Check that get_token still works for a view decorated with 'csrf_view_exempt'.
 
319
        """
 
320
        req = self._get_GET_csrf_cookie_request()
 
321
        CsrfViewMiddleware().process_view(req, csrf_view_exempt(token_view), (), {})
 
322
        resp = token_view(req)
 
323
        self._check_token_present(resp)
 
324
 
282
325
    def test_token_node_with_new_csrf_cookie(self):
283
326
        """
284
327
        Check that CsrfTokenNode works when a CSRF cookie is created by