~ubuntu-branches/ubuntu/quantal/python-django/quantal-security

Viewing changes to django/views/csrf.py

  • Committer: Bazaar Package Importer
  • Author(s): Jamie Strandboge
  • Date: 2010-10-12 11:34:35 UTC
  • mfrom: (4.4.9 sid)
  • mto: This revision was merged to the branch mainline in revision 30.
  • Revision ID: james.westby@ubuntu.com-20101012113435-5rk3p18nyanuhj6g
* SECURITY UPDATE: XSS in CSRF protections. New upstream release
  - CVE-2010-3082
* debian/patches/01_disable_url_verify_regression_tests.diff:
  - updated to disable another test that fails without internet connection
  - patch based on work by Kai Kasurinen and Krzysztof Klimonda
* debian/control: don't Build-Depends on locales-all, which doesn't exist
  in maverick

23
23
    h1 span { font-size:60%; color:#666; font-weight:normal; }
24
24
    #info { background:#f6f6f6; }
25
25
    #info ul { margin: 0.5em 4em; }
26
 
    #info p { padding-top:10px; }
 
26
    #info p, #summary p { padding-top:10px; }
27
27
    #summary { background: #ffc; }
28
28
    #explanation { background:#eee; border-bottom: 0px none; }
29
29
  </style>
32
32
<div id="summary">
33
33
  <h1>Forbidden <span>(403)</span></h1>
34
34
  <p>CSRF verification failed. Request aborted.</p>
 
35
{% if no_referer %}
 
36
  <p>You are seeing this message because this HTTPS site requires a 'Referer
 
37
   header' to be sent by your web browser, but none was sent. This header is
 
38
   required for security reasons, to ensure that your browser is not being
 
39
   hijacked by third parties.</p>
 
40
 
 
41
  <p>If you have configured your browser to disable 'Referer' headers, please
 
42
   re-enable them, at least for this site, or for HTTPS connections, or for
 
43
   'same-origin' requests.</p>
 
44
{% endif %}
35
45
</div>
36
46
{% if DEBUG %}
37
47
<div id="info">
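Review bot: the quoting of the header name is inconsistent between the two added paragraphs: the first says `requires a 'Referer` / `header' to be sent` (the quote spans the whole phrase and is split across two lines), while the second says `disable 'Referer' headers`. Quote only the header name in both places, e.g. `requires a 'Referer' header to be sent by your web browser`, so the rendered message reads cleanly and the name a user should look for in their browser settings is unambiguous. The `{% if no_referer %}` block is correctly placed inside `#summary` so it is shown regardless of `DEBUG`, which is appropriate since the text explains a client-side configuration problem rather than exposing any server detail.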
83
93
    """
84
94
    Default view used when request fails CSRF protection
85
95
    """
 
96
    from django.middleware.csrf import REASON_NO_REFERER
86
97
    t = Template(CSRF_FAILRE_TEMPLATE)
87
98
    c = Context({'DEBUG': settings.DEBUG,
88
 
                 'reason': reason})
 
99
                 'reason': reason,
 
100
                 'no_referer': reason == REASON_NO_REFERER
 
101
                 })
89
102
    return HttpResponseForbidden(t.render(c), mimetype='text/html')
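Review bot: the new `from django.middleware.csrf import REASON_NO_REFERER` is a function-level import while the other dependencies of this view are (by the look of `Template`, `Context`, `settings`) module-level; if the local import is there to avoid a circular import between `django.views.csrf` and `django.middleware.csrf`, say so in a one-line comment, otherwise hoist it to the top of the module with the rest. Deriving `no_referer` from `reason == REASON_NO_REFERER` is the right shape: the template branches on a boolean instead of interpolating the reason string, so the new user-facing paragraph cannot carry anything but fixed text. Unrelated to this change but in the surrounding context: the constant `CSRF_FAILRE_TEMPLATE` is misspelled (`FAILRE`); a rename to `CSRF_FAILURE_TEMPLATE` would be cheap while this file is being touched.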