| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788 |
- import logging
- import re
- from django.conf import settings
- from django.core.exceptions import ImproperlyConfigured
- from django.http import HttpRequest
- from django.middleware.csrf import (
- CSRF_SESSION_KEY, CSRF_TOKEN_LENGTH, REASON_BAD_TOKEN,
- REASON_NO_CSRF_COOKIE, CsrfViewMiddleware,
- _compare_salted_tokens as equivalent_tokens, get_token,
- )
- from django.test import SimpleTestCase, override_settings
- from django.test.utils import patch_logger
- from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
- from .views import (
- ensure_csrf_cookie_view, non_token_view_using_request_processor,
- post_form_view, token_view,
- )
- class TestingHttpRequest(HttpRequest):
- """
- A version of HttpRequest that allows us to change some things
- more easily
- """
- def __init__(self):
- super().__init__()
- # A real session backend isn't needed.
- self.session = {}
- def is_secure(self):
- return getattr(self, '_is_secure_override', False)
- class CsrfViewMiddlewareTestMixin:
- """
- Shared methods and tests for session-based and cookie-based tokens.
- """
- _csrf_id = _csrf_id_cookie = '1bcdefghij2bcdefghij3bcdefghij4bcdefghij5bcdefghij6bcdefghijABCD'
- mw = CsrfViewMiddleware()
- def _get_GET_no_csrf_cookie_request(self):
- return TestingHttpRequest()
- def _get_GET_csrf_cookie_request(self):
- raise NotImplementedError('This method must be implemented by a subclass.')
- def _get_POST_csrf_cookie_request(self):
- req = self._get_GET_csrf_cookie_request()
- req.method = "POST"
- return req
- def _get_POST_no_csrf_cookie_request(self):
- req = self._get_GET_no_csrf_cookie_request()
- req.method = "POST"
- return req
- def _get_POST_request_with_token(self):
- req = self._get_POST_csrf_cookie_request()
- req.POST['csrfmiddlewaretoken'] = self._csrf_id
- return req
- def _check_token_present(self, response, csrf_id=None):
- text = str(response.content, response.charset)
- match = re.search("name='csrfmiddlewaretoken' value='(.*?)'", text)
- csrf_token = csrf_id or self._csrf_id
- self.assertTrue(
- match and equivalent_tokens(csrf_token, match.group(1)),
- "Could not find csrfmiddlewaretoken to match %s" % csrf_token
- )
- def test_process_response_get_token_not_used(self):
- """
- If get_token() is not called, the view middleware does not
- add a cookie.
- """
- # This is important to make pages cacheable. Pages which do call
- # get_token(), assuming they use the token, are not cacheable because
- # the token is specific to the user
- req = self._get_GET_no_csrf_cookie_request()
- # non_token_view_using_request_processor does not call get_token(), but
- # does use the csrf request processor. By using this, we are testing
- # that the view processor is properly lazy and doesn't call get_token()
- # until needed.
- self.mw.process_request(req)
- self.mw.process_view(req, non_token_view_using_request_processor, (), {})
- resp = non_token_view_using_request_processor(req)
- resp2 = self.mw.process_response(req, resp)
- csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
- self.assertIs(csrf_cookie, False)
- # Check the request processing
- def test_process_request_no_csrf_cookie(self):
- """
- If no CSRF cookies is present, the middleware rejects the incoming
- request. This will stop login CSRF.
- """
- with patch_logger('django.security.csrf', 'warning') as logger_calls:
- req = self._get_POST_no_csrf_cookie_request()
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertEqual(403, req2.status_code)
- self.assertEqual(logger_calls[0], 'Forbidden (%s): ' % REASON_NO_CSRF_COOKIE)
- def test_process_request_csrf_cookie_no_token(self):
- """
- If a CSRF cookie is present but no token, the middleware rejects
- the incoming request.
- """
- with patch_logger('django.security.csrf', 'warning') as logger_calls:
- req = self._get_POST_csrf_cookie_request()
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertEqual(403, req2.status_code)
- self.assertEqual(logger_calls[0], 'Forbidden (%s): ' % REASON_BAD_TOKEN)
- def test_process_request_csrf_cookie_and_token(self):
- """
- If both a cookie and a token is present, the middleware lets it through.
- """
- req = self._get_POST_request_with_token()
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- def test_process_request_csrf_cookie_no_token_exempt_view(self):
- """
- If a CSRF cookie is present and no token, but the csrf_exempt decorator
- has been applied to the view, the middleware lets it through
- """
- req = self._get_POST_csrf_cookie_request()
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, csrf_exempt(post_form_view), (), {})
- self.assertIsNone(req2)
- def test_csrf_token_in_header(self):
- """
- The token may be passed in a header instead of in the form.
- """
- req = self._get_POST_csrf_cookie_request()
- req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- @override_settings(CSRF_HEADER_NAME='HTTP_X_CSRFTOKEN_CUSTOMIZED')
- def test_csrf_token_in_header_with_customized_name(self):
- """
- settings.CSRF_HEADER_NAME can be used to customize the CSRF header name
- """
- req = self._get_POST_csrf_cookie_request()
- req.META['HTTP_X_CSRFTOKEN_CUSTOMIZED'] = self._csrf_id
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- def test_put_and_delete_rejected(self):
- """
- HTTP PUT and DELETE methods have protection
- """
- req = TestingHttpRequest()
- req.method = 'PUT'
- with patch_logger('django.security.csrf', 'warning') as logger_calls:
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertEqual(403, req2.status_code)
- self.assertEqual(logger_calls[0], 'Forbidden (%s): ' % REASON_NO_CSRF_COOKIE)
- req = TestingHttpRequest()
- req.method = 'DELETE'
- with patch_logger('django.security.csrf', 'warning') as logger_calls:
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertEqual(403, req2.status_code)
- self.assertEqual(logger_calls[0], 'Forbidden (%s): ' % REASON_NO_CSRF_COOKIE)
- def test_put_and_delete_allowed(self):
- """
- HTTP PUT and DELETE can get through with X-CSRFToken and a cookie.
- """
- req = self._get_GET_csrf_cookie_request()
- req.method = 'PUT'
- req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- req = self._get_GET_csrf_cookie_request()
- req.method = 'DELETE'
- req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- # Tests for the template tag method
- def test_token_node_no_csrf_cookie(self):
- """
- CsrfTokenNode works when no CSRF cookie is set.
- """
- req = self._get_GET_no_csrf_cookie_request()
- resp = token_view(req)
- token = get_token(req)
- self.assertIsNotNone(token)
- self._check_token_present(resp, token)
- def test_token_node_empty_csrf_cookie(self):
- """
- A new token is sent if the csrf_cookie is the empty string.
- """
- req = self._get_GET_no_csrf_cookie_request()
- req.COOKIES[settings.CSRF_COOKIE_NAME] = ""
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- token = get_token(req)
- self.assertIsNotNone(token)
- self._check_token_present(resp, token)
- def test_token_node_with_csrf_cookie(self):
- """
- CsrfTokenNode works when a CSRF cookie is set.
- """
- req = self._get_GET_csrf_cookie_request()
- self.mw.process_request(req)
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- self._check_token_present(resp)
- def test_get_token_for_exempt_view(self):
- """
- get_token still works for a view decorated with 'csrf_exempt'.
- """
- req = self._get_GET_csrf_cookie_request()
- self.mw.process_request(req)
- self.mw.process_view(req, csrf_exempt(token_view), (), {})
- resp = token_view(req)
- self._check_token_present(resp)
- def test_get_token_for_requires_csrf_token_view(self):
- """
- get_token() works for a view decorated solely with requires_csrf_token.
- """
- req = self._get_GET_csrf_cookie_request()
- resp = requires_csrf_token(token_view)(req)
- self._check_token_present(resp)
- def test_token_node_with_new_csrf_cookie(self):
- """
- CsrfTokenNode works when a CSRF cookie is created by
- the middleware (when one was not already present)
- """
- req = self._get_GET_no_csrf_cookie_request()
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- resp2 = self.mw.process_response(req, resp)
- csrf_cookie = resp2.cookies[settings.CSRF_COOKIE_NAME]
- self._check_token_present(resp, csrf_id=csrf_cookie.value)
- def test_cookie_not_reset_on_accepted_request(self):
- """
- The csrf token used in posts is changed on every request (although
- stays equivalent). The csrf cookie should not change on accepted
- requests. If it appears in the response, it should keep its value.
- """
- req = self._get_POST_request_with_token()
- self.mw.process_request(req)
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- resp = self.mw.process_response(req, resp)
- csrf_cookie = resp.cookies.get(settings.CSRF_COOKIE_NAME, None)
- if csrf_cookie:
- self.assertEqual(
- csrf_cookie.value, self._csrf_id_cookie,
- "CSRF cookie was changed on an accepted request"
- )
- @override_settings(DEBUG=True, ALLOWED_HOSTS=['www.example.com'])
- def test_https_bad_referer(self):
- """
- A POST HTTPS request with a bad referer is rejected
- """
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_HOST'] = 'www.example.com'
- req.META['HTTP_REFERER'] = 'https://www.evil.org/somepage'
- req.META['SERVER_PORT'] = '443'
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertContains(
- response,
- 'Referer checking failed - https://www.evil.org/somepage does not '
- 'match any trusted origins.',
- status_code=403,
- )
- def test_https_malformed_host(self):
- """
- CsrfViewMiddleware generates a 403 response if it receives an HTTPS
- request with a bad host.
- """
- req = self._get_GET_no_csrf_cookie_request()
- req._is_secure_override = True
- req.META['HTTP_HOST'] = '@malformed'
- req.META['HTTP_REFERER'] = 'https://www.evil.org/somepage'
- req.META['SERVER_PORT'] = '443'
- response = self.mw.process_view(req, token_view, (), {})
- self.assertEqual(response.status_code, 403)
- @override_settings(DEBUG=True)
- def test_https_malformed_referer(self):
- """
- A POST HTTPS request with a bad referer is rejected.
- """
- malformed_referer_msg = 'Referer checking failed - Referer is malformed.'
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_REFERER'] = 'http://http://www.example.com/'
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertContains(
- response,
- 'Referer checking failed - Referer is insecure while host is secure.',
- status_code=403,
- )
- # Empty
- req.META['HTTP_REFERER'] = ''
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertContains(response, malformed_referer_msg, status_code=403)
- # Non-ASCII
- req.META['HTTP_REFERER'] = 'ØBöIß'
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertContains(response, malformed_referer_msg, status_code=403)
- # missing scheme
- # >>> urlparse('//example.com/')
- # ParseResult(scheme='', netloc='example.com', path='/', params='', query='', fragment='')
- req.META['HTTP_REFERER'] = '//example.com/'
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertContains(response, malformed_referer_msg, status_code=403)
- # missing netloc
- # >>> urlparse('https://')
- # ParseResult(scheme='https', netloc='', path='', params='', query='', fragment='')
- req.META['HTTP_REFERER'] = 'https://'
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertContains(response, malformed_referer_msg, status_code=403)
- @override_settings(ALLOWED_HOSTS=['www.example.com'])
- def test_https_good_referer(self):
- """
- A POST HTTPS request with a good referer is accepted.
- """
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_HOST'] = 'www.example.com'
- req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- @override_settings(ALLOWED_HOSTS=['www.example.com'])
- def test_https_good_referer_2(self):
- """
- A POST HTTPS request with a good referer is accepted where the referer
- contains no trailing slash.
- """
- # See ticket #15617
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_HOST'] = 'www.example.com'
- req.META['HTTP_REFERER'] = 'https://www.example.com'
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- def _test_https_good_referer_behind_proxy(self):
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META.update({
- 'HTTP_HOST': '10.0.0.2',
- 'HTTP_REFERER': 'https://www.example.com/somepage',
- 'SERVER_PORT': '8080',
- 'HTTP_X_FORWARDED_HOST': 'www.example.com',
- 'HTTP_X_FORWARDED_PORT': '443',
- })
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['dashboard.example.com'])
- def test_https_csrf_trusted_origin_allowed(self):
- """
- A POST HTTPS request with a referer added to the CSRF_TRUSTED_ORIGINS
- setting is accepted.
- """
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_HOST'] = 'www.example.com'
- req.META['HTTP_REFERER'] = 'https://dashboard.example.com'
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(req2)
- @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['.example.com'])
- def test_https_csrf_wildcard_trusted_origin_allowed(self):
- """
- A POST HTTPS request with a referer that matches a CSRF_TRUSTED_ORIGINS
- wildcard is accepted.
- """
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_HOST'] = 'www.example.com'
- req.META['HTTP_REFERER'] = 'https://dashboard.example.com'
- self.mw.process_request(req)
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(response)
- def _test_https_good_referer_matches_cookie_domain(self):
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_REFERER'] = 'https://foo.example.com/'
- req.META['SERVER_PORT'] = '443'
- self.mw.process_request(req)
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(response)
- def _test_https_good_referer_matches_cookie_domain_with_different_port(self):
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_HOST'] = 'www.example.com'
- req.META['HTTP_REFERER'] = 'https://foo.example.com:4443/'
- req.META['SERVER_PORT'] = '4443'
- self.mw.process_request(req)
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(response)
- def test_ensures_csrf_cookie_no_logging(self):
- """
- ensure_csrf_cookie() doesn't log warnings (#19436).
- """
- class TestHandler(logging.Handler):
- def emit(self, record):
- raise Exception("This shouldn't have happened!")
- logger = logging.getLogger('django.request')
- test_handler = TestHandler()
- old_log_level = logger.level
- try:
- logger.addHandler(test_handler)
- logger.setLevel(logging.WARNING)
- req = self._get_GET_no_csrf_cookie_request()
- ensure_csrf_cookie_view(req)
- finally:
- logger.removeHandler(test_handler)
- logger.setLevel(old_log_level)
- def test_post_data_read_failure(self):
- """
- #20128 -- IOErrors during POST data reading should be caught and
- treated as if the POST data wasn't there.
- """
- class CsrfPostRequest(HttpRequest):
- """
- HttpRequest that can raise an IOError when accessing POST data
- """
- def __init__(self, token, raise_error):
- super().__init__()
- self.method = 'POST'
- self.raise_error = False
- self.COOKIES[settings.CSRF_COOKIE_NAME] = token
- # Handle both cases here to prevent duplicate code in the
- # session tests.
- self.session = {}
- self.session[CSRF_SESSION_KEY] = token
- self.POST['csrfmiddlewaretoken'] = token
- self.raise_error = raise_error
- def _load_post_and_files(self):
- raise IOError('error reading input data')
- def _get_post(self):
- if self.raise_error:
- self._load_post_and_files()
- return self._post
- def _set_post(self, post):
- self._post = post
- POST = property(_get_post, _set_post)
- token = ('ABC' + self._csrf_id)[:CSRF_TOKEN_LENGTH]
- req = CsrfPostRequest(token, raise_error=False)
- self.mw.process_request(req)
- resp = self.mw.process_view(req, post_form_view, (), {})
- self.assertIsNone(resp)
- req = CsrfPostRequest(token, raise_error=True)
- with patch_logger('django.security.csrf', 'warning') as logger_calls:
- self.mw.process_request(req)
- resp = self.mw.process_view(req, post_form_view, (), {})
- self.assertEqual(resp.status_code, 403)
- self.assertEqual(logger_calls[0], 'Forbidden (%s): ' % REASON_BAD_TOKEN)
- class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
- def _get_GET_csrf_cookie_request(self):
- req = TestingHttpRequest()
- req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie
- return req
- def _get_POST_bare_secret_csrf_cookie_request(self):
- req = self._get_POST_no_csrf_cookie_request()
- req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie[:32]
- return req
- def _get_POST_bare_secret_csrf_cookie_request_with_token(self):
- req = self._get_POST_bare_secret_csrf_cookie_request()
- req.POST['csrfmiddlewaretoken'] = self._csrf_id_cookie[:32]
- return req
- def test_ensures_csrf_cookie_no_middleware(self):
- """
- The ensure_csrf_cookie() decorator works without middleware.
- """
- req = self._get_GET_no_csrf_cookie_request()
- resp = ensure_csrf_cookie_view(req)
- self.assertTrue(resp.cookies.get(settings.CSRF_COOKIE_NAME, False))
- self.assertIn('Cookie', resp.get('Vary', ''))
- def test_ensures_csrf_cookie_with_middleware(self):
- """
- The ensure_csrf_cookie() decorator works with the CsrfViewMiddleware
- enabled.
- """
- req = self._get_GET_no_csrf_cookie_request()
- self.mw.process_view(req, ensure_csrf_cookie_view, (), {})
- resp = ensure_csrf_cookie_view(req)
- resp2 = self.mw.process_response(req, resp)
- self.assertTrue(resp2.cookies.get(settings.CSRF_COOKIE_NAME, False))
- self.assertIn('Cookie', resp2.get('Vary', ''))
- def test_csrf_cookie_age(self):
- """
- CSRF cookie age can be set using settings.CSRF_COOKIE_AGE.
- """
- req = self._get_GET_no_csrf_cookie_request()
- MAX_AGE = 123
- with self.settings(CSRF_COOKIE_NAME='csrfcookie',
- CSRF_COOKIE_DOMAIN='.example.com',
- CSRF_COOKIE_AGE=MAX_AGE,
- CSRF_COOKIE_PATH='/test/',
- CSRF_COOKIE_SECURE=True,
- CSRF_COOKIE_HTTPONLY=True):
- # token_view calls get_token() indirectly
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- resp2 = self.mw.process_response(req, resp)
- max_age = resp2.cookies.get('csrfcookie').get('max-age')
- self.assertEqual(max_age, MAX_AGE)
- def test_csrf_cookie_age_none(self):
- """
- CSRF cookie age does not have max age set and therefore uses
- session-based cookies.
- """
- req = self._get_GET_no_csrf_cookie_request()
- MAX_AGE = None
- with self.settings(CSRF_COOKIE_NAME='csrfcookie',
- CSRF_COOKIE_DOMAIN='.example.com',
- CSRF_COOKIE_AGE=MAX_AGE,
- CSRF_COOKIE_PATH='/test/',
- CSRF_COOKIE_SECURE=True,
- CSRF_COOKIE_HTTPONLY=True):
- # token_view calls get_token() indirectly
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- resp2 = self.mw.process_response(req, resp)
- max_age = resp2.cookies.get('csrfcookie').get('max-age')
- self.assertEqual(max_age, '')
- def test_csrf_cookie_samesite(self):
- req = self._get_GET_no_csrf_cookie_request()
- with self.settings(CSRF_COOKIE_NAME='csrfcookie', CSRF_COOKIE_SAMESITE='Strict'):
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- resp2 = self.mw.process_response(req, resp)
- self.assertEqual(resp2.cookies['csrfcookie']['samesite'], 'Strict')
- def test_process_view_token_too_long(self):
- """
- If the token is longer than expected, it is ignored and a new token is
- created.
- """
- req = self._get_GET_no_csrf_cookie_request()
- req.COOKIES[settings.CSRF_COOKIE_NAME] = 'x' * 100000
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- resp2 = self.mw.process_response(req, resp)
- csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
- self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
- def test_process_view_token_invalid_chars(self):
- """
- If the token contains non-alphanumeric characters, it is ignored and a
- new token is created.
- """
- token = ('!@#' + self._csrf_id)[:CSRF_TOKEN_LENGTH]
- req = self._get_GET_no_csrf_cookie_request()
- req.COOKIES[settings.CSRF_COOKIE_NAME] = token
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- resp2 = self.mw.process_response(req, resp)
- csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
- self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
- self.assertNotEqual(csrf_cookie.value, token)
- def test_bare_secret_accepted_and_replaced(self):
- """
- The csrf token is reset from a bare secret.
- """
- req = self._get_POST_bare_secret_csrf_cookie_request_with_token()
- self.mw.process_request(req)
- req2 = self.mw.process_view(req, token_view, (), {})
- self.assertIsNone(req2)
- resp = token_view(req)
- resp = self.mw.process_response(req, resp)
- self.assertIn(settings.CSRF_COOKIE_NAME, resp.cookies, "Cookie was not reset from bare secret")
- csrf_cookie = resp.cookies[settings.CSRF_COOKIE_NAME]
- self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
- self._check_token_present(resp, csrf_id=csrf_cookie.value)
- @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True)
- def test_https_good_referer_behind_proxy(self):
- """
- A POST HTTPS request is accepted when USE_X_FORWARDED_PORT=True.
- """
- self._test_https_good_referer_behind_proxy()
- @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com')
- def test_https_good_referer_matches_cookie_domain(self):
- """
- A POST HTTPS request with a good referer should be accepted from a
- subdomain that's allowed by CSRF_COOKIE_DOMAIN.
- """
- self._test_https_good_referer_matches_cookie_domain()
- @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com')
- def test_https_good_referer_matches_cookie_domain_with_different_port(self):
- """
- A POST HTTPS request with a good referer should be accepted from a
- subdomain that's allowed by CSRF_COOKIE_DOMAIN and a non-443 port.
- """
- self._test_https_good_referer_matches_cookie_domain_with_different_port()
- @override_settings(CSRF_COOKIE_DOMAIN='.example.com', DEBUG=True)
- def test_https_reject_insecure_referer(self):
- """
- A POST HTTPS request from an insecure referer should be rejected.
- """
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_REFERER'] = 'http://example.com/'
- req.META['SERVER_PORT'] = '443'
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertContains(
- response,
- 'Referer checking failed - Referer is insecure while host is secure.',
- status_code=403,
- )
- @override_settings(CSRF_USE_SESSIONS=True, CSRF_COOKIE_DOMAIN=None)
- class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
- """
- CSRF tests with CSRF_USE_SESSIONS=True.
- """
- def _get_POST_bare_secret_csrf_cookie_request(self):
- req = self._get_POST_no_csrf_cookie_request()
- req.session[CSRF_SESSION_KEY] = self._csrf_id_cookie[:32]
- return req
- def _get_GET_csrf_cookie_request(self):
- req = TestingHttpRequest()
- req.session[CSRF_SESSION_KEY] = self._csrf_id_cookie
- return req
- def test_no_session_on_request(self):
- msg = (
- 'CSRF_USE_SESSIONS is enabled, but request.session is not set. '
- 'SessionMiddleware must appear before CsrfViewMiddleware in MIDDLEWARE.'
- )
- with self.assertRaisesMessage(ImproperlyConfigured, msg):
- self.mw.process_request(HttpRequest())
- def test_process_response_get_token_used(self):
- """The ensure_csrf_cookie() decorator works without middleware."""
- req = self._get_GET_no_csrf_cookie_request()
- ensure_csrf_cookie_view(req)
- self.assertTrue(req.session.get(CSRF_SESSION_KEY, False))
- def test_ensures_csrf_cookie_with_middleware(self):
- """
- The ensure_csrf_cookie() decorator works with the CsrfViewMiddleware
- enabled.
- """
- req = self._get_GET_no_csrf_cookie_request()
- self.mw.process_view(req, ensure_csrf_cookie_view, (), {})
- resp = ensure_csrf_cookie_view(req)
- self.mw.process_response(req, resp)
- self.assertTrue(req.session.get(CSRF_SESSION_KEY, False))
- def test_token_node_with_new_csrf_cookie(self):
- """
- CsrfTokenNode works when a CSRF cookie is created by the middleware
- (when one was not already present).
- """
- req = self._get_GET_no_csrf_cookie_request()
- self.mw.process_view(req, token_view, (), {})
- resp = token_view(req)
- self.mw.process_response(req, resp)
- csrf_cookie = req.session[CSRF_SESSION_KEY]
- self._check_token_present(resp, csrf_id=csrf_cookie)
- @override_settings(
- ALLOWED_HOSTS=['www.example.com'],
- SESSION_COOKIE_DOMAIN='.example.com',
- USE_X_FORWARDED_PORT=True,
- DEBUG=True,
- )
- def test_https_good_referer_behind_proxy(self):
- """
- A POST HTTPS request is accepted when USE_X_FORWARDED_PORT=True.
- """
- self._test_https_good_referer_behind_proxy()
- @override_settings(ALLOWED_HOSTS=['www.example.com'], SESSION_COOKIE_DOMAIN='.example.com')
- def test_https_good_referer_matches_cookie_domain(self):
- """
- A POST HTTPS request with a good referer should be accepted from a
- subdomain that's allowed by SESSION_COOKIE_DOMAIN.
- """
- self._test_https_good_referer_matches_cookie_domain()
- @override_settings(ALLOWED_HOSTS=['www.example.com'], SESSION_COOKIE_DOMAIN='.example.com')
- def test_https_good_referer_matches_cookie_domain_with_different_port(self):
- """
- A POST HTTPS request with a good referer should be accepted from a
- subdomain that's allowed by SESSION_COOKIE_DOMAIN and a non-443 port.
- """
- self._test_https_good_referer_matches_cookie_domain_with_different_port()
- @override_settings(SESSION_COOKIE_DOMAIN='.example.com', DEBUG=True)
- def test_https_reject_insecure_referer(self):
- """
- A POST HTTPS request from an insecure referer should be rejected.
- """
- req = self._get_POST_request_with_token()
- req._is_secure_override = True
- req.META['HTTP_REFERER'] = 'http://example.com/'
- req.META['SERVER_PORT'] = '443'
- response = self.mw.process_view(req, post_form_view, (), {})
- self.assertContains(
- response,
- 'Referer checking failed - Referer is insecure while host is secure.',
- status_code=403,
- )
- @override_settings(ROOT_URLCONF='csrf_tests.csrf_token_error_handler_urls', DEBUG=False)
- class CsrfInErrorHandlingViewsTests(SimpleTestCase):
- def test_csrf_token_on_404_stays_constant(self):
- response = self.client.get('/does not exist/')
- # The error handler returns status code 599.
- self.assertEqual(response.status_code, 599)
- token1 = response.content
- response = self.client.get('/does not exist/')
- self.assertEqual(response.status_code, 599)
- token2 = response.content
- self.assertTrue(equivalent_tokens(token1.decode('ascii'), token2.decode('ascii')))
|
