author | Chris Jerdonek <chris.jerdonek@gmail.com> | 2021-04-05 16:51:53 -0700 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-05-27 10:53:20 +0200 |
commit | 02c59b7a4355fda8c99224b5de9c0a3929bffe22 (patch) | |
tree | ef7dc85ab512692a1c26c614e6431192f2c8ca3c /tests/csrf_tests | |
parent | e513fb0e77baf2ebcbf2cbe366bdf0228d01119f (diff) | |
Refs #32596 -- Added extra tests for CsrfViewMiddleware's referer logic.
Diffstat (limited to 'tests/csrf_tests')
-rw-r--r-- | tests/csrf_tests/tests.py | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 810c869690..5425c50fca 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -305,6 +305,19 @@ class CsrfViewMiddlewareTestMixin:
             status_code=403,
         )
 
+    @override_settings(DEBUG=True)
+    def test_https_no_referer(self):
+        """A POST HTTPS request with a missing referer is rejected."""
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        mw = CsrfViewMiddleware(post_form_view)
+        response = mw.process_view(req, post_form_view, (), {})
+        self.assertContains(
+            response,
+            'Referer checking failed - no Referer.',
+            status_code=403,
+        )
+
     def test_https_malformed_host(self):
         """
         CsrfViewMiddleware generates a 403 response if it receives an HTTPS
@@ -416,6 +429,21 @@ class CsrfViewMiddlewareTestMixin:
         resp = mw.process_view(req, post_form_view, (), {})
         self.assertIsNone(resp)
 
+    @override_settings(CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
+    def test_https_good_referer_malformed_host(self):
+        """
+        A POST HTTPS request is accepted if it receives a good referer with
+        a bad host.
+        """
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = '@malformed'
+        req.META['HTTP_REFERER'] = 'https://dashboard.example.com/somepage'
+        mw = CsrfViewMiddleware(post_form_view)
+        mw.process_request(req)
+        resp = mw.process_view(req, post_form_view, (), {})
+        self.assertIsNone(resp)
+
     @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com'])
     def test_https_csrf_trusted_origin_allowed(self):
         """
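Review bot: In test_https_no_referer the "missing referer" precondition is never established by the test itself; it is inherited from whatever `_get_POST_request_with_token()` leaves in `req.META`, so a later change to that helper (or a `HTTP_REFERER` default in the request factory) would silently turn this into a test of a different branch. I would pin it explicitly before building the middleware, `req.META.pop('HTTP_REFERER', None)` or at least `self.assertNotIn('HTTP_REFERER', req.META)`, so the 403 is demonstrably caused by the absent header rather than by something else in the referer chain. The docstring could also say why `DEBUG=True` is on: the assertion matches the failure reason in the response body, and that text presumably only appears in the debug variant of the CSRF failure view, e.g. `"""A POST HTTPS request with no Referer header is rejected (DEBUG=True so the failure reason is rendered in the 403 body)."""`. The surrounding class CsrfViewMiddlewareTestMixin continues outside the hunk.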
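Review bot: The docstring of test_https_good_referer_malformed_host, "a good referer with a bad host", reads as if the Referer's host were the bad one, whereas the test sets the request's own `HTTP_HOST` to `'@malformed'` and a well-formed Referer that is on the CSRF_TRUSTED_ORIGINS list. It should state the security-relevant fact the test pins, namely that a trusted-origin Referer match is accepted without the request's own Host header being consulted, e.g. `"""A POST HTTPS request whose own Host header is malformed is still accepted when the Referer matches CSRF_TRUSTED_ORIGINS; the trusted-origin match is sufficient on its own."""`. A one-line comment next to the `req.META['HTTP_HOST'] = '@malformed'` assignment would also help an auditor, since a malformed Host being let through here is only safe if it is rejected elsewhere (presumably by ALLOWED_HOSTS validation), which this test does not exercise. Note too that this test calls `mw.process_request(req)` while test_https_no_referer in the first hunk does not; if that is deliberate because the accept path needs the CSRF cookie populated, a short comment would save the next reader from guessing.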