authorChris Jerdonek <chris.jerdonek@gmail.com>2021-06-08 02:19:24 -0700
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-06-23 16:07:07 +0200
commit1a284afb07ad8806b29044a8cdd0d0bb20165fa4 (patch)
tree0029a6ab48d859b315ef11ab1a17dc1a77a276e7 /tests/csrf_tests
parent6837bd68a44ee8676a522bfe6121bd3e82cea677 (diff)
downloaddjango-1a284afb07ad8806b29044a8cdd0d0bb20165fa4.tar.gz
Refs #32817 -- Added tests for bad CSRF token provided via X-CSRFToken or custom header.
Diffstat (limited to 'tests/csrf_tests')
-rw-r--r--tests/csrf_tests/tests.py44
1 files changed, 35 insertions, 9 deletions
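diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 9b41b5bd8c..a028b56d08 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -125,8 +125,14 @@ class CsrfViewMiddlewareTestMixin:
 """
 self._check_bad_or_missing_cookie(None, REASON_NO_CSRF_COOKIE)
-def _check_bad_or_missing_token(self, expected, token=None):
-req = self._get_POST_csrf_cookie_request(post_token=token)
+def _check_bad_or_missing_token(
+self, expected, post_token=None, meta_token=None, token_header=None,
+):
+req = self._get_POST_csrf_cookie_request(
+post_token=post_token,
+meta_token=meta_token,
+token_header=token_header,
+)
 mw = CsrfViewMiddleware(post_form_view)
 mw.process_request(req)
 with self.assertLogs('django.security.csrf', 'WARNING') as cm:
@@ -140,14 +146,34 @@ class CsrfViewMiddlewareTestMixin:
 middleware rejects the incoming request.
 """
 cases = [
-(None, REASON_CSRF_TOKEN_MISSING),
-(64 * '*', 'CSRF token has invalid characters.'),
-(16 * 'a', 'CSRF token has incorrect length.'),
-(64 * 'a', 'CSRF token incorrect.'),
+(None, None, REASON_CSRF_TOKEN_MISSING),
+(16 * 'a', None, 'CSRF token has incorrect length.'),
+(64 * '*', None, 'CSRF token has invalid characters.'),
+(64 * 'a', None, 'CSRF token incorrect.'),
+(None, 16 * 'a', 'CSRF token has incorrect length.'),
+(None, 64 * '*', 'CSRF token has invalid characters.'),
+(None, 64 * 'a', 'CSRF token incorrect.'),
 ]
-for token, expected in cases:
-with self.subTest(token=token):
-self._check_bad_or_missing_token(expected, token)
+for post_token, meta_token, expected in cases:
+with self.subTest(post_token=post_token, meta_token=meta_token):
+self._check_bad_or_missing_token(
+expected,
+post_token=post_token,
+meta_token=meta_token,
+)
+
+@override_settings(CSRF_HEADER_NAME='HTTP_X_CSRFTOKEN_CUSTOMIZED')
+def test_csrf_cookie_bad_token_custom_header(self):
+"""
+If a CSRF cookie is present and an invalid token is passed via a
+custom CSRF_HEADER_NAME, the middleware rejects the incoming request.
+"""
+expected = 'CSRF token has incorrect length.'
+self._check_bad_or_missing_token(
+expected,
+meta_token=16 * 'a',
+token_header='HTTP_X_CSRFTOKEN_CUSTOMIZED',
+)
 def test_process_request_csrf_cookie_and_token(self):
 """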
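Review bot: `test_csrf_cookie_bad_token_custom_header` only exercises the incorrect-length path through the renamed header, while the cases list in `test_csrf_cookie_bad_token` just above enumerates three bad-token classes per channel, so the invalid-characters and incorrect-token classes are never sent through a custom `CSRF_HEADER_NAME`. The more security-relevant omission is the negative case: once `CSRF_HEADER_NAME` is overridden, a token arriving in the default `HTTP_X_CSRFTOKEN` header should be ignored and the request rejected with `REASON_CSRF_TOKEN_MISSING`, and nothing here checks that the old header name has actually stopped being honoured. Assuming `token_header` selects the META key that `_get_POST_csrf_cookie_request` (defined outside this hunk) stores `meta_token` under, one more call in the same test covers it: `self._check_bad_or_missing_token(REASON_CSRF_TOKEN_MISSING, meta_token=64 * 'a', token_header='HTTP_X_CSRFTOKEN')`. The three per-channel cases could likewise be reused rather than hand-picked by letting the loop in `test_csrf_cookie_bad_token` pass the configured header name, so a custom header is exercised against every rejection reason.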