author | Shai Berger <shai@platonix.com> | 2015-11-07 18:35:45 +0200 |
---|---|---|
committer | Shai Berger <shai@platonix.com> | 2016-05-19 05:02:19 +0300 |
commit | 5112e65ef2df1dbb95ff83026b6a962fb2688661 (patch) | |
tree | 4a657b0b1ac93e8b269890374caccdf495b45160 /tests/template_backends | |
parent | 6d9c5d46e644a8ef93b0227fc710e09394a03992 (diff) | |
download | django-5112e65ef2df1dbb95ff83026b6a962fb2688661.tar.gz |
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
Diffstat (limited to 'tests/template_backends')
-rw-r--r-- | tests/template_backends/test_dummy.py | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/tests/template_backends/test_dummy.py b/tests/template_backends/test_dummy.py
index e6e60e71a2..83b42c7eb4 100644
--- a/tests/template_backends/test_dummy.py
+++ b/tests/template_backends/test_dummy.py
@@ -2,9 +2,13 @@
 from __future__ import unicode_literals
+import re
+
 from django.forms import CharField, Form, Media
 from django.http import HttpRequest
-from django.middleware.csrf import CsrfViewMiddleware, get_token
+from django.middleware.csrf import (
+    CsrfViewMiddleware, _compare_salted_tokens as equivalent_tokens, get_token,
+)
 from django.template import TemplateDoesNotExist, TemplateSyntaxError
 from django.template.backends.dummy import TemplateStrings
 from django.test import SimpleTestCase
@@ -81,11 +85,10 @@ class TemplateStringsTests(SimpleTestCase):
         template = self.engine.get_template('template_backends/csrf.html')
         content = template.render(request=request)
-        expected = (
-            '<input type="hidden" name="csrfmiddlewaretoken" '
-            'value="{}" />'.format(get_token(request)))
-
-        self.assertHTMLEqual(content, expected)
+        expected = '<input type="hidden" name="csrfmiddlewaretoken" value="([^"]+)" />'
+        match = re.match(expected, content) or re.match(expected.replace('"', "'"), content)
+        self.assertTrue(match, "hidden csrftoken field not found in output")
+        self.assertTrue(equivalent_tokens(match.group(1), get_token(request)))
     def test_no_directory_traversal(self):
         with self.assertRaises(TemplateDoesNotExist):
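Review bot: The capture group `([^"]+)` on the new `expected` line accepts any token text, so the test never checks the `[A-Za-z0-9]{64}` shape that the commit message says is now the only valid form; unless that is pinned in the csrf test module (outside this diffstat), adding `self.assertTrue(re.match(r'^[A-Za-z0-9]{64}$', match.group(1)))` after the match check would cover it here with the `re` import the first hunk already adds. The first hunk also imports the private `_compare_salted_tokens`, which ties this template test to an internal name; a comment on the import such as `# private helper: tokens from the same request differ textually but must compare equal` would explain why a plain string comparison is no longer possible. The test does not assert that the rendered token actually differs from a second `get_token(request)` value, which is the per-request rotation the commit introduces — this may be covered elsewhere, but it is the behaviour this template-level test is best placed to observe. The enclosing test method's signature sits above the hunk.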