Diffstat (limited to 'django/contrib/csrf/middleware.py')
-rw-r--r--django/contrib/csrf/middleware.py53
1 files changed, 27 insertions, 26 deletions
diff --git a/django/contrib/csrf/middleware.py b/django/contrib/csrf/middleware.py
index 1a75a5d6ab..24c1511c91 100644
--- a/django/contrib/csrf/middleware.py
+++ b/django/contrib/csrf/middleware.py
@@ -2,44 +2,45 @@
Cross Site Request Forgery Middleware.
This module provides a middleware that implements protection
-against request forgeries from other sites.
-
+against request forgeries from other sites.
"""
+
+import re
+import itertools
+
from django.conf import settings
from django.http import HttpResponseForbidden
+from django.utils.hashcompat import md5_constructor
from django.utils.safestring import mark_safe
-import md5
-import re
-import itertools
_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
_POST_FORM_RE = \
re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)
-
-_HTML_TYPES = ('text/html', 'application/xhtml+xml')
+
+_HTML_TYPES = ('text/html', 'application/xhtml+xml')
def _make_token(session_id):
- return md5.new(settings.SECRET_KEY + session_id).hexdigest()
+ return md5_constructor(settings.SECRET_KEY + session_id).hexdigest()
class CsrfMiddleware(object):
"""Django middleware that adds protection against Cross Site
- Request Forgeries by adding hidden form fields to POST forms and
- checking requests for the correct value.
-
- In the list of middlewares, SessionMiddleware is required, and must come
- after this middleware. CsrfMiddleWare must come after compression
+ Request Forgeries by adding hidden form fields to POST forms and
+ checking requests for the correct value.
+
+ In the list of middlewares, SessionMiddleware is required, and must come
+ after this middleware. CsrfMiddleWare must come after compression
middleware.
-
- If a session ID cookie is present, it is hashed with the SECRET_KEY
- setting to create an authentication token. This token is added to all
- outgoing POST forms and is expected on all incoming POST requests that
+
+ If a session ID cookie is present, it is hashed with the SECRET_KEY
+ setting to create an authentication token. This token is added to all
+ outgoing POST forms and is expected on all incoming POST requests that
have a session ID cookie.
-
- If you are setting cookies directly, instead of using Django's session
+
+ If you are setting cookies directly, instead of using Django's session
framework, this middleware will not work.
"""
-
+
def process_request(self, request):
if request.method == 'POST':
try:
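Review bot: The new `_make_token` line only swaps `md5.new` for `md5_constructor`; the token is still an unkeyed MD5 over the bare concatenation `settings.SECRET_KEY + session_id`, which is not a MAC. A plain Merkle–Damgård hash of secret-prefixed input is subject to length extension and has no domain separation between the key and the session id, so the secret is doing less work than the docstring's "authentication token" suggests. Since the stdlib `hmac` module is already available, a keyed derivation such as `hmac.new(settings.SECRET_KEY, session_id, md5_constructor).hexdigest()` (plus `import hmac` in the import block this hunk reorders) would be the stronger construction; it changes every issued token, so it is a deliberate follow-up rather than part of this compat refactor. `process_request` starts at the bottom of this hunk and its body continues in the next one.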
@@ -54,10 +55,10 @@ class CsrfMiddleware(object):
request_csrf_token = request.POST['csrfmiddlewaretoken']
except KeyError:
return HttpResponseForbidden(_ERROR_MSG)
-
+
if request_csrf_token != csrf_token:
return HttpResponseForbidden(_ERROR_MSG)
-
+
return None
def process_response(self, request, response):
@@ -66,7 +67,7 @@ class CsrfMiddleware(object):
cookie = response.cookies[settings.SESSION_COOKIE_NAME]
csrf_token = _make_token(cookie.value)
except KeyError:
- # No outgoing cookie to set session, but
+ # No outgoing cookie to set session, but
# a session might already exist.
try:
session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
@@ -74,12 +75,12 @@ class CsrfMiddleware(object):
except KeyError:
# no incoming or outgoing cookie
pass
-
+
if csrf_token is not None and \
response['Content-Type'].split(';')[0] in _HTML_TYPES:
-
+
# ensure we don't add the 'id' attribute twice (HTML validity)
- idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),
+ idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),
itertools.repeat(''))
def add_csrf_field(match):
"""Returns the matched <form> tag plus the added <input> element"""