Changeset 9553
- Timestamp:
- 12/02/08 18:31:31 (1 month ago)
- Files:
-
- django/trunk/django/contrib/csrf/middleware.py (modified) (3 diffs)
- django/trunk/django/contrib/csrf/tests.py (modified) (5 diffs)
django/trunk/django/contrib/csrf/middleware.py
r8193 r9553 24 24 return md5_constructor(settings.SECRET_KEY + session_id).hexdigest() 25 25 26 class CsrfMiddleware(object): 27 """Django middleware that adds protection against Cross Site 28 Request Forgeries by adding hidden form fields to POST forms and 29 checking requests for the correct value. 30 31 In the list of middlewares, SessionMiddleware is required, and must come 32 after this middleware. CsrfMiddleWare must come after compression 33 middleware. 34 35 If a session ID cookie is present, it is hashed with the SECRET_KEY 36 setting to create an authentication token. This token is added to all 37 outgoing POST forms and is expected on all incoming POST requests that 38 have a session ID cookie. 39 40 If you are setting cookies directly, instead of using Django's session 41 framework, this middleware will not work. 26 class CsrfViewMiddleware(object): 42 27 """ 43 44 def process_request(self, request): 28 Middleware that requires a present and correct csrfmiddlewaretoken 29 for POST requests that have an active session. 30 """ 31 def process_view(self, request, callback, callback_args, callback_kwargs): 45 32 if request.method == 'POST': 46 33 try: … … 62 49 return None 63 50 51 class CsrfResponseMiddleware(object): 52 """ 53 Middleware that post-processes a response to add a 54 csrfmiddlewaretoken if the response/request have an active 55 session. 56 """ 64 57 def process_response(self, request, response): 65 58 csrf_token = None … … 93 86 response.content = _POST_FORM_RE.sub(add_csrf_field, response.content) 94 87 return response 88 89 class CsrfMiddleware(CsrfViewMiddleware, CsrfResponseMiddleware): 90 """Django middleware that adds protection against Cross Site 91 Request Forgeries by adding hidden form fields to POST forms and 92 checking requests for the correct value. 93 94 In the list of middlewares, SessionMiddleware is required, and 95 must come after this middleware. CsrfMiddleWare must come after 96 compression middleware. 
97 98 If a session ID cookie is present, it is hashed with the 99 SECRET_KEY setting to create an authentication token. This token 100 is added to all outgoing POST forms and is expected on all 101 incoming POST requests that have a session ID cookie. 102 103 If you are setting cookies directly, instead of using Django's 104 session framework, this middleware will not work. 105 106 CsrfMiddleWare is composed of two middleware, CsrfViewMiddleware 107 and CsrfResponseMiddleware which can be used independently. 108 """ 109 pass django/trunk/django/contrib/csrf/tests.py
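Review bot: The new CsrfMiddleware docstring (lines 106-107) says the two halves "can be used independently", but only CsrfViewMiddleware enforces anything, while CsrfResponseMiddleware merely rewrites outgoing POST forms to carry the token (line 86), so a deployment that installs the response half alone gets no CSRF check at all; the docstring should state this, e.g. `CsrfViewMiddleware performs the check; CsrfResponseMiddleware only injects the hidden field and gives no protection on its own.` The new docstring text also keeps the misspelling `CsrfMiddleWare` on lines 95 and 106, which should read `CsrfMiddleware`, and the `pass` on line 109 is redundant once the class body has a docstring. The bodies of process_view and process_response are elided from this section, so whether process_view actually consults its callback arguments cannot be checked here.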
r9552 r9553 5 5 from django.contrib.csrf.middleware import CsrfMiddleware, _make_token 6 6 from django.conf import settings 7 7 8 8 9 class CsrfMiddlewareTest(TestCase): … … 47 48 self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id)) 48 49 50 def get_view(self): 51 def dummyview(request): 52 return self._get_post_form_response() 53 49 54 # Check the post processing 50 55 def test_process_response_no_session(self): … … 87 92 """ 88 93 req = self._get_POST_no_session_request() 89 req2 = CsrfMiddleware().process_ request(req)94 req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {}) 90 95 self.assertEquals(None, req2) 91 96 … … 95 100 """ 96 101 req = self._get_POST_session_request() 97 req2 = CsrfMiddleware().process_ request(req)102 req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {}) 98 103 self.assertEquals(HttpResponseForbidden, req2.__class__) 99 104 … … 103 108 """ 104 109 req = self._get_POST_session_request_with_token() 105 req2 = CsrfMiddleware().process_ request(req)110 req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {}) 106 111 self.assertEquals(None, req2)
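Review bot: The new `get_view` helper (lines 50-52) defines `dummyview` but never returns it, so every `self.get_view()` call on lines 94, 102 and 110 hands `None` to `process_view` as the view callback; it needs `return dummyview` after the inner def. The tests presumably still pass only because process_view (outside this section) ignores the callback, so the defect would surface the moment the view is consulted. `dummyview` also ignores its `request` argument, which is fine for a stub but deserves a one-line comment saying so. No test exercises CsrfViewMiddleware or CsrfResponseMiddleware on their own, which is what the split is meant to allow, so at least one case per class would pin the new contract.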
