Ticket #15258: csrf-put-delete.patch

File csrf-put-delete.patch, 1.4 KB (added by Brodie Rao, 15 years ago)

Minimal (and untested) patch to add PUT/DELETE protection

  • django/middleware/csrf.py 

    # HG changeset patch
# User Brodie Rao <brodie@bitheap.org>
# Date 1297297039 28800
# Branch releases/1.2.X
# Node ID 62ee79e7fcc8f220d8d34c0066083bbbf425f122
# Parent  61c0665bc6c15ed9db42a7ca5da2678efa551934
Apply CSRF checks to PUT and DELETE in addition to POST

diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
    a b class CsrfViewMiddleware(object):  
    123123        if getattr(callback, 'csrf_exempt', False):
    124124            return None
    125125
    126         if request.method == 'POST':
     126        if request.method in ('POST', 'PUT', 'DELETE'):
    127127            if getattr(request, '_dont_enforce_csrf_checks', False):
    128128                # Mechanism to turn off CSRF checks for test suite.  It comes after
    129129                # the creation of CSRF cookies, so that everything else continues to
    class CsrfViewMiddleware(object):  
    160160            else:
    161161                csrf_token = request.META["CSRF_COOKIE"]
    162162
    163             # check incoming token
     163            # Check the incoming token in the request's POST data. For
     164            # PUT and DELETE requests, we only support the X-CSRFToken
     165            # header.
    164166            request_csrf_token = request.POST.get('csrfmiddlewaretoken', "")
    165167            if request_csrf_token == "":
    166168                # Fall back to X-CSRFToken, to make things easier for AJAX
Back to Top