diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index 4230344..98974f0 100644
|
a
|
b
|
class CsrfViewMiddleware(object):
|
| 83 | 83 | return None |
| 84 | 84 | |
| 85 | 85 | def _reject(self, request, reason): |
| | 86 | logger.warning('Forbidden (%s): %s', |
| | 87 | reason, request.path, |
| | 88 | extra={ |
| | 89 | 'status_code': 403, |
| | 90 | 'request': request, |
| | 91 | } |
| | 92 | ) |
| 86 | 93 | return _get_failure_view()(request, reason=reason) |
| 87 | 94 | |
| 88 | 95 | def process_view(self, request, callback, callback_args, callback_kwargs): |
| … |
… |
class CsrfViewMiddleware(object):
|
| 134 | 141 | # we can use strict Referer checking. |
| 135 | 142 | referer = request.META.get('HTTP_REFERER') |
| 136 | 143 | if referer is None: |
| 137 | | logger.warning('Forbidden (%s): %s', |
| 138 | | REASON_NO_REFERER, request.path, |
| 139 | | extra={ |
| 140 | | 'status_code': 403, |
| 141 | | 'request': request, |
| 142 | | } |
| 143 | | ) |
| 144 | 144 | return self._reject(request, REASON_NO_REFERER) |
| 145 | 145 | |
| 146 | 146 | # Note that request.get_host() includes the port. |
| 147 | 147 | good_referer = 'https://%s/' % request.get_host() |
| 148 | 148 | if not same_origin(referer, good_referer): |
| 149 | 149 | reason = REASON_BAD_REFERER % (referer, good_referer) |
| 150 | | logger.warning('Forbidden (%s): %s', reason, request.path, |
| 151 | | extra={ |
| 152 | | 'status_code': 403, |
| 153 | | 'request': request, |
| 154 | | } |
| 155 | | ) |
| 156 | 150 | return self._reject(request, reason) |
| 157 | 151 | |
| 158 | 152 | if csrf_token is None: |
| 159 | 153 | # No CSRF cookie. For POST requests, we insist on a CSRF cookie, |
| 160 | 154 | # and in this way we can avoid all CSRF attacks, including login |
| 161 | 155 | # CSRF. |
| 162 | | logger.warning('Forbidden (%s): %s', |
| 163 | | REASON_NO_CSRF_COOKIE, request.path, |
| 164 | | extra={ |
| 165 | | 'status_code': 403, |
| 166 | | 'request': request, |
| 167 | | } |
| 168 | | ) |
| 169 | 156 | return self._reject(request, REASON_NO_CSRF_COOKIE) |
| 170 | 157 | |
| 171 | 158 | # Check non-cookie token for match. |
| … |
… |
class CsrfViewMiddleware(object):
|
| 179 | 166 | request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '') |
| 180 | 167 | |
| 181 | 168 | if not constant_time_compare(request_csrf_token, csrf_token): |
| 182 | | logger.warning('Forbidden (%s): %s', |
| 183 | | REASON_BAD_TOKEN, request.path, |
| 184 | | extra={ |
| 185 | | 'status_code': 403, |
| 186 | | 'request': request, |
| 187 | | } |
| 188 | | ) |
| 189 | 169 | return self._reject(request, REASON_BAD_TOKEN) |
| 190 | 170 | |
| 191 | 171 | return self._accept(request) |
diff --git a/django/views/decorators/csrf.py b/django/views/decorators/csrf.py
index 7a7eb6b..a6bd7d8 100644
|
a
|
b
|
using the decorator multiple times, is harmless and efficient.
|
| 15 | 15 | |
| 16 | 16 | class _EnsureCsrfToken(CsrfViewMiddleware): |
| 17 | 17 | # We need this to behave just like the CsrfViewMiddleware, but not reject |
| 18 | | # requests |
| | 18 | # requests or log warnings. |
| 19 | 19 | def _reject(self, request, reason): |
| 20 | 20 | return None |
| 21 | 21 | |