
Ticket #19436: 19436_patch.diff

File 19436_patch.diff, 3.5 KB (added by chass, 14 months ago)
1diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
2index 4230344..98974f0 100644
3--- a/django/middleware/csrf.py
4+++ b/django/middleware/csrf.py
5@@ -83,6 +83,13 @@ class CsrfViewMiddleware(object):
6         return None
7 
8     def _reject(self, request, reason):
9+        logger.warning('Forbidden (%s): %s',
10+                       reason, request.path,
11+            extra={
12+                'status_code': 403,
13+                'request': request,
14+            }
15+        )
16         return _get_failure_view()(request, reason=reason)
17 
18     def process_view(self, request, callback, callback_args, callback_kwargs):
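Review bot: Moving the warning into `_reject` turns the 403 audit log into part of an overridable hook, so any subclass that overrides `_reject` silently drops the warning too, exactly as `_EnsureCsrfToken` does later in this same patch; that is intended there, but nothing on the method says so. The `'status_code': 403` in `extra` is also hard-coded, while the actual response comes from `_get_failure_view()`, which is configurable, so the logged status may not match what a custom failure view returns. Note as well that `reason` can embed the raw `Referer` header (the `REASON_BAD_REFERER` formatting in the following hunk), so the logged text is attacker-controlled and should be treated as untrusted by anything that parses these log lines. A docstring such as `"""Log the CSRF rejection and return the configured failure response; overrides that do not call super() also suppress the warning, and the logged 403 assumes the failure view returns that status."""` would make these points explicit.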
19@@ -134,38 +141,18 @@ class CsrfViewMiddleware(object):
20                 # we can use strict Referer checking.
21                 referer = request.META.get('HTTP_REFERER')
22                 if referer is None:
23-                    logger.warning('Forbidden (%s): %s',
24-                                   REASON_NO_REFERER, request.path,
25-                        extra={
26-                            'status_code': 403,
27-                            'request': request,
28-                        }
29-                    )
30                     return self._reject(request, REASON_NO_REFERER)
31 
32                 # Note that request.get_host() includes the port.
33                 good_referer = 'https://%s/' % request.get_host()
34                 if not same_origin(referer, good_referer):
35                     reason = REASON_BAD_REFERER % (referer, good_referer)
36-                    logger.warning('Forbidden (%s): %s', reason, request.path,
37-                        extra={
38-                            'status_code': 403,
39-                            'request': request,
40-                        }
41-                    )
42                     return self._reject(request, reason)
43 
44             if csrf_token is None:
45                 # No CSRF cookie. For POST requests, we insist on a CSRF cookie,
46                 # and in this way we can avoid all CSRF attacks, including login
47                 # CSRF.
48-                logger.warning('Forbidden (%s): %s',
49-                               REASON_NO_CSRF_COOKIE, request.path,
50-                    extra={
51-                        'status_code': 403,
52-                        'request': request,
53-                    }
54-                )
55                 return self._reject(request, REASON_NO_CSRF_COOKIE)
56 
57             # Check non-cookie token for match.
58@@ -179,13 +166,6 @@ class CsrfViewMiddleware(object):
59                 request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
60 
61             if not constant_time_compare(request_csrf_token, csrf_token):
62-                logger.warning('Forbidden (%s): %s',
63-                               REASON_BAD_TOKEN, request.path,
64-                    extra={
65-                        'status_code': 403,
66-                        'request': request,
67-                    }
68-                )
69                 return self._reject(request, REASON_BAD_TOKEN)
70 
71         return self._accept(request)
72diff --git a/django/views/decorators/csrf.py b/django/views/decorators/csrf.py
73index 7a7eb6b..a6bd7d8 100644
74--- a/django/views/decorators/csrf.py
75+++ b/django/views/decorators/csrf.py
76@@ -15,7 +15,7 @@ using the decorator multiple times, is harmless and efficient.
77 
78 class _EnsureCsrfToken(CsrfViewMiddleware):
79     # We need this to behave just like the CsrfViewMiddleware, but not reject
80-    # requests.
81+    # requests or log warnings.
82     def _reject(self, request, reason):
83         return None
84
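Review bot: The updated comment says what this override suppresses but not why returning `None` is the right thing: with `_reject` returning `None`, the parent's `process_view` returns `None` on a failed check, which (as far as the visible hunks show) is how the decorator lets the request continue while still running the middleware's token handling, and it skips the parent's 403 warning because the failure is expected here. A docstring would carry that better than the bare comment, e.g. `"""Never reject: return None so process_view falls through, and skip the parent's 403 logging since a missing or bad token is expected for views that only need the cookie set."""`. The callers of `_EnsureCsrfToken` are outside this hunk, so whether fall-through is the only intended effect is inferred.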