diff --git a/django/contrib/csrf/middleware.py b/django/contrib/csrf/middleware.py
index 24c1511..8a9fac5 100644
|
a
|
b
|
from django.http import HttpResponseForbidden
|
| 13 | 13 | from django.utils.hashcompat import md5_constructor |
| 14 | 14 | from django.utils.safestring import mark_safe |
| 15 | 15 | |
| | 16 | CSRF_TOKEN_NAME = 'csrfmiddlewaretoken' |
| | 17 | |
| 16 | 18 | _ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>') |
| 17 | 19 | |
| 18 | 20 | _POST_FORM_RE = \ |
| … |
… |
class CsrfMiddleware(object):
|
| 52 | 54 | csrf_token = _make_token(session_id) |
| 53 | 55 | # check incoming token |
| 54 | 56 | try: |
| 55 | | request_csrf_token = request.POST['csrfmiddlewaretoken'] |
| | 57 | request_csrf_token = request.POST[CSRF_TOKEN_NAME] |
| 56 | 58 | except KeyError: |
| 57 | 59 | return HttpResponseForbidden(_ERROR_MSG) |
| 58 | 60 | |
| … |
… |
class CsrfMiddleware(object):
|
| 80 | 82 | response['Content-Type'].split(';')[0] in _HTML_TYPES: |
| 81 | 83 | |
| 82 | 84 | # ensure we don't add the 'id' attribute twice (HTML validity) |
| 83 | | idattributes = itertools.chain(("id='csrfmiddlewaretoken'",), |
| | 85 | idattributes = itertools.chain(("id='%s'" % (CSRF_TOKEN_NAME,),), |
| 84 | 86 | itertools.repeat('')) |
| 85 | 87 | def add_csrf_field(match): |
| 86 | 88 | """Returns the matched <form> tag plus the added <input> element""" |
| 87 | 89 | return mark_safe(match.group() + "<div style='display:none;'>" + \ |
| 88 | 90 | "<input type='hidden' " + idattributes.next() + \ |
| 89 | | " name='csrfmiddlewaretoken' value='" + csrf_token + \ |
| | 91 | " name='" + CSRF_TOKEN_NAME + "' value='" + csrf_token + \ |
| 90 | 92 | "' /></div>") |
| 91 | 93 | |
| 92 | 94 | # Modify any POST forms |
diff --git a/django/test/client.py b/django/test/client.py
index ecc3a1c..2fb3f42 100644
|
a
|
b
|
from django.utils.functional import curry
|
| 18 | 18 | from django.utils.encoding import smart_str |
| 19 | 19 | from django.utils.http import urlencode |
| 20 | 20 | from django.utils.itercompat import is_iterable |
| | 21 | from django.contrib.csrf.middleware import CSRF_TOKEN_NAME, _make_token |
| 21 | 22 | |
| 22 | 23 | BOUNDARY = 'BoUnDaRyStRiNg' |
| 23 | 24 | MULTIPART_CONTENT = 'multipart/form-data; boundary=%s' % BOUNDARY |
| … |
… |
class Client(object):
|
| 275 | 276 | """ |
| 276 | 277 | Requests a response from the server using POST. |
| 277 | 278 | """ |
| | 279 | if ('django.contrib.csrf.middleware.CsrfMiddleware' in |
| | 280 | settings.MIDDLEWARE_CLASSES and |
| | 281 | hasattr(self.session, 'session_key')): |
| | 282 | data[CSRF_TOKEN_NAME] = _make_token(self.session.session_key) |
| | 283 | |
| 278 | 284 | if content_type is MULTIPART_CONTENT: |
| 279 | 285 | post_data = encode_multipart(BOUNDARY, data) |
| 280 | 286 | else: |
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index cf0fe8a..71467bf 100644
|
a
|
b
|
it sends fragments of HTML in JavaScript document.write statements)
|
| 73 | 73 | you might bypass the filter that adds the hidden field to the form, |
| 74 | 74 | in which case form submission will always fail. It may still be possible |
| 75 | 75 | to use the middleware, provided you can find some way to get the |
| 76 | | CSRF token and ensure that is included when your form is submitted. |
| 77 | | No newline at end of file |
| | 76 | CSRF token and ensure that is included when your form is submitted. |
| | 77 | |
| | 78 | Testing |
| | 79 | ======= |
| | 80 | |
| | 81 | The :mod:`Django test client <django.test.client>` automatically |
| | 82 | bypasses CsrfMiddleware, for easier testing of POST requests. |