Context Navigation

Back to Ticket #9977

Ticket #9977: csrf_template_tag_18.diff

File csrf_template_tag_18.diff, 61.9 KB (added by Luke Plant, 15 years ago)
Added docs about upgrading, used csrf_response_exempt in admin, removed duplicated code

django/conf/project_template/settings.py

 MIDDLEWARE_CLASSES = (
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.contrib.csrf.middleware.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
+)
 …
 INSTALLED_APPS = (
     'django.contrib.auth',
     'django.contrib.contenttypes',
+    'django.contrib.csrf',
     'django.contrib.sessions',
     'django.contrib.sites',
+)

django/conf/global_settings.py

     'django.core.context_processors.debug',
     'django.core.context_processors.i18n',
     'django.core.context_processors.media',
+    'django.contrib.csrf.context_processors.csrf',
 #    'django.core.context_processors.request',
+)
 …
 MIDDLEWARE_CLASSES = (
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.contrib.csrf.middleware.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
 #     'django.middleware.http.ConditionalGetMiddleware',
 #     'django.middleware.gzip.GZipMiddleware',
 …
 # The number of days a password reset link is valid for
 PASSWORD_RESET_TIMEOUT_DAYS = 3
+########
+# CSRF #
+########
+# Dotted path to callable to be used as view when a request is
+# rejected by the CSRF middleware.
+CSRF_FAILURE_VIEW = 'django.contrib.csrf.views.csrf_failure'
+# Some 'salt' to stop CSRF middleware being abused into generating and
+# returning md5hash(SECRET_KEY + user supplied string).  This probably
+# is not needed with built-in session backends. It does not matter if
+# this setting is not changed in individual settings files, because
+# the SECRET_KEY is also used for hashing.
+CSRF_SALT = 'g7x2(s0$h!^^_ykw81nm383yl58#@lpkfw_yv_yf'
 ###########
 # TESTING #
 ###########

django/contrib/formtools/templates/formtools/preview.html

 {% extends "base.html" %}
+{% load csrf %}
 {% block content %}
 <h1>Preview your submission</h1>
 …
 <p>Security hash: {{ hash_value }}</p>
 <form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {% for field in form %}{{ field.as_hidden }}
 {% endfor %}
 <input type="hidden" name="{{ stage_field }}" value="2" />
 …
 <h1>Or edit it again</h1>
 <form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 <table>
 {{ form }}
 </table>

django/contrib/formtools/templates/formtools/form.html

 {% extends "base.html" %}
+{% load csrf %}
 {% block content %}
 {% if form.errors %}<h1>Please correct the following errors</h1>{% else %}<h1>Submit</h1>{% endif %}
 <form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 <table>
 {{ form }}
 </table>

django/contrib/comments/templates/comments/approve.html

 {% extends "comments/base.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block title %}{% trans "Approve a comment" %}{% endblock %}
 {% block content %}
   <h1>{% trans "Really make this comment public?" %}</h1>
   <blockquote>{{ comment|linebreaks }}</blockquote>
   <form action="." method="post">
+  <form action="." method="post">{% csrf_token %}
     {% if next %}<input type="hidden" name="next" value="{{ next }}" id="next" />{% endif %}
     <p class="submit">
       <input type="submit" name="submit" value="{% trans "Approve" %}" /> or <a href="{{ comment.get_absolute_url }}">cancel</a>

django/contrib/comments/templates/comments/preview.html

 {% extends "comments/base.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block title %}{% trans "Preview your comment" %}{% endblock %}
 {% block content %}
   {% load comments %}
   <form action="{% comment_form_target %}" method="post">
+  <form action="{% comment_form_target %}" method="post">{% csrf_token %}
     {% if next %}<input type="hidden" name="next" value="{{ next }}" />{% endif %}
     {% if form.errors %}
     <h1>{% blocktrans count form.errors|length as counter %}Please correct the error below{% plural %}Please correct the errors below{% endblocktrans %}</h1>

django/contrib/comments/templates/comments/delete.html

 {% extends "comments/base.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block title %}{% trans "Remove a comment" %}{% endblock %}
 {% block content %}
 <h1>{% trans "Really remove this comment?" %}</h1>
   <blockquote>{{ comment|linebreaks }}</blockquote>
   <form action="." method="post">
+  <form action="." method="post">{% csrf_token %}
     {% if next %}<input type="hidden" name="next" value="{{ next }}" id="next" />{% endif %}
     <p class="submit">
     <input type="submit" name="submit" value="{% trans "Remove" %}" /> or <a href="{{ comment.get_absolute_url }}">cancel</a>

django/contrib/comments/templates/comments/form.html

 {% load comments i18n %}
 <form action="{% comment_form_target %}" method="post">
+{% load comments i18n csrf %}
+<form action="{% comment_form_target %}" method="post">{% csrf_token %}
   {% if next %}<input type="hidden" name="next" value="{{ next }}" />{% endif %}
   {% for field in form %}
     {% if field.is_hidden %}

django/contrib/comments/templates/comments/moderation_queue.html

 {% extends "admin/change_list.html" %}
 {% load adminmedia i18n %}
+{% load adminmedia i18n csrf %}
 {% block title %}{% trans "Comment moderation queue" %}{% endblock %}
 …
       {% for comment in comments %}
         <tr class="{% cycle 'row1' 'row2' %}">
           <td class="actions">
             <form action="{% url comments-approve comment.pk %}" method="post">
+            <form action="{% url comments-approve comment.pk %}" method="post">{% csrf_token %}
               <input type="hidden" name="next" value="{% url comments-moderation-queue %}" />
               <input class="approve submit" type="submit" name="submit" value="{% trans "Approve" %}" />
             </form>
             <form action="{% url comments-delete comment.pk %}" method="post">
+            <form action="{% url comments-delete comment.pk %}" method="post">{% csrf_token %}
               <input type="hidden" name="next" value="{% url comments-moderation-queue %}" />
               <input class="remove submit" type="submit" name="submit" value="{% trans "Remove" %}" />
             </form>

django/contrib/comments/templates/comments/flag.html

 {% extends "comments/base.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block title %}{% trans "Flag this comment" %}{% endblock %}
 {% block content %}
 <h1>{% trans "Really flag this comment?" %}</h1>
   <blockquote>{{ comment|linebreaks }}</blockquote>
   <form action="." method="post">
+  <form action="." method="post">{% csrf_token %}
     {% if next %}<input type="hidden" name="next" value="{{ next }}" id="next" />{% endif %}
     <p class="submit">
     <input type="submit" name="submit" value="{% trans "Flag" %}" /> or <a href="{{ comment.get_absolute_url }}">cancel</a>

django/contrib/admin/templates/admin/change_list.html

 {% extends "admin/base_site.html" %}
 {% load adminmedia admin_list i18n %}
+{% load adminmedia admin_list i18n csrf %}
 {% block extrastyle %}
   {{ block.super }}
 …
         {% endif %}
       {% endblock %}
       <form action="" method="post"{% if cl.formset.is_multipart %} enctype="multipart/form-data"{% endif %}>
+      <form action="" method="post"{% if cl.formset.is_multipart %} enctype="multipart/form-data"{% endif %}>{% csrf_token %}
       {% if cl.formset %}
         {{ cl.formset.management_form }}
       {% endif %}

django/contrib/admin/templates/admin/template_validator.html

 {% extends "admin/base_site.html" %}
+{% load csrf %}
 {% block content %}
 <div id="content-main">
 <form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {% if form.errors %}
 <p class="errornote">Your template had {{ form.errors|length }} error{{ form.errors|pluralize }}:</p>

django/contrib/admin/templates/admin/delete_selected_confirmation.html

 {% extends "admin/base_site.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block breadcrumbs %}
 <div class="breadcrumbs">
 …
     {% for deleteable_object in deletable_objects %}
         <ul>{{ deleteable_object|unordered_list }}</ul>
     {% endfor %}
     <form action="" method="post">
+    <form action="" method="post">{% csrf_token %}
     <div>
     {% for obj in queryset %}
     <input type="hidden" name="{{ action_checkbox_name }}" value="{{ obj.pk }}" />
 …
     </div>
     </form>
 {% endif %}
+{% endblock %}
+ No newline at end of file
+{% endblock %}

django/contrib/admin/templates/admin/auth/user/change_password.html

 {% extends "admin/base_site.html" %}
 {% load i18n admin_modify adminmedia %}
+{% load i18n admin_modify adminmedia csrf %}
 {% block extrahead %}{{ block.super }}
 <script type="text/javascript" src="../../../../jsi18n/"></script>
 {% endblock %}
 …
 </div>
 {% endif %}{% endblock %}
 {% block content %}<div id="content-main">
 <form action="{{ form_url }}" method="post" id="{{ opts.module_name }}_form">{% block form_top %}{% endblock %}
+<form action="{{ form_url }}" method="post" id="{{ opts.module_name }}_form">{% csrf_token %}{% block form_top %}{% endblock %}
 <div>
 {% if is_popup %}<input type="hidden" name="_popup" value="1" />{% endif %}
 {% if form.errors %}

django/contrib/admin/templates/admin/login.html

 {% extends "admin/base_site.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block extrastyle %}{% load adminmedia %}{{ block.super }}<link rel="stylesheet" type="text/css" href="{% admin_media_prefix %}css/login.css" />{% endblock %}
 …
 <p class="errornote">{{ error_message }}</p>
 {% endif %}
 <div id="content-main">
 <form action="{{ app_path }}" method="post" id="login-form">
+<form action="{{ app_path }}" method="post" id="login-form">{% csrf_token %}
   <div class="form-row">
     <label for="id_username">{% trans 'Username:' %}</label> <input type="text" name="username" id="id_username" />
   </div>

django/contrib/admin/templates/admin/change_form.html

 {% extends "admin/base_site.html" %}
 {% load i18n admin_modify adminmedia %}
+{% load i18n admin_modify adminmedia csrf %}
 {% block extrahead %}{{ block.super }}
 <script type="text/javascript" src="../../../jsi18n/"></script>
 …
   </ul>
 {% endif %}{% endif %}
 {% endblock %}
 <form {% if has_file_field %}enctype="multipart/form-data" {% endif %}action="{{ form_url }}" method="post" id="{{ opts.module_name }}_form">{% block form_top %}{% endblock %}
+<form {% if has_file_field %}enctype="multipart/form-data" {% endif %}action="{{ form_url }}" method="post" id="{{ opts.module_name }}_form">{% csrf_token %}{% block form_top %}{% endblock %}
 <div>
 {% if is_popup %}<input type="hidden" name="_popup" value="1" />{% endif %}
 {% if save_on_top %}{% submit_row %}{% endif %}

django/contrib/admin/templates/admin/delete_confirmation.html

 {% extends "admin/base_site.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block breadcrumbs %}
 <div class="breadcrumbs">
 …
 {% else %}
     <p>{% blocktrans with object as escaped_object %}Are you sure you want to delete the {{ object_name }} "{{ escaped_object }}"? All of the following related items will be deleted:{% endblocktrans %}</p>
     <ul>{{ deleted_objects|unordered_list }}</ul>
     <form action="" method="post">
+    <form action="" method="post">{% csrf_token %}
     <div>
     <input type="hidden" name="post" value="yes" />
     <input type="submit" value="{% trans "Yes, I'm sure" %}" />

django/contrib/admin/templates/registration/password_reset_confirm.html

 {% extends "admin/base_site.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block breadcrumbs %}<div class="breadcrumbs"><a href="../">{% trans 'Home' %}</a> &rsaquo; {% trans 'Password reset confirmation' %}</div>{% endblock %}
 …
 <p>{% trans "Please enter your new password twice so we can verify you typed it in correctly." %}</p>
 <form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {{ form.new_password1.errors }}
 <p class="aligned wide"><label for="id_new_password1">{% trans 'New password:' %}</label>{{ form.new_password1 }}</p>
 {{ form.new_password2.errors }}

django/contrib/admin/templates/registration/password_reset_form.html

 {% extends "admin/base_site.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block breadcrumbs %}<div class="breadcrumbs"><a href="../">{% trans 'Home' %}</a> &rsaquo; {% trans 'Password reset' %}</div>{% endblock %}
 …
 <p>{% trans "Forgotten your password? Enter your e-mail address below, and we'll e-mail instructions for setting a new one." %}</p>
 <form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {{ form.email.errors }}
 <p><label for="id_email">{% trans 'E-mail address:' %}</label> {{ form.email }} <input type="submit" value="{% trans 'Reset my password' %}" /></p>
 </form>

django/contrib/admin/templates/registration/password_change_form.html

 {% extends "admin/base_site.html" %}
 {% load i18n %}
+{% load i18n csrf %}
 {% block userlinks %}{% url django-admindocs-docroot as docsroot %}{% if docsroot %}<a href="{{ docsroot }}">{% trans 'Documentation' %}</a> / {% endif %} {% trans 'Change password' %} / <a href="../logout/">{% trans 'Log out' %}</a>{% endblock %}
 {% block breadcrumbs %}<div class="breadcrumbs"><a href="../">{% trans 'Home' %}</a> &rsaquo; {% trans 'Password change' %}</div>{% endblock %}
 …
 <p>{% trans "Please enter your old password, for security's sake, and then enter your new password twice so we can verify you typed it in correctly." %}</p>
 <form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {{ form.old_password.errors }}
 <p class="aligned wide"><label for="id_old_password">{% trans 'Old password:' %}</label>{{ form.old_password }}</p>

django/contrib/admin/sites.py

 from django.contrib.admin import ModelAdmin
 from django.contrib.admin import actions
 from django.contrib.auth import authenticate, login
+from django.contrib.csrf.middleware import csrf_response_exempt
 from django.db.models.base import ModelBase
 from django.core.exceptions import ImproperlyConfigured
 from django.shortcuts import render_to_response
 …
             raise ImproperlyConfigured("Put 'django.contrib.admin' in your INSTALLED_APPS setting in order to use the admin application.")
         if not ContentType._meta.installed:
             raise ImproperlyConfigured("Put 'django.contrib.contenttypes' in your INSTALLED_APPS setting in order to use the admin application.")
+        if 'django.contrib.csrf' not in settings.INSTALLED_APPS:
+            raise ImproperlyConfigured("Put 'django.contrib.csrf' in your INSTALLED_APPS setting in order to use the admin application.")
         if 'django.core.context_processors.auth' not in settings.TEMPLATE_CONTEXT_PROCESSORS:
             raise ImproperlyConfigured("Put 'django.core.context_processors.auth' in your TEMPLATE_CONTEXT_PROCESSORS setting in order to use the admin application.")
+        if 'django.contrib.csrf.context_processors.csrf' not in settings.TEMPLATE_CONTEXT_PROCESSORS:
+            raise ImproperlyConfigured("Put 'django.contrib.csrf.context_processors.csrf' in your TEMPLATE_CONTEXT_PROCESSORS setting in order to use the admin application.")
     def admin_view(self, view):
         """
 …
             if not self.has_permission(request):
                 return self.login(request)
             return view(request, *args, **kwargs)
+        return update_wrapper(inner, view)
+        inner = update_wrapper(inner, view)
+        return csrf_response_exempt(inner)
     def get_urls(self):
         from django.conf.urls.defaults import patterns, url, include

django/contrib/csrf/middleware.py

 against request forgeries from other sites.
 """
+import itertools
 import re
-import itertools
 try:
     from functools import wraps
 except ImportError:
     from django.utils.functional import wraps  # Python 2.3, 2.4 fallback.
 from django.conf import settings
 from django.http import HttpResponseForbidden
+from django.core.urlresolvers import get_callable
 from django.utils.hashcompat import md5_constructor
 from django.utils.safestring import mark_safe
-_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
 _POST_FORM_RE = \
     re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)
 _HTML_TYPES = ('text/html', 'application/xhtml+xml')
+def _make_token(session_id):
+    return md5_constructor(settings.SECRET_KEY + session_id).hexdigest()
+def _get_failure_view():
+    """
+    Returns the view to be used for CSRF rejections
+    """
+    return get_callable(settings.CSRF_FAILURE_VIEW)
+def _get_validated_session_id(request):
+    # This function is called by the csrf_token. So, we don't make the
+    # session framework a requirement, otherwise people would have to change
+    # their templates if they disabled the session middleware
+    if hasattr(request, 'session'):
+        if request.session.accessed or request.session.modified:
+            # Could be a new session, need to use new session ID
+            return request.session.session_key
+        else:
+            # Avoid use of session.session_key, which can trigger
+            # unecessary work
+            session_id = request.COOKIES.get(settings.SESSION_COOKIE_NAME, None)
+            if session_id is not None and request.session.exists(session_id):
+                return session_id
+            else:
+                return None # not a valid session
+    return None
+def get_token(request, salt=None):
+    """
+    Returns the the CSRF token required for a session,
+    or None if there is no session active.
+    'salt' parameter is designed for internal use only.
+    """
+    session_id = _get_validated_session_id(request)
+    if session_id is None:
+        # No session
+        return None
+    else:
+        return _make_token(session_id, salt=salt)
+def _make_token(session_id, salt=None):
+    # 'salt' was added in case the session_id is not validated by the
+    # backend, which would create a potential vulnerability whereby an
+    # attacker could generate md5hash(SECRETE_KEY + arbitrary string),
+    # which could be useful to circumvent other protections.
+    if salt is None:
+        salt = settings.CSRF_SALT
+    return md5_constructor(settings.SECRET_KEY + salt + session_id).hexdigest()
 class CsrfViewMiddleware(object):
     """
     Middleware that requires a present and correct csrfmiddlewaretoken
     for POST requests that have an active session.
+    This middleware should be used in conjunction with the csrf_token template
+    tag.
     """
     def process_view(self, request, callback, callback_args, callback_kwargs):
         if request.method == 'POST':
 …
             if request.is_ajax():
                 return None
+            try:
+                session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
+            except KeyError:
+            csrf_token = get_token(request)
+            if csrf_token is None:
+                # Coud happen if session middleware is disabled
+                assert hasattr(request, 'session'), "The CSRF middleware requires the session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to add 'django.contrib.sessions.middleware.SessionMiddleware'."
                 # No session, no check required
                 return None
-            csrf_token = _make_token(session_id)
             # check incoming token
             try:
                 request_csrf_token = request.POST['csrfmiddlewaretoken']
             except KeyError:
                 return HttpResponseForbidden(_ERROR_MSG)
+                return _get_failure_view()(request)
             if request_csrf_token != csrf_token:
+                return HttpResponseForbidden(_ERROR_MSG)
+                # Earlier versions of Django did not use 'salt' in
+                # generating the token.  On upgrading, a form
+                # generated by such a version will produce a
+                # different token, so to avoid upgrade bumps, we
+                # accept the old tokens
+                old_csrf_token = get_token(request, salt="")
+                if request_csrf_token != old_csrf_token:
+                    return _get_failure_view()(request)
         return None
 …
     Middleware that post-processes a response to add a
     csrfmiddlewaretoken if the response/request have an active
     session.
+    It is recommended to use the csrf_token template tag instead of
+    this middleware.
     """
     def process_response(self, request, response):
         if getattr(response, 'csrf_exempt', False):
 …
             csrf_token = _make_token(cookie.value)
         except KeyError:
             # Normal case - look for existing session cookie
             try:
                 session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
+            session_id = _get_validated_session_id(request)
+            if session_id is not None:
                 csrf_token = _make_token(session_id)
             except KeyError:
+            else:
                 # no incoming or outgoing cookie
                 pass
         if csrf_token is not None and \
                 response['Content-Type'].split(';')[0] in _HTML_TYPES:
+            response['Content-Type'].split(';')[0] in _HTML_TYPES:
             # ensure we don't add the 'id' attribute twice (HTML validity)
             idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),
                                             itertools.repeat(''))
+        # ensure we don't add the 'id' attribute twice (HTML validity)
+            idattributes = itertools.chain(("id='csrfmiddlewaretoken'", ),
+                itertools.repeat(''))
             def add_csrf_field(match):
                 """Returns the matched <form> tag plus the added <input> element"""
                 return mark_safe(match.group() + "<div style='display:none;'>" + \
 …
     Request Forgeries by adding hidden form fields to POST forms and
     checking requests for the correct value.
+    In the list of middlewares, SessionMiddleware is required, and
+    must come after this middleware.  CsrfMiddleWare must come after
+    compression middleware.
+    CsrfMiddleWare is composed of two middleware, CsrfViewMiddleware
+    and CsrfResponseMiddleware which can be used independently.
+    It is recommended to use only CsrfViewMiddleware and use the
+    csrf_token template tag in templates for inserting the token.
-    If a session ID cookie is present, it is hashed with the
-    SECRET_KEY setting to create an authentication token.  This token
-    is added to all outgoing POST forms and is expected on all
-    incoming POST requests that have a session ID cookie.
     If you are setting cookies directly, instead of using Django's
     session framework, this middleware will not work.
-    CsrfMiddleWare is composed of two middleware, CsrfViewMiddleware
-    and CsrfResponseMiddleware which can be used independently.
     """
     pass
 …
     from the post-processing of the CSRF middleware.
     """
     def wrapped_view(*args, **kwargs):
         resp = view_func(*args, **kwargs)
+        resp = view_func( * args, ** kwargs)
         resp.csrf_exempt = True
         return resp
     return wraps(view_func)(wrapped_view)
 …
     # are nicer if they don't have side-effects, so we return a new
     # function.
     def wrapped_view(*args, **kwargs):
         return view_func(*args, **kwargs)
+        return view_func( * args, ** kwargs)
     wrapped_view.csrf_exempt = True
     return wraps(view_func)(wrapped_view)

django/contrib/csrf/views.py

+from django.http import HttpResponseForbidden
+from django.utils.safestring import mark_safe
+_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
+def csrf_failure(request):
+    """
+    Default view used when request fails CSRF protection
+    """
+    return HttpResponseForbidden(_ERROR_MSG)

django/contrib/csrf/tests.py

Property changes on: django/contrib/csrf/views.py
___________________________________________________________________
Added: svn:eol-style
   + native

 from django.test import TestCase
 from django.http import HttpRequest, HttpResponse, HttpResponseForbidden
 from django.contrib.csrf.middleware import CsrfMiddleware, _make_token, csrf_exempt
+from django.contrib.csrf.context_processors import csrf
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.utils.importlib import import_module
 from django.conf import settings
+from django.template import RequestContext, Template
+# Response/views used for CsrfResponseMiddleware and CsrfViewMiddleware tests
 def post_form_response():
     resp = HttpResponse(content="""
 <html><body><form method="POST"><input type="text" /></form></body></html>
 """, mimetype="text/html")
     return resp
 def test_view(request):
+def post_form_view(request):
     return post_form_response()
+# Response/views used for template tag tests
+def _token_template():
+    return Template("{% load csrf %}{% csrf_token %}")
+def _render_csrf_token_template(req):
+    context = RequestContext(req, processors=[csrf])
+    template = _token_template()
+    return template.render(context)
+def token_view(request):
+    return HttpResponse(_render_csrf_token_template(request))
+def token_view_with_session_access(request):
+    request.session["test value"] = "value"
+    return HttpResponse(_render_csrf_token_template(request))
+def token_view_with_late_session_access(request):
+    # This view creates RequestContext and *then* accesses the
+    # session.  This will be problematic unless the csrf context
+    # processor is lazy.
+    assert not (request.session.accessed or request.session.modified)
+    context = RequestContext(request, processors=[csrf])
+    request.session["test value"] = "value"
+    assert (request.session.accessed or request.session.modified)
+    template = _token_template()
+    return HttpResponse(template.render(context))
+def token_view_with_new_session(request):
+    # View deliberately cycles the session key
+    request.session.create()
+    return HttpResponse(_render_csrf_token_template(request))
 class CsrfMiddlewareTest(TestCase):
+    _session_id = "1"
+    def setUp(self, *args, **kwargs):
+        super(CsrfMiddlewareTest, self).setUp(*args, **kwargs)
+        # We have to create an actual session in the DB as the
+        # middleware validates the session
+        engine = import_module(settings.SESSION_ENGINE)
+        s = engine.SessionStore(None)
+        s.create()
+        self._session_id = s.session_key
+    def _apply_request_middleware(self, req):
+        SessionMiddleware().process_request(req)
+        return req
     def _get_GET_no_session_request(self):
         return HttpRequest()
+        return self._apply_request_middleware(HttpRequest())
     def _get_GET_session_request(self):
         req = self._get_GET_no_session_request()
+        req = HttpRequest()
         req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id
         return req
+        return self._apply_request_middleware(req)
     def _get_POST_session_request(self):
+        req = self._get_GET_session_request()
+        req = HttpRequest()
+        req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id
         req.method = "POST"
         return req
+        return self._apply_request_middleware(req)
     def _get_POST_no_session_request(self):
         req = self._get_GET_no_session_request()
+        req = HttpRequest()
         req.method = "POST"
         return req
+        return self._apply_request_middleware(req)
     def _get_POST_session_request_with_token(self):
         req = self._get_POST_session_request()
         req.POST['csrfmiddlewaretoken'] = _make_token(self._session_id)
         return req
-    def _get_post_form_response(self):
-        return post_form_response()
     def _get_new_session_response(self):
         resp = self._get_post_form_response()
+        resp = post_form_response()
         resp.cookies[settings.SESSION_COOKIE_NAME] = self._session_id
         return resp
     def _check_token_present(self, response):
         self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id))
-    def get_view(self):
-        return test_view
     # Check the post processing
     def test_process_response_no_session(self):
         """
         Check the the post-processor does nothing if no session active
         """
         req = self._get_GET_no_session_request()
         resp = self._get_post_form_response()
+        resp = post_form_response()
         resp_content = resp.content # needed because process_response modifies resp
         resp2 = CsrfMiddleware().process_response(req, resp)
         self.assertEquals(resp_content, resp2.content)
 …
         Check that the token is inserted if there is an existing session
         """
         req = self._get_GET_session_request()
         resp = self._get_post_form_response()
+        resp = post_form_response()
         resp_content = resp.content # needed because process_response modifies resp
         resp2 = CsrfMiddleware().process_response(req, resp)
         self.assertNotEqual(resp_content, resp2.content)
 …
         Check that no post processing is done for an exempt view
         """
         req = self._get_POST_session_request()
         resp = csrf_exempt(self.get_view())(req)
+        resp = csrf_exempt(post_form_view)(req)
         resp_content = resp.content
         resp2 = CsrfMiddleware().process_response(req, resp)
         self.assertEquals(resp_content, resp2.content)
 …
         to the incoming request.
         """
         req = self._get_POST_no_session_request()
         req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
+        req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
         self.assertEquals(None, req2)
     def test_process_request_session_no_token(self):
 …
         Check that if a session is present but no token, we get a 'forbidden'
         """
         req = self._get_POST_session_request()
         req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
+        req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
         self.assertEquals(HttpResponseForbidden, req2.__class__)
     def test_process_request_session_and_token(self):
 …
         Check that if a session is present and a token, the middleware lets it through
         """
         req = self._get_POST_session_request_with_token()
         req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
+        req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
         self.assertEquals(None, req2)
+    def test_process_request_old_token_compat(self):
+        """
+        Check that the view middleware accepts tokens generated by
+        previous version of response middleware.
+        """
+        req = self._get_POST_session_request_with_token()
+        # Previous versions did not use 'salt' in _make_token
+        req.POST['csrfmiddlewaretoken'] = _make_token(self._session_id, salt="")
+        req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
+        self.assertEquals(None, req2)
     def test_process_request_session_no_token_exempt_view(self):
         """
         Check that if a session is present and no token, but the csrf_exempt
         decorator has been applied to the view, the middleware lets it through
         """
         req = self._get_POST_session_request()
         req2 = CsrfMiddleware().process_view(req, csrf_exempt(self.get_view()), (), {})
+        req2 = CsrfMiddleware().process_view(req, csrf_exempt(post_form_view), (), {})
         self.assertEquals(None, req2)
     def test_ajax_exemption(self):
 …
         """
         req = self._get_POST_session_request()
         req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
         req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
+        req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
         self.assertEquals(None, req2)
+    # Tests for the template tag method
+    def test_token_node_no_session(self):
+        """
+        Check that CsrfTokenNode works when no session is active
+        """
+        req = self._get_GET_no_session_request()
+        resp = token_view(req)
+        self.assertEquals(u"", resp.content)
+    def test_token_node_with_session(self):
+        """
+        Check that CsrfTokenNode works when a session is active
+        """
+        req = self._get_GET_session_request()
+        resp = token_view(req)
+        self._check_token_present(resp)
+    def test_token_node_with_new_session(self):
+        """
+        Check that CsrfTokenNode works when a session is created by
+        the view (when one was not already active)
+        """
+        req = self._get_GET_no_session_request()
+        resp = token_view_with_session_access(req)
+        # view will have caused new session to be created
+        self._session_id = req.session.session_key
+        self._check_token_present(resp)
+    def test_token_node_with_changed_session(self):
+        """
+        Check that CsrfTokenNode works when a session is deliberately
+        created by the view (though one was already active)
+        """
+        req = self._get_GET_session_request()
+        resp = token_view_with_new_session(req)
+        # View will have modified session key
+        self._session_id = req.session.session_key
+        self._check_token_present(resp)
+    def test_token_node_with_modified_session_data(self):
+        """
+        Check that CsrfTokenNode works when session data is modified
+        by the view
+        """
+        req = self._get_GET_session_request()
+        resp = token_view_with_session_access(req)
+        # View should not have modified session key
+        self._check_token_present(resp)
+    def test_token_node_with_late_session_access(self):
+        """
+        Check that CsrfTokenNode works when a session is created by
+        the view *after* the RequestContext has been created
+        """
+        req = self._get_GET_no_session_request()
+        resp = token_view_with_late_session_access(req)
+        # view will have caused new session to be created
+        self._session_id = req.session.session_key
+        self._check_token_present(resp)

django/contrib/csrf/templatetags/csrf.py

+from django import template
+from django.utils.safestring import mark_safe
+register = template.Library()
+class CsrfTokenNode(template.Node):
+    def render(self, context):
+        csrf_token = context.get('csrf_token', None)
+        if csrf_token:
+            if csrf_token == 'NOTNEEDED':
+                return mark_safe(u"")
+            else:
+                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
+        else:
+            # It's very probable that the token is missing because of
+            # misconfiguration, so we raise a warning
+            from django.conf import settings
+            if settings.DEBUG:
+                import warnings
+                warnings.warn("A {% csrf_token %} was used in a template, but the context did not provide the value.  This is usually caused by not having 'django.contrib.csrf.context_processors.csrf' in TEMPLATE_CONTEXT_PROCESSORS.")
+            return u''
+def csrf_token(parser, token):
+    return CsrfTokenNode()
+register.tag(csrf_token)

django/contrib/csrf/templatetags/init.py

Property changes on: django/contrib/csrf/templatetags/csrf.py
___________________________________________________________________
Added: svn:eol-style
   + native


	1

django/contrib/csrf/context_processors.py

Property changes on: django/contrib/csrf/templatetags/__init__.py
___________________________________________________________________
Added: svn:eol-style
   + native

+from django.contrib.csrf.middleware import get_token
+from django.utils.functional import lazy, memoize
+def csrf(request):
+    """
+    Context processor that provides a CSRF token, or the string
+    'NOTNEEDED' if it is not needed
+    """
+    def _get_val():
+        token = get_token(request)
+        if token is None:
+            # In order to be able to provide debugging info in the
+            # case of misconfiguration, we use a sentinel value
+            # instead of an empty dict.
+            return 'NOTNEEDED'
+        else:
+            return token
+    # We need to generate the value as late as possible, in case the
+    # user creates RequestContext early in the view. But we also want
+    # to memoize so that we don't call this many times.
+    cache = {}
+    _get_val = lazy(memoize(_get_val, cache, 0), str)
+    return {'csrf_token': _get_val() }

django/contrib/auth/views.py

Property changes on: django/contrib/csrf/context_processors.py
___________________________________________________________________
Added: svn:eol-style
   + native

     else:
         context_instance['validlink'] = False
         form = None
     context_instance['form'] = form
+    context_instance['form'] = form
     return render_to_response(template_name, context_instance=context_instance)
 def password_reset_complete(request, template_name='registration/password_reset_complete.html'):

django/contrib/auth/tests/views.py

         # Let's munge the token in the path, but keep the same length,
         # in case the URLconf will reject a different length.
         path = path[:-5] + ("0"*4) + path[-1]
         response = self.client.get(path)
         self.assertEquals(response.status_code, 200)
         self.assert_("The password reset link was invalid" in response.content)

tests/regressiontests/admin_views/tests.py

         # 4 action inputs (3 regular checkboxes, 1 checkbox to select all)
         # main form submit button = 1
         # search field and search submit button = 2
+        # 6 + 2 + 1 + 2 = 11 inputs
+        self.failUnlessEqual(response.content.count("<input"), 15)
+        # csrf hidden field = 1
+        # 6 + 2 + 4 + 1 + 2 + 1 = 16 inputs
+        self.failUnlessEqual(response.content.count("<input"), 16)
         # 1 select per object = 3 selects
         self.failUnlessEqual(response.content.count("<select"), 4)

tests/runtests.py

     'django.contrib.sessions',
     'django.contrib.comments',
     'django.contrib.admin',
+    'django.contrib.csrf',
+]
 def get_test_models():

docs/topics/http/middleware.txt

     MIDDLEWARE_CLASSES = (
         'django.middleware.common.CommonMiddleware',
         'django.contrib.sessions.middleware.SessionMiddleware',
+        'django.contrib.csrf.middleware.CsrfViewMiddleware',
         'django.contrib.auth.middleware.AuthenticationMiddleware',
+    )

docs/ref/contrib/csrf.txt

 .. module:: django.contrib.csrf
    :synopsis: Protects against Cross Site Request Forgeries
 The CsrfMiddleware class provides easy-to-use protection against
+The CSRF middleware and template tag provides easy-to-use protection against
 `Cross Site Request Forgeries`_.  This type of attack occurs when a malicious
 Web site creates a link or form button that is intended to perform some action
 on your Web site, using the credentials of a logged-in user who is tricked
 into clicking on the link in their browser.
+on your Web site, using the credentials of a logged-in user who is tricked into
+clicking on the link in their browser.
 The first defense against CSRF attacks is to ensure that GET requests
+are side-effect free.  POST requests can then be protected by adding this
 middleware into your list of installed middleware.
+The first defense against CSRF attacks is to ensure that GET requests are
+side-effect free.  POST requests can then be protected by adding these
+middleware into your list of installed middleware following the steps below.
+.. versionadded:: 1.1
+    The 'contrib' apps, including the admin, depend on the functionality
+    described here. Anyone upgrading from earlier versions should read
+    the `Upgrading notes`_ carefully.
 .. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF
 How to use it
 =============
+Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
+your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
+the response after the SessionMiddleware, so must come before it in the
+list. It also must process the response before things like compression
+happen to the response, so it must come after GZipMiddleware in the
+list.
+.. versionchanged:: 1.1
+    The template tag functionality (the recommended way to use this) was added
+    in version 1.1. The previous method (still available) is described under
+    `Legacy method`_.
+The ``CsrfMiddleware`` class is actually composed of two middleware:
+``CsrfViewMiddleware`` which performs the checks on incoming requests,
+and ``CsrfResponseMiddleware`` which performs post-processing of the
+result.  This allows the individual components to be used and/or
+replaced instead of using ``CsrfMiddleware``.
+To enable CSRF protection for your views, follow these steps:
+.. versionchanged:: 1.1
+    (previous versions of Django did not provide these two components
+    of ``CsrfMiddleware`` as described above)
+. Add the middleware
+       ``'django.contrib.csrf.middleware.CsrfViewMiddleware'`` to your list of
+       middleware classes, :setting:`MIDDLEWARE_CLASSES`.  (Currently it can
+       come anywhere in the list with respect to other middleware included in
+       Django.  It should come before any view middleware that assume that CSRF
+       attacks have been dealt with.)
+. Add ``'django.contrib.csrf'`` to your :setting:`INSTALLED_APPS`.
+. In any template that uses a POST form, first load the 'csrf' template tag
+       library::
+           {% load csrf %}
+       Then use the ``csrf_token`` tag inside the ``<form>`` element, e.g.::
+           <form action="" method="POST">{% csrf_token %}
+. In the corresponding view functions, ensure that the
+       ``'django.contrib.csrf.context_processors.csrf'`` is being used. Usually,
+       this can be done in one of two ways:
+. Using RequestContext:
+. Ensure ``'django.contrib.csrf.context_processors.csrf'`` is present
+             in your :setting:`TEMPLATE_CONTEXT_PROCESSORS` setting. It is
+             present by default.
+. Use ``RequestContext`` as the context instance in the relevant
+             views. If you are using generic views or contrib apps, you are
+             covered already.
+. Manually import and use the processor to generate the CSRF token and
+          add it to the template context. e.g.::
+              from django.contrib.csrf.context_processors import csrf
+              from django.template import Context
+              from django.shortcuts import render_to_response
+              def my_view(request):
+                  c = Context()
+                  c.update(csrf(request))
+                  return render_to_response("a_template.html", context_instance=c)
+. Ensure that any code in a view which could create a new session executes
+       **before** any templates containing a ``csrf_token`` tag are
+       rendered. Note that sessions can be created implicitly simply by setting
+       a value or accessing the contents.  If this is done after the template is
+       rendered, the CSRF token it contains could be incorrect, and the
+       following form submission will be rejected.
+Legacy method
+-------------
+In Django 1.0, the template tag did not exist.  Instead, a post-processing
+middleware that re-wrote POST forms to include the CRSF token was used.  If you
+are upgrading a site from version 1.0 or earlier, please read this section and
+the `Upgrading notes`_ below.  The post-processing middleware is still available
+as ``CsrfResponseMiddleware``, and it can be used by following these steps:
+. Follow step 1 above to install ``CsrfViewMiddleware``.
+. Add ``'django.contrib.csrf.middleware.CsrfResponseMiddleware'`` to your
+       :setting:`MIDDLEWARE_CLASSES` setting.
+       ``CsrfResponseMiddleware`` needs to process the response after the
+       ``SessionMiddleware``, so must come before it in the list.  It also must
+       process the response before things like compression happen to the
+       response, so it must come after ``GZipMiddleware`` in the list.
+Use of the ``CsrfResponseMiddleware`` is not recommended, but it can be used as
+an interim measure until applications have been updated to use the ``{%
+crsf_token %}`` tag.
+Django 1.0 provided a single ``CsrfMiddleware`` class.  This is also still
+available for backwards compatibility.  It combines the functions of the two new
+middleware.
+Upgrading notes
+---------------
+When upgrading to version 1.1 or later, you may have applications that rely on
+the old post-processing functionality for CSRF protection, or you may not have
+enabled any CSRF protection.  This section outlines the steps necessary for a
+smooth upgrade, without having to fix all the applications to use the new
+template tag method immediately.
+If you are using any of the contrib apps (such as the admin), there are some
+required steps for these applications to continue working. First, the CSRF
+application must be added to :setting:`INSTALLED_APPS` (See `How to use it`_
+above, step 2).  Second, the :setting:`TEMPLATE_CONTEXT_PROCESSORS` setting must
+be updated (step 4.1.1 above).
+If you have ``CsrfMiddleware`` in your :setting:`MIDDLEWARE_CLASSES`, you will now
+have a working installation with CSRF protection.  It is recommended at this
+point that you replace ``CsrfMiddleware`` with its two components,
+``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``.
+If you do not have any of the the middleware in your :setting:`MIDDLEWARE_CLASSES`,
+you will have a working installation but without any CSRF protection (just as
+you had before). It is recommended to install ``CsrfViewMiddleware`` and
+``CsrfResponseMiddleware``, but if you are not interested in having any CSRF
+protection, you can simply stop here.
+Assuming you have followed the above, all views in your Django site will now be
+protected by the ``CsrfViewMiddleware``.  Contrib apps meet the requirements
+imposed by the ``CsrfViewMiddleware`` using the template tag, and other
+applications in your project will meet its requirements by virtue of the
+``CsrfResponseMiddleware``.
+The next step is to update all your applications to use the template tag, as
+described in `How to use it`_, steps 3-5.  This can be done as soon as is
+practical. Any applications that are updated will now require Django 1.1 or
+later, since they will use the CSRF template tag library which was not available
+in earlier versions.
+Finally, once all applications are upgraded, the ``CsrfResponseMiddleware`` can
+be removed.
+While in the process of upgrading, the ``csrf_response_exempt`` decorator,
+described in `Exceptions`_, may be useful.  The post-processing middleware
+imposes a performance hit, and any views that have been upgraded to use the new
+template tag method no longer need it.  Using this decorator will allow you to
+avoid this performance hit.
 Exceptions
 ----------
 .. versionadded:: 1.1
 To manually exclude a view function from being handled by the
+CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in
 the ``django.contrib.csrf.middleware`` module. For example::
+To manually exclude a view function from being handled by either of the two CSRF
+middleware, you can use the ``csrf_exempt`` decorator, found in the
+``django.contrib.csrf.middleware`` module. For example::
     from django.contrib.csrf.middleware import csrf_exempt
 …
         return HttpResponse('Hello world')
     my_view = csrf_exempt(my_view)
 Like the middleware itself, the ``csrf_exempt`` decorator is composed
+of two parts: a ``csrf_view_exempt`` decorator and a
+``csrf_response_exempt`` decorator, found in the same module.  These
+disable the view protection mechanism (``CsrfViewMiddleware``) and the
+response post-processing (``CsrfResponseMiddleware``) respectively.
 They can be used individually if required.
+Like the middleware, the ``csrf_exempt`` decorator is composed of two parts: a
+``csrf_view_exempt`` decorator and a ``csrf_response_exempt`` decorator, found
+in the same module.  These disable the view protection mechanism
+(``CsrfViewMiddleware``) and the response post-processing
+(``CsrfResponseMiddleware``) respectively.  They can be used individually if
+required.
 You don't have to worry about doing this for most AJAX views. Any
+request sent with "X-Requested-With: XMLHttpRequest" is automatically
 exempt. (See the next section.)
+You don't have to worry about doing this for most AJAX views. Any request sent
+with "X-Requested-With: XMLHttpRequest" is automatically exempt. (See the next
+section.)
+Rejected requests
+=================
+By default, a '403 Forbidden' response is sent to the user if an incoming
+request fails the checks performed by ``CsrfViewMiddleware``.  This should
+usually only be seen when there is a genuine Cross Site Request Forgery, or
+when, due to a programming error, the CSRF token has not been included with a
+POST form.
+No logging is done, and the error message is not very friendly, so you may want
+to provide your own page for handling this condition.  To do this, simply set
+the :setting:`CSRF_FAILURE_VIEW` setting to a dotted path to your own view
+function.
 How it works
 ============
 CsrfMiddleware does two things:
+The CSRF protection requires two things:
+. It modifies outgoing requests by adding a hidden form field to all
+   'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is
+   a hash of the session ID plus a secret. If there is no session ID set,
+   this modification of the response isn't done, so there is very little
+   performance penalty for those requests that don't have a session.
+   (This is done by ``CsrfResponseMiddleware``).
+. A hidden form field with the name 'csrfmiddlewaretoken' must be added to all
+   outgoing POST forms.  The value of this field is a hash of the session ID
+   plus a secret. If there is no session ID set, this modification of the
+   response isn't done, so there is very little performance penalty for those
+   requests that don't have a session.
+. On all incoming POST requests that have the session cookie set, it
+   checks that the 'csrfmiddlewaretoken' is present and correct. If it
+   isn't, the user will get a 403 error. (This is done by
+   ``CsrfViewMiddleware``)
+   This part is done by the template tag (and with the legacy method, it is done
+   by ``CsrfResponseMiddleware``).
+This ensures that only forms that have originated from your Web site
+can be used to POST data back.
+. On all incoming POST requests that have the session cookie set, the
+   'csrfmiddlewaretoken' must be present and correct. If it isn't, the user will
+   get a 403 error.
+   This check is done by ``CsrfViewMiddleware``.
+This ensures that only forms that have originated from your Web site can be used
+to POST data back.
 It deliberately only targets HTTP POST requests (and the corresponding POST
 forms). GET requests ought never to have any potentially dangerous side
+effects (see `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`_), and so a
 CSRF attack with a GET request ought to be harmless.
+forms). GET requests ought never to have any potentially dangerous side effects
+(see `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`_), and so a CSRF attack with a GET
+request ought to be harmless.
 POST requests that are not accompanied by a session cookie are not protected,
 but they do not need to be protected, since the 'attacking' Web site
 could make these kind of requests anyway.
+but they do not need to be protected, since the 'attacking' Web site could make
+these kind of requests anyway.
+The Content-Type is checked before modifying the response, and only
+pages that are served as 'text/html' or 'application/xml+xhtml'
+are modified.
+The Content-Type is checked before modifying the response, and only pages that
+are served as 'text/html' or 'application/xml+xhtml' are modified.
 The middleware tries to be smart about requests that come in via AJAX. Many
 JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header;
 …
 Limitations
 ===========
+CsrfMiddleware requires Django's session framework to work. If you have
+a custom authentication system that manually sets cookies and the like,
 it won't help you.
+These middleware require Django's session framework to work. If you have a
+custom authentication system that manually sets cookies and the like, it won't
+help you.
 If your app creates HTML pages and forms in some unusual way, (e.g.
+it sends fragments of HTML in JavaScript document.write statements)
+you might bypass the filter that adds the hidden field to the form,
+in which case form submission will always fail.  It may still be possible
 to use the middleware, provided you can find some way to get the
+If you are using ``CsrfResponseMiddleware`` and your app creates HTML pages and
+forms in some unusual way, (e.g.  it sends fragments of HTML in JavaScript
+document.write statements) you might bypass the filter that adds the hidden
+field to the form, in which case form submission will always fail.  It may still
+be possible to use the middleware, provided you can find some way to get the
 CSRF token and ensure that is included when your form is submitted.

docs/ref/settings.txt

 .. setting:: DATABASE_ENGINE
+CSRF_FAILURE_VIEW
+-----------------
+Default: ``'django.contrib.csrf.views.csrf_failure'``
+The name of the view function to be used when an incoming request
+is rejected by the CSRF protection. See :ref:`ref-contrib-csrf`.
+CSRF_SALT
+---------
+Some additional 'salt' used by the CSRF middleware when hashing, to
+avoid a potential security problem.  Does not need to be changed.  See
+source for more details.
 DATABASE_ENGINE
 ---------------
 …
     ('django.middleware.common.CommonMiddleware',
      'django.contrib.sessions.middleware.SessionMiddleware',
+     'django.contrib.csrf.middleware.CsrfViewMiddleware',
      'django.contrib.auth.middleware.AuthenticationMiddleware',)
 A tuple of middleware classes to use. See :ref:`topics-http-middleware`.

Download in other formats:

Original Format

Issues

Context Navigation

Ticket #9977: csrf_template_tag_18.diff

Download in other formats: