Changes between Initial Version and Version 1 of Ticket #32795, comment 1
- Timestamp:
- May 28, 2021, 9:27:00 PM (3 years ago)
Initial version:

One way to implement this would be to change [https://github.com/django/django/blob/b746596f5f0e1fcac791b0f7c8bfc3d69dfef2ff/django/middleware/csrf.py#L109-L123 _sanitize_token()] to raise a new internal `InvalidTokenFormat` exception with an appropriate reason string if the token has the wrong length or contains invalid characters, instead of calling `_get_new_csrf_token()`. Then, the two places that call `_sanitize_token()` can handle the exception differently: (1) In `process_view()`, the request could be rejected using the exception's message. This is similar to how `process_view()` now handles `RejectRequest` exceptions raised by `_check_referer()`. (2) In `_get_token()`, the exception could be handled by calling `_get_new_csrf_token()`.

Version 1:

One way to implement this would be to change [https://github.com/django/django/blob/b746596f5f0e1fcac791b0f7c8bfc3d69dfef2ff/django/middleware/csrf.py#L109-L123 _sanitize_token()] to raise a new internal `InvalidTokenFormat` exception with an appropriate reason string if the token has the wrong length or contains invalid characters, instead of calling `_get_new_csrf_token()`. Then, the two places that call `_sanitize_token()` can handle the exception differently: (1) In `process_view()`, the request could be rejected using the exception's message. This is similar to how `process_view()` now handles `RejectRequest` exceptions raised by `_check_referer()`. (2) In `_get_token()`, the exception could be handled by calling `_get_new_csrf_token()` (`_sanitize_token()`'s current behavior).
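The split described in the comment, as an added illustration that is not Django's own code: `_sanitize_token()` raises `InvalidTokenFormat` with a reason, `process_view()` turns that reason into a rejection, and `get_token()` falls back to a fresh token. The simplified callers, their return values and the token-format constants are assumptions for this sketch.

```python
import secrets
import string

# Assumed token format for this sketch: alphanumeric, 64 chars (or a 32-char legacy secret).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


class InvalidTokenFormat(Exception):
    """Raised when a CSRF token has the wrong length or contains invalid characters."""

    def __init__(self, reason):
        self.reason = reason
        super().__init__(reason)


def _get_new_csrf_token():
    # Stand-in for Django's helper: a fresh token drawn from the allowed alphabet.
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_TOKEN_LENGTH))


def _sanitize_token(token):
    # Proposed behaviour: report *why* the token is malformed instead of silently replacing it.
    if len(token) not in (CSRF_TOKEN_LENGTH, CSRF_SECRET_LENGTH):
        raise InvalidTokenFormat("CSRF token has incorrect length")
    if any(c not in CSRF_ALLOWED_CHARS for c in token):
        raise InvalidTokenFormat("CSRF token has invalid characters")
    return token


def get_token(cookie_token):
    # Caller (2): a malformed cookie just means "issue a new token", as before.
    try:
        return _sanitize_token(cookie_token)
    except InvalidTokenFormat:
        return _get_new_csrf_token()


def process_view(cookie_token):
    # Caller (1): a malformed cookie rejects the request, surfacing the reason
    # the same way a RejectRequest from the referer check would.
    try:
        _sanitize_token(cookie_token)
    except InvalidTokenFormat as exc:
        return (403, "CSRF verification failed: %s" % exc.reason)
    return (200, "OK")
```

The reason string reaches the rejected response (and any logging around it), while the cookie-refresh path keeps the old regenerate-on-garbage behaviour.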