Opened 3 years ago

Closed 3 years ago

#32817 closed Cleanup/optimization (fixed)

Include in CsrfViewMiddleware's bad CSRF token message where the token is from

Reported by: Chris Jerdonek
Owned by: Chris Jerdonek
Component: CSRF
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Chris Jerdonek)

Currently, if CsrfViewMiddleware encounters a bad CSRF token, it will reject the request with a message like--

  • "CSRF token incorrect"
  • "CSRF token has incorrect length"

I noticed that it would be relatively easy to include in these messages whether the token was obtained from POST data or a custom header, which would be useful for troubleshooting. The messages are specified here in the code. The new messages could look e.g. like--

  • "CSRF token (from POST) incorrect"
  • "CSRF token (from 'X-CSRFToken' header) has incorrect length"

The changes to CsrfViewMiddlewareTestMixin proposed in #32800 would make these cases easy to test.

Change History (9)

comment:1 by Chris Jerdonek, 3 years ago

Description: modified (diff)

comment:2 by Mariusz Felisiak, 3 years ago

Triage Stage: Unreviewed → Accepted

comment:3 by Chris Jerdonek, 3 years ago

Owner: changed from nobody to Chris Jerdonek
Status: new → assigned

comment:5 by Mariusz Felisiak, 3 years ago

Triage Stage: Accepted → Ready for checkin

comment:6 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 999402f:

Refs #32817 -- Combined the bad-or-missing CSRF token tests.

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 6837bd68:

Refs #32817 -- Added post_token/meta_token/token_header arguments to _get_POST_csrf_cookie_request().

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 1a284afb:

Refs #32817 -- Added tests for bad CSRF token provided via X-CSRFToken or custom header.

comment:9 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

Resolution: fixed
Status: assigned → closed

In fcb7565:

Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token error messages.
