#32843 closed Cleanup/optimization (fixed)
Some CSRF tests leave request.method set to None
| Reported by: | Chris Jerdonek | Owned by: | Chris Jerdonek |
|---|---|---|---|
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I noticed that for some CSRF tests, request.method is None when the test thinks it should be GET. This causes CsrfViewMiddleware.process_view() to take a different code path and treat the request as unsafe because the method isn't in its allowed list:
https://github.com/django/django/blob/316cc34d046ad86e100227772294f906fae1c2e5/django/middleware/csrf.py#L338-L339
The cause for this is that neither implementation of _get_GET_csrf_cookie_request() sets req.method. See here and here.
The tests affected are:
csrf_tests.tests.CsrfViewMiddlewareTests.test_get_token_for_requires_csrf_token_viewcsrf_tests.tests.CsrfViewMiddlewareTests.test_token_node_with_csrf_cookiecsrf_tests.tests.CsrfViewMiddlewareUseSessionsTests.test_get_token_for_requires_csrf_token_viewcsrf_tests.tests.CsrfViewMiddlewareUseSessionsTests.test_token_node_with_csrf_cookie
Fortunately, the tests still pass when request.method is set to GET.
Change History (8)
comment:1 by , 4 years ago
| Summary: | Some CSRF tests don't set request.method → Some CSRF tests leave request.method set to None |
|---|
comment:2 by , 4 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 4 years ago
Before submitting a fix for this ticket, I will wait until after this PR is merged: https://github.com/django/django/pull/14485
(There are a few more minor clean-ups / refactorings to the CSRF tests I'd like to do in conjunction with this fix.)
OK, nice. Good spot.