Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#34695 closed Bug (worksforme)

security.E101 false positive with class-based views

Reported by: Anthony Sottile
Owned by: nobody
Component: Core (System checks)
Version: 4.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

minimal example

from django.views import View

class MyView(View):
    # Class-based view whose dispatch() takes the CSRF failure arguments
    def dispatch(self, request, reason=''):
        ...

view = MyView.as_view()

Though this appears to work at runtime (at least in unsupported Django 2.2, which is what I'm trying to upgrade from), the framework gives an error:

ERRORS:
?: (security.E101) The CSRF failure view 'myview.view' does not take the correct number of arguments.

the reason stems from the use of inspect.signature on the view:

>>> sig = inspect.signature(view)
>>> sig
<Signature (self, request, reason='')>
>>> sig.bind(None, reason=None)
Traceback (most recent call last):
  File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/code.py", line 90, in runcode
    exec(code, self.locals)
  File "<console>", line 1, in <module>
  File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/inspect.py", line 3037, in bind
    return self._bind(args, kwargs)
  File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/inspect.py", line 2952, in _bind
    raise TypeError(msg) from None
TypeError: missing a required argument: 'request'

https://github.com/django/django/blob/649262a406168709686f97694493aa1f717c6c96/django/core/checks/security/csrf.py#L60
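
The signature mismatch in the traceback above can be reproduced with the standard library alone. This is an added example, not part of the ticket or of Django's code: `MyView` is a plain class here, `wrapped_view` and `plain_view` are hypothetical stand-ins for the callable a class-based view exposes, and `functools.update_wrapper` is assumed as the source of the `__wrapped__` attribute.

```python
import functools
import inspect


def accepts_csrf_failure_call(view):
    """Same bind as in the ticket: one positional argument plus reason=."""
    try:
        inspect.signature(view).bind(None, reason=None)
    except TypeError:
        return False
    return True


class MyView:  # constructed stand-in, no Django import needed
    def dispatch(self, request, reason=""):
        return "rejected: %s" % reason


def wrapped_view(request, *args, **kwargs):
    return MyView().dispatch(request, *args, **kwargs)


# update_wrapper() always sets __wrapped__, and inspect.signature() follows
# it, so the reported signature is the unbound method's, "self" included.
functools.update_wrapper(wrapped_view, MyView.dispatch, assigned=())


def plain_view(request, *args, **kwargs):
    # Identical body, but no __wrapped__: the real signature is inspected.
    return MyView().dispatch(request, *args, **kwargs)


def report(view):
    """Return (signature as text, whether the check's bind succeeds)."""
    return str(inspect.signature(view)), accepts_csrf_failure_call(view)


if __name__ == "__main__":
    for v in (wrapped_view, plain_view):
        print(v.__name__, *report(v))
    # Both callables accept the real call; only the introspection differs.
    print(wrapped_view(None, reason="x"), plain_view(None, reason="x"))
```

Both callables handle `view(request, reason=...)` at runtime, so a signature-based check can fail on a callable that would have worked.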

Change History (5)

comment:1 by Anthony Sottile, 17 months ago

Component: Uncategorized → Core (System checks)
Type: Uncategorized → Bug

comment:2 by Mariusz Felisiak, 17 months ago

As far as I'm aware, CSRF_FAILURE_VIEW doesn't support class-based views, at least officially, check out docs:

"A dotted path to the view function to be used when an incoming request is rejected by the CSRF protection. The function should have this signature:"


comment:3 by Mariusz Felisiak, 17 months ago

Resolution: → worksforme
Status: new → closed

Also, it works for me with Django 4.2 and on the current main branch. I've checked with Python 3.8 and 3.10.

comment:4 by Mariusz Felisiak, 17 months ago

Check out PR.

comment:5 by GitHub <noreply@…>, 17 months ago

In c7276a9c:

Refs #34695 -- Added tests for check for CSRF_FAILURE_VIEW signature with valid class-based view.
