diff --git a/django/views/csrf.py b/django/views/csrf.py
index c95d19d..ba9c0b5 100644
| 1 | from django.conf import settings |
1 | 2 | from django.http import HttpResponseForbidden |
2 | 3 | from django.template import Context, Template |
3 | | from django.conf import settings |
| 4 | from django.utils.translation import ugettext as _ |
4 | 5 | |
5 | 6 | # We include the template inline since we need to be able to reliably display |
6 | 7 | # this error message, especially for the sake of developers, and there isn't any |
7 | 8 | # other way of making it available independent of what is in the settings file. |
| 9 | # Only the text appearing with DEBUG=False is translated. |
8 | 10 | |
9 | 11 | CSRF_FAILURE_TEMPLATE = """ |
10 | 12 | <!DOCTYPE html> |
… |
… |
CSRF_FAILURE_TEMPLATE = """
|
20 | 22 | body { font:small sans-serif; background:#eee; } |
21 | 23 | body>div { border-bottom:1px solid #ddd; } |
22 | 24 | h1 { font-weight:normal; margin-bottom:.4em; } |
23 | | h1 span { font-size:60%; color:#666; font-weight:normal; } |
| 25 | h1 span { font-size:60%%; color:#666; font-weight:normal; } |
24 | 26 | #info { background:#f6f6f6; } |
25 | 27 | #info ul { margin: 0.5em 4em; } |
26 | 28 | #info p, #summary p { padding-top:10px; } |
… |
… |
CSRF_FAILURE_TEMPLATE = """
|
30 | 32 | </head> |
31 | 33 | <body> |
32 | 34 | <div id="summary"> |
33 | | <h1>Forbidden <span>(403)</span></h1> |
34 | | <p>CSRF verification failed. Request aborted.</p> |
35 | | {% if no_referer %} |
36 | | <p>You are seeing this message because this HTTPS site requires a 'Referer |
37 | | header' to be sent by your Web browser, but none was sent. This header is |
38 | | required for security reasons, to ensure that your browser is not being |
39 | | hijacked by third parties.</p> |
| 35 | <h1>%(title)s <span>(403)</span></h1> |
| 36 | <p>%(main)s</p> |
| 37 | {%% if no_referer %%} |
| 38 | <p>%(no_referer1)s</p> |
40 | 39 | |
41 | | <p>If you have configured your browser to disable 'Referer' headers, please |
42 | | re-enable them, at least for this site, or for HTTPS connections, or for |
43 | | 'same-origin' requests.</p> |
44 | | {% endif %} |
| 40 | <p>%(no_referer2)s</p> |
| 41 | {%% endif %%} |
45 | 42 | </div> |
46 | | {% if DEBUG %} |
| 43 | {%% if DEBUG %%} |
47 | 44 | <div id="info"> |
48 | 45 | <h2>Help</h2> |
49 | | {% if reason %} |
| 46 | {%% if reason %%} |
50 | 47 | <p>Reason given for failure:</p> |
51 | 48 | <pre> |
52 | 49 | {{ reason }} |
53 | 50 | </pre> |
54 | | {% endif %} |
| 51 | {%% endif %%} |
55 | 52 | |
56 | 53 | <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when |
57 | 54 | <a |
… |
… |
CSRF_FAILURE_TEMPLATE = """
|
66 | 63 | href='http://docs.djangoproject.com/en/dev/ref/templates/api/#subclassing-context-requestcontext'><code>RequestContext</code></a> |
67 | 64 | for the template, instead of <code>Context</code>.</li> |
68 | 65 | |
69 | | <li>In the template, there is a <code>{% templatetag openblock %} csrf_token |
70 | | {% templatetag closeblock %}</code> template tag inside each POST form that |
| 66 | <li>In the template, there is a <code>{%% templatetag openblock %%} csrf_token |
| 67 | {%% templatetag closeblock %%}</code> template tag inside each POST form that |
71 | 68 | targets an internal URL.</li> |
72 | 69 | |
73 | 70 | <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use |
… |
… |
CSRF_FAILURE_TEMPLATE = """
|
82 | 79 | |
83 | 80 | <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p> |
84 | 81 | </div> |
85 | | {% else %} |
| 82 | {%% else %%} |
86 | 83 | <div id="explanation"> |
87 | | <p><small>More information is available with DEBUG=True.</small></p> |
| 84 | <p><small>%(more)s</small></p> |
88 | 85 | </div> |
89 | | {% endif %} |
| 86 | {%% endif %%} |
90 | 87 | </body> |
91 | 88 | </html> |
92 | 89 | """ |
… |
… |
def csrf_failure(request, reason=""):
|
96 | 93 | Default view used when request fails CSRF protection |
97 | 94 | """ |
98 | 95 | from django.middleware.csrf import REASON_NO_REFERER |
99 | | t = Template(CSRF_FAILURE_TEMPLATE) |
| 96 | t = Template(CSRF_FAILURE_TEMPLATE % { |
| 97 | 'title': _("Forbidden"), |
| 98 | 'main': _("CSRF verification failed. Request aborted."), |
| 99 | 'no_referer1': _( |
| 100 | "You are seeing this message because this HTTPS site requires a 'Referer " |
| 101 | "header' to be sent by your Web browser, but none was sent. This header is " |
| 102 | "required for security reasons, to ensure that your browser is not being " |
| 103 | "hijacked by third parties."), |
| 104 | 'no_referer2': _( |
| 105 | "If you have configured your browser to disable 'Referer' headers, please " |
| 106 | "re-enable them, at least for this site, or for HTTPS connections, or for " |
| 107 | "'same-origin' requests."), |
| 108 | 'more': _("More information is available with DEBUG=True."), |
| 109 | }) |
100 | 110 | c = Context({'DEBUG': settings.DEBUG, |
101 | 111 | 'reason': reason, |
102 | 112 | 'no_referer': reason == REASON_NO_REFERER |