Ticket #9172: django-1.0.2-csrf-test-client.patch

File django-1.0.2-csrf-test-client.patch, 3.6 KB (added by Markus Bertheau, 16 years ago)

Updated patch for 1.0.2

  • django/contrib/csrf/middleware.py

    diff --git a/django/contrib/csrf/middleware.py b/django/contrib/csrf/middleware.py
    index 24c1511..8a9fac5 100644
    a b from django.http import HttpResponseForbidden  
    1313from django.utils.hashcompat import md5_constructor
    1414from django.utils.safestring import mark_safe
    1515
     16CSRF_TOKEN_NAME = 'csrfmiddlewaretoken'
     17
    1618_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
    1719
    1820_POST_FORM_RE = \
    class CsrfMiddleware(object):  
    5254            csrf_token = _make_token(session_id)
    5355            # check incoming token
    5456            try:
    55                 request_csrf_token = request.POST['csrfmiddlewaretoken']
     57                request_csrf_token = request.POST[CSRF_TOKEN_NAME]
    5658            except KeyError:
    5759                return HttpResponseForbidden(_ERROR_MSG)
    5860
    class CsrfMiddleware(object):  
    8082                response['Content-Type'].split(';')[0] in _HTML_TYPES:
    8183
    8284            # ensure we don't add the 'id' attribute twice (HTML validity)
    83             idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),
     85            idattributes = itertools.chain(("id='%s'" % (CSRF_TOKEN_NAME,),),
    8486                                            itertools.repeat(''))
    8587            def add_csrf_field(match):
    8688                """Returns the matched <form> tag plus the added <input> element"""
    8789                return mark_safe(match.group() + "<div style='display:none;'>" + \
    8890                "<input type='hidden' " + idattributes.next() + \
    89                 " name='csrfmiddlewaretoken' value='" + csrf_token + \
     91                " name='" + CSRF_TOKEN_NAME + "' value='" + csrf_token + \
    9092                "' /></div>")
    9193
    9294            # Modify any POST forms
  • django/test/client.py

    diff --git a/django/test/client.py b/django/test/client.py
    index ecc3a1c..2fb3f42 100644
    a b from django.utils.functional import curry  
    1818from django.utils.encoding import smart_str
    1919from django.utils.http import urlencode
    2020from django.utils.itercompat import is_iterable
     21from django.contrib.csrf.middleware import CSRF_TOKEN_NAME, _make_token
    2122
    2223BOUNDARY = 'BoUnDaRyStRiNg'
    2324MULTIPART_CONTENT = 'multipart/form-data; boundary=%s' % BOUNDARY
    class Client(object):  
    275276        """
    276277        Requests a response from the server using POST.
    277278        """
     279        if ('django.contrib.csrf.middleware.CsrfMiddleware' in
     280            settings.MIDDLEWARE_CLASSES and
     281            hasattr(self.session, 'session_key')):
     282            data[CSRF_TOKEN_NAME] = _make_token(self.session.session_key)
     283
    278284        if content_type is MULTIPART_CONTENT:
    279285            post_data = encode_multipart(BOUNDARY, data)
    280286        else:
  • docs/ref/contrib/csrf.txt

    diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
    index cf0fe8a..71467bf 100644
    a b it sends fragments of HTML in JavaScript document.write statements)  
    7373you might bypass the filter that adds the hidden field to the form,
    7474in which case form submission will always fail.  It may still be possible
    7575to use the middleware, provided you can find some way to get the
    76 CSRF token and ensure that is included when your form is submitted.
    77  No newline at end of file
     76CSRF token and ensure that is included when your form is submitted.
     77
     78Testing
     79=======
     80
     81The :mod:`Django test client <django.test.client>` automatically
     82bypasses CsrfMiddleware, for easier testing of POST requests.
Back to Top