Changes between Initial Version and Version 1 of Ticket #32795, comment 1


Timestamp:
May 28, 2021, 9:27:00 PM (4 years ago)
Author:
Chris Jerdonek

  • Ticket #32795, comment 1

    Initial version:

    One way to implement this would be to change [https://github.com/django/django/blob/b746596f5f0e1fcac791b0f7c8bfc3d69dfef2ff/django/middleware/csrf.py#L109-L123 _sanitize_token()] to raise a new internal `InvalidTokenFormat` exception with an appropriate reason string if the token has the wrong length or contains invalid characters, instead of calling `_get_new_csrf_token()`. Then, the two places that call `_sanitize_token()` can handle the exception differently: (1) In `process_view()`, the request could be rejected using the exception's message. This is similar to how `process_view()` now handles `RejectRequest` exceptions raised by `_check_referer()`. (2) In `_get_token()`, the exception could be handled by calling `_get_new_csrf_token()`.

    Version 1:

    One way to implement this would be to change [https://github.com/django/django/blob/b746596f5f0e1fcac791b0f7c8bfc3d69dfef2ff/django/middleware/csrf.py#L109-L123 _sanitize_token()] to raise a new internal `InvalidTokenFormat` exception with an appropriate reason string if the token has the wrong length or contains invalid characters, instead of calling `_get_new_csrf_token()`. Then, the two places that call `_sanitize_token()` can handle the exception differently: (1) In `process_view()`, the request could be rejected using the exception's message. This is similar to how `process_view()` now handles `RejectRequest` exceptions raised by `_check_referer()`. (2) In `_get_token()`, the exception could be handled by calling `_get_new_csrf_token()` (`_sanitize_token()`'s current behavior).
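A standalone sketch of the refactor this comment proposes (an added example, not Django's middleware code and not a patch from the ticket): `_sanitize_token()` raises `InvalidTokenFormat` with a reason, `process_view()` turns that into a rejection, and `_get_token()` falls back to `_get_new_csrf_token()` as before. It assumes Django's token format (32-character secret, 64-character token, ASCII alphanumerics only), omits the secret-length backward-compatibility branch, and has `process_view()` return the rejection message in place of calling `_reject()`.

```python
import secrets
import string

# Assumed to match Django's constants; this is a standalone sketch,
# not the project's own code.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


class InvalidTokenFormat(Exception):
    """Internal signal from _sanitize_token(): the token is malformed; `reason` says how."""

    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


def _get_new_csrf_token():
    """Mint a fresh random token of the full (masked) length."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_TOKEN_LENGTH))


def _sanitize_token(token):
    """Validate the token's format only; raise instead of silently minting a replacement."""
    if any(ch not in CSRF_ALLOWED_CHARS for ch in token):
        raise InvalidTokenFormat("has invalid characters")
    if len(token) != CSRF_TOKEN_LENGTH:
        raise InvalidTokenFormat("has incorrect length")
    return token


def get_token(cookie_token):
    """The _get_token() path: a malformed cookie is replaced by a new token (old behaviour)."""
    try:
        return _sanitize_token(cookie_token)
    except InvalidTokenFormat:
        return _get_new_csrf_token()


def process_view(cookie_token):
    """The process_view() path: a malformed cookie now rejects the request with the reason.

    Returns None to let the view run, or the rejection message (a stand-in
    for calling _reject() with it, the way RejectRequest is handled).
    """
    try:
        _sanitize_token(cookie_token)
    except InvalidTokenFormat as exc:
        return f"CSRF cookie {exc.reason}."
    return None
```

The difference the comment is after is visible in the two callers: the same malformed cookie is silently replaced on the `get_token()` path but produces a specific rejection reason on the `process_view()` path, instead of a fresh token that then fails the later comparison with a less informative message.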