#32843 closed Cleanup/optimization (fixed)
Some CSRF tests leave request.method set to None
Reported by: | Chris Jerdonek | Owned by: | Chris Jerdonek |
---|---|---|---|
Component: | CSRF | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I noticed that for some CSRF tests, request.method
is None
when the test thinks it should be GET
. This causes CsrfViewMiddleware.process_view()
to take a different code path and treat the request as unsafe because the method isn't in its allowed list:
https://github.com/django/django/blob/316cc34d046ad86e100227772294f906fae1c2e5/django/middleware/csrf.py#L338-L339
The cause for this is that neither implementation of _get_GET_csrf_cookie_request()
sets req.method
. See here and here.
The tests affected are:
csrf_tests.tests.CsrfViewMiddlewareTests.test_get_token_for_requires_csrf_token_view
csrf_tests.tests.CsrfViewMiddlewareTests.test_token_node_with_csrf_cookie
csrf_tests.tests.CsrfViewMiddlewareUseSessionsTests.test_get_token_for_requires_csrf_token_view
csrf_tests.tests.CsrfViewMiddlewareUseSessionsTests.test_token_node_with_csrf_cookie
Fortunately, the tests still pass when request.method
is set to GET
.
Change History (8)
comment:1 by , 4 years ago
Summary: | Some CSRF tests don't set request.method → Some CSRF tests leave request.method set to None |
---|
comment:2 by , 4 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:3 by , 3 years ago
Before submitting a fix for this ticket, I will wait until after this PR is merged: https://github.com/django/django/pull/14485
(There are a few more minor clean-ups / refactorings to the CSRF tests I'd like to do in conjunction with this fix.)
OK, nice. Good spot.