Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#32843 closed Cleanup/optimization (fixed)

Some CSRF tests leave request.method set to None

Reported by: Chris Jerdonek Owned by: Chris Jerdonek
Component: CSRF Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I noticed that for some CSRF tests, request.method is None when the test thinks it should be GET. This causes CsrfViewMiddleware.process_view() to take a different code path and treat the request as unsafe because the method isn't in its allowed list:
https://github.com/django/django/blob/316cc34d046ad86e100227772294f906fae1c2e5/django/middleware/csrf.py#L338-L339

The cause for this is that neither implementation of _get_GET_csrf_cookie_request() sets req.method. See here and here.

The tests affected are:

  • csrf_tests.tests.CsrfViewMiddlewareTests.test_get_token_for_requires_csrf_token_view
  • csrf_tests.tests.CsrfViewMiddlewareTests.test_token_node_with_csrf_cookie
  • csrf_tests.tests.CsrfViewMiddlewareUseSessionsTests.test_get_token_for_requires_csrf_token_view
  • csrf_tests.tests.CsrfViewMiddlewareUseSessionsTests.test_token_node_with_csrf_cookie

Fortunately, the tests still pass when request.method is set to GET.

Change History (8)

comment:1 by Chris Jerdonek, 4 years ago

Summary: Some CSRF tests don't set request.methodSome CSRF tests leave request.method set to None

comment:2 by Carlton Gibson, 4 years ago

Triage Stage: UnreviewedAccepted

OK, nice. Good spot.

comment:3 by Chris Jerdonek, 3 years ago

Before submitting a fix for this ticket, I will wait until after this PR is merged: https://github.com/django/django/pull/14485

(There are a few more minor clean-ups / refactorings to the CSRF tests I'd like to do in conjunction with this fix.)

comment:5 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

Resolution: fixed
Status: assignedclosed

In 4397d2bd:

Fixed #32843 -- Ensured the CSRF tests' _get_GET_csrf_cookie_request() sets the request method.

comment:6 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 6bccb643:

Refs #32843 -- Moved _get_GET_csrf_cookie_request() to CsrfViewMiddlewareTestMixin.

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In c8439d1:

Refs #32843 -- Added method/cookie arguments to CsrfViewMiddlewareTestMixin._get_request().

This also removes unnecessary test hooks.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 594d6e94:

Refs #32843 -- Added CsrfViewMiddlewareTestMixin._get_csrf_cookie_request() hook.

Note: See TracTickets for help on using tickets.
Back to Top