Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed CsrfMiddleware post processing so that it in the presence of mu…

…ltiple

POST <form>s, only one <input> tag is added with an id, for HTML validity.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@2900 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 5c0e4f3908d7782939b4a16af3d3be9f07d5504b 1 parent c26553c
@spookylukey spookylukey authored
Showing with 16 additions and 8 deletions.
  1. +16 −8 django/contrib/csrf/middleware.py
View
24 django/contrib/csrf/middleware.py
@@ -9,6 +9,7 @@
from django.http import HttpResponseForbidden
import md5
import re
+import itertools
_ERROR_MSG = "<h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p>"
@@ -19,7 +20,7 @@
def _make_token(session_id):
return md5.new(settings.SECRET_KEY + session_id).hexdigest()
-
+
class CsrfMiddleware(object):
"""Django middleware that adds protection against Cross Site
Request Forgeries by adding hidden form fields to POST forms and
@@ -57,7 +58,7 @@ def process_request(self, request):
return HttpResponseForbidden(_ERROR_MSG)
return None
-
+
def process_response(self, request, response):
csrf_token = None
try:
@@ -74,11 +75,18 @@ def process_response(self, request, response):
pass
if csrf_token is not None and \
- response['Content-Type'].split(';')[0] in _HTML_TYPES:
-
+ response['Content-Type'].split(';')[0] in _HTML_TYPES:
+
+ # ensure we don't add the 'id' attribute twice (HTML validity)
+ idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),
+ itertools.repeat(''))
+ def add_csrf_field(match):
+ """Returns the matched <form> tag plus the added <input> element"""
+ return match.group() + "<div style='display:none;'>" + \
+ "<input type='hidden' " + idattributes.next() + \
+ " name='csrfmiddlewaretoken' value='" + csrf_token + \
+ "' /></div>"
+
# Modify any POST forms
- extra_field = "<div style='display:none;'>" + \
- "<input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='" + \
- csrf_token + "' /></div>"
- response.content = _POST_FORM_RE.sub('\\1' + extra_field, response.content)
+ response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
return response
Please sign in to comment.
Something went wrong with that request. Please try again.