Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

[1.2.X] Patch CSRF-protection system to deal with reported security i…

…ssue. Announcement and details to follow. Backport of [13698] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@13699 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 7f84657b6b2243cc787bdb9f296710c8d13ad0bd 1 parent a04398e
James Bennett authored September 09, 2010
6  django/middleware/csrf.py
@@ -13,6 +13,7 @@
13 13
 from django.core.urlresolvers import get_callable
14 14
 from django.utils.cache import patch_vary_headers
15 15
 from django.utils.hashcompat import md5_constructor
  16
+from django.utils.html import escape
16 17
 from django.utils.safestring import mark_safe
17 18
 
18 19
 _POST_FORM_RE = \
@@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id):
52 53
 
53 54
 def get_token(request):
54 55
     """
55  
-    Returns the the CSRF token required for a POST form.
  56
+    Returns the the CSRF token required for a POST form. No assumptions should
  57
+    be made about what characters might be in the CSRF token.
56 58
 
57 59
     A side effect of calling this function is to make the the csrf_protect
58 60
     decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
@@ -233,7 +235,7 @@ def add_csrf_field(match):
233 235
                 """Returns the matched <form> tag plus the added <input> element"""
234 236
                 return mark_safe(match.group() + "<div style='display:none;'>" + \
235 237
                 "<input type='hidden' " + idattributes.next() + \
236  
-                " name='csrfmiddlewaretoken' value='" + csrf_token + \
  238
+                " name='csrfmiddlewaretoken' value='" + escape(csrf_token) + \
237 239
                 "' /></div>")
238 240
 
239 241
             # Modify any POST forms
3  django/template/defaulttags.py
@@ -9,6 +9,7 @@
9 9
 from django.template import get_library, Library, InvalidTemplateLibrary
10 10
 from django.template.smartif import IfParser, Literal
11 11
 from django.conf import settings
  12
+from django.utils.html import escape
12 13
 from django.utils.encoding import smart_str, smart_unicode
13 14
 from django.utils.safestring import mark_safe
14 15
 
@@ -42,7 +43,7 @@ def render(self, context):
42 43
             if csrf_token == 'NOTPROVIDED':
43 44
                 return mark_safe(u"")
44 45
             else:
45  
-                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
  46
+                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))
46 47
         else:
47 48
             # It's very probable that the token is missing because of
48 49
             # misconfiguration, so we raise a warning
7  tests/regressiontests/csrf_tests/tests.py
@@ -6,6 +6,7 @@
6 6
 from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
7 7
 from django.core.context_processors import csrf
8 8
 from django.contrib.sessions.middleware import SessionMiddleware
  9
+from django.utils.html import escape
9 10
 from django.utils.importlib import import_module
10 11
 from django.conf import settings
11 12
 from django.template import RequestContext, Template
@@ -56,7 +57,9 @@ def is_secure(self):
56 57
         return getattr(self, '_is_secure', False)
57 58
 
58 59
 class CsrfMiddlewareTest(TestCase):
59  
-    _csrf_id = "1"
  60
+    # The csrf token is potentially from an untrusted source, so could have
  61
+    # characters that need escaping
  62
+    _csrf_id = "<1>"
60 63
 
61 64
     # This is a valid session token for this ID and secret key.  This was generated using
62 65
     # the old code that we're to be backwards-compatible with.  Don't use the CSRF code
@@ -101,7 +104,7 @@ def _get_POST_session_request_no_token(self):
101 104
         return req
102 105
 
103 106
     def _check_token_present(self, response, csrf_id=None):
104  
-        self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))
  107
+        self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % escape(csrf_id or self._csrf_id))
105 108
 
106 109
     # Check the post processing and outgoing cookie
107 110
     def test_process_response_no_csrf_cookie(self):

0 notes on commit 7f84657

Please sign in to comment.
Something went wrong with that request. Please try again.