Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

[1.2.X] Patch CSRF-protection system to deal with reported security i…

…ssue. Announcement and details to follow. Backport of [13698] from trunk.

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
1 parent a04398e commit 7f84657b6b2243cc787bdb9f296710c8d13ad0bd @ubernostrum ubernostrum committed
6 django/middleware/
@@ -13,6 +13,7 @@
from django.core.urlresolvers import get_callable
from django.utils.cache import patch_vary_headers
from django.utils.hashcompat import md5_constructor
+from django.utils.html import escape
from django.utils.safestring import mark_safe
@@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id):
def get_token(request):
- Returns the the CSRF token required for a POST form.
+ Returns the the CSRF token required for a POST form. No assumptions should
+ be made about what characters might be in the CSRF token.
A side effect of calling this function is to make the the csrf_protect
decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
@@ -233,7 +235,7 @@ def add_csrf_field(match):
"""Returns the matched <form> tag plus the added <input> element"""
return mark_safe( + "<div style='display:none;'>" + \
"<input type='hidden' " + + \
- " name='csrfmiddlewaretoken' value='" + csrf_token + \
+ " name='csrfmiddlewaretoken' value='" + escape(csrf_token) + \
"' /></div>")
# Modify any POST forms
3  django/template/
@@ -9,6 +9,7 @@
from django.template import get_library, Library, InvalidTemplateLibrary
from django.template.smartif import IfParser, Literal
from django.conf import settings
+from django.utils.html import escape
from django.utils.encoding import smart_str, smart_unicode
from django.utils.safestring import mark_safe
@@ -42,7 +43,7 @@ def render(self, context):
if csrf_token == 'NOTPROVIDED':
return mark_safe(u"")
- return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
+ return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))
# It's very probable that the token is missing because of
# misconfiguration, so we raise a warning
7 tests/regressiontests/csrf_tests/
@@ -6,6 +6,7 @@
from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
from django.core.context_processors import csrf
from django.contrib.sessions.middleware import SessionMiddleware
+from django.utils.html import escape
from django.utils.importlib import import_module
from django.conf import settings
from django.template import RequestContext, Template
@@ -56,7 +57,9 @@ def is_secure(self):
return getattr(self, '_is_secure', False)
class CsrfMiddlewareTest(TestCase):
- _csrf_id = "1"
+ # The csrf token is potentially from an untrusted source, so could have
+ # characters that need escaping
+ _csrf_id = "<1>"
# This is a valid session token for this ID and secret key. This was generated using
# the old code that we're to be backwards-compatible with. Don't use the CSRF code
@@ -101,7 +104,7 @@ def _get_POST_session_request_no_token(self):
return req
def _check_token_present(self, response, csrf_id=None):
- self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))
+ self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % escape(csrf_id or self._csrf_id))
# Check the post processing and outgoing cookie
def test_process_response_no_csrf_cookie(self):

0 comments on commit 7f84657

Please sign in to comment.
Something went wrong with that request. Please try again.