Fixed #9163 - CsrfMiddleware needs to reset ETag header

Thanks to carljm for report and patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit a02a6fab66afc9462c79cc4914f4624b640165f4 1 parent c44fdf6
@spookylukey spookylukey authored
Showing with 13 additions and 7 deletions.
  1. +7 −1 django/contrib/csrf/middleware.py
  2. +6 −6 docs/ref/contrib/csrf.txt
8 django/contrib/csrf/middleware.py
@@ -101,7 +101,13 @@ def add_csrf_field(match):
"' /></div>")
# Modify any POST forms
- response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
+ response.content, n = _POST_FORM_RE.subn(add_csrf_field, response.content)
+ if n > 0:
+ # Since the content has been modified, any Etag will now be
+ # incorrect. We could recalculate, but only is we assume that
+ # the Etag was set by CommonMiddleware. The safest thing is just
+ # to delete. See bug #9163
+ del response['ETag']
return response
class CsrfMiddleware(CsrfViewMiddleware, CsrfResponseMiddleware):
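Review bot: `del response['ETag']` in the new `if n > 0:` branch runs whether or not the response actually carries an ETag header, so it relies on header deletion being a no-op when the header is absent; if that is not guaranteed, check for the header before deleting it. The added comment has a typo ("only is we assume" should read "only if we assume"). Neither of the two files changed in this commit is a test, so a regression test that passes a response with both an ETag and a POST form through the middleware and asserts the header is gone would lock in the fix for #9163.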
12 docs/ref/contrib/csrf.txt
@@ -22,12 +22,12 @@ middleware into your list of installed middleware.
How to use it
=============
-Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
-your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
-the response after the SessionMiddleware, so must come before it in the
-list. It also must process the response before things like compression
-happen to the response, so it must come after GZipMiddleware in the
-list.
+Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to your
+list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
+the response after the SessionMiddleware, so must come before it in the list. It
+also must process the response before things like compression or setting of
+ETags happen to the response, so it must come after GZipMiddleware,
+CommonMiddleware and ConditionalGetMiddleware in the list.
The ``CsrfMiddleware`` class is actually composed of two middleware:
``CsrfViewMiddleware`` which performs the checks on incoming requests,
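Review bot: the reworded paragraph adds CommonMiddleware and ConditionalGetMiddleware to the ordering requirement but never mentions the behaviour this commit introduces, namely that the middleware deletes any existing ETag when it rewrites a form. Suggest adding one sentence saying so, so that a reader who has the order wrong understands why responses with forms lose their ETag. The paired phrasing "process the response after ..., so must come before it" and "process the response before ..., so it must come after" would also read more easily with a short reminder that response middleware is applied in reverse list order.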