Fixed #9163 - CsrfMiddleware needs to reset ETag header

Thanks to carljm for report and patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit a02a6fab66afc9462c79cc4914f4624b640165f4 1 parent c44fdf6
Luke Plant authored October 24, 2009
8  django/contrib/csrf/middleware.py
@@ -101,7 +101,13 @@ def add_csrf_field(match):
101 101
                 "' /></div>")
102 102
 
103 103
             # Modify any POST forms
104  
-            response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
  104
+            response.content, n = _POST_FORM_RE.subn(add_csrf_field, response.content)
  105
+            if n > 0:
  106
+                # Since the content has been modified, any Etag will now be
  107
+                # incorrect.  We could recalculate, but only is we assume that
  108
+                # the Etag was set by CommonMiddleware. The safest thing is just
  109
+                # to delete. See bug #9163
  110
+                del response['ETag']
105 111
         return response
106 112
 
107 113
 class CsrfMiddleware(CsrfViewMiddleware, CsrfResponseMiddleware):
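Review bot: The added `del response['ETag']` runs whenever `n > 0`, and nothing in this hunk shows that the header is present at that point. Please confirm that deleting an absent header on the response object is a no-op, or guard it with `if response.has_header('ETag'):`, since a response reaching this middleware before any ETag is set is the normal case under the ordering the docs recommend. The comment above it also has a typo ("but only is we assume" should read "but only if we assume"), and no test for the new behaviour is among the visible hunks. One that asserts the header is gone after a POST form is rewritten, and left intact when `n == 0`, would pin this down.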
12  docs/ref/contrib/csrf.txt
@@ -22,12 +22,12 @@ middleware into your list of installed middleware.
22 22
 How to use it
23 23
 =============
24 24
 
25  
-Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
26  
-your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
27  
-the response after the SessionMiddleware, so must come before it in the
28  
-list. It also must process the response before things like compression
29  
-happen to the response, so it must come after GZipMiddleware in the
30  
-list.
  25
+Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to your
  26
+list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
  27
+the response after the SessionMiddleware, so must come before it in the list. It
  28
+also must process the response before things like compression or setting of
  29
+ETags happen to the response, so it must come after GZipMiddleware,
  30
+CommonMiddleware and ConditionalGetMiddleware in the list.
31 31
 
32 32
 The ``CsrfMiddleware`` class is actually composed of two middleware:
33 33
 ``CsrfViewMiddleware`` which performs the checks on incoming requests,
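Review bot: The rewritten paragraph states the ordering rule only as "must come after GZipMiddleware, CommonMiddleware and ConditionalGetMiddleware in the list", which depends on the reader already knowing that response processing runs in the reverse of list order. The "process after, so must come before" and "process before, so must come after" pairs are easy to misread. A single sentence stating that response middleware is applied bottom to top, or a short sample `MIDDLEWARE_CLASSES` listing, would remove the ambiguity. The paragraph also does not mention the fallback added in middleware.py in this same commit: if the ordering is wrong and an ETag has already been set, the header is dropped when a form is rewritten. That is worth stating so that users who lose ETags know where to look.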
