Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Split CsrfMiddleware into two to make it more reusable.

Also converted it to be a view middleware instead of request,
as this allows more options.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@9553 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit c0f9e85fbe616a38255cd568fc5f2f0a870586ea 1 parent 01ec6d0
@spookylukey spookylukey authored
Showing with 41 additions and 21 deletions.
  1. +33 −18 django/contrib/csrf/middleware.py
  2. +8 −3 django/contrib/csrf/tests.py
View
51 django/contrib/csrf/middleware.py
@@ -23,25 +23,12 @@
def _make_token(session_id):
return md5_constructor(settings.SECRET_KEY + session_id).hexdigest()
-class CsrfMiddleware(object):
- """Django middleware that adds protection against Cross Site
- Request Forgeries by adding hidden form fields to POST forms and
- checking requests for the correct value.
-
- In the list of middlewares, SessionMiddleware is required, and must come
- after this middleware. CsrfMiddleWare must come after compression
- middleware.
-
- If a session ID cookie is present, it is hashed with the SECRET_KEY
- setting to create an authentication token. This token is added to all
- outgoing POST forms and is expected on all incoming POST requests that
- have a session ID cookie.
-
- If you are setting cookies directly, instead of using Django's session
- framework, this middleware will not work.
+class CsrfViewMiddleware(object):
"""
-
- def process_request(self, request):
+ Middleware that requires a present and correct csrfmiddlewaretoken
+ for POST requests that have an active session.
+ """
+ def process_view(self, request, callback, callback_args, callback_kwargs):
if request.method == 'POST':
try:
session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
@@ -61,6 +48,12 @@ def process_request(self, request):
return None
+class CsrfResponseMiddleware(object):
+ """
+ Middleware that post-processes a response to add a
+ csrfmiddlewaretoken if the response/request have an active
+ session.
+ """
def process_response(self, request, response):
csrf_token = None
try:
@@ -92,3 +85,25 @@ def add_csrf_field(match):
# Modify any POST forms
response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
return response
+
+class CsrfMiddleware(CsrfViewMiddleware, CsrfResponseMiddleware):
+ """Django middleware that adds protection against Cross Site
+ Request Forgeries by adding hidden form fields to POST forms and
+ checking requests for the correct value.
+
+ In the list of middlewares, SessionMiddleware is required, and
+ must come after this middleware. CsrfMiddleWare must come after
+ compression middleware.
+
+ If a session ID cookie is present, it is hashed with the
+ SECRET_KEY setting to create an authentication token. This token
+ is added to all outgoing POST forms and is expected on all
+ incoming POST requests that have a session ID cookie.
+
+ If you are setting cookies directly, instead of using Django's
+ session framework, this middleware will not work.
+
+ CsrfMiddleWare is composed of two middleware, CsrfViewMiddleware
+ and CsrfResponseMiddleware which can be used independently.
+ """
+ pass
View
11 django/contrib/csrf/tests.py
@@ -5,6 +5,7 @@
from django.contrib.csrf.middleware import CsrfMiddleware, _make_token
from django.conf import settings
+
class CsrfMiddlewareTest(TestCase):
_session_id = "1"
@@ -46,6 +47,10 @@ def _get_new_session_response(self):
def _check_token_present(self, response):
self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id))
+ def get_view(self):
+ def dummyview(request):
+ return self._get_post_form_response()
+
# Check the post processing
def test_process_response_no_session(self):
"""
@@ -86,7 +91,7 @@ def test_process_request_no_session(self):
to the incoming request.
"""
req = self._get_POST_no_session_request()
- req2 = CsrfMiddleware().process_request(req)
+ req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
self.assertEquals(None, req2)
def test_process_request_session_no_token(self):
@@ -94,7 +99,7 @@ def test_process_request_session_no_token(self):
Check that if a session is present but no token, we get a 'forbidden'
"""
req = self._get_POST_session_request()
- req2 = CsrfMiddleware().process_request(req)
+ req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
self.assertEquals(HttpResponseForbidden, req2.__class__)
def test_process_request_session_and_token(self):
@@ -102,5 +107,5 @@ def test_process_request_session_and_token(self):
Check that if a session is present and a token, the middleware lets it through
"""
req = self._get_POST_session_request_with_token()
- req2 = CsrfMiddleware().process_request(req)
+ req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
self.assertEquals(None, req2)
Please sign in to comment.
Something went wrong with that request. Please try again.