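--- a/PATH_NOT_SHOWN_ON_PAGE_cache_middleware
+++ b/PATH_NOT_SHOWN_ON_PAGE_cache_middleware
@@ -47,7 +47,8 @@
 
 from django.conf import settings
 from django.core.cache import caches, DEFAULT_CACHE_ALIAS
-from django.utils.cache import get_cache_key, learn_cache_key, patch_response_headers, get_max_age
+from django.utils.cache import (get_cache_key, get_max_age, has_vary_header,
+                                learn_cache_key, patch_response_headers)
 from django.utils.deprecation import RemovedInDjango18Warning
 
 
@@ -91,8 +92,15 @@ def process_response(self, request, response):
         if not self._should_update_cache(request, response):
             # We don't need to update the cache, just return.
             return response
+
         if response.streaming or response.status_code != 200:
             return response
+
+        # Don't cache responses that set a user-specific (and maybe security
+        # sensitive) cookie in response to a cookie-less request.
+        if not request.COOKIES and response.cookies and has_vary_header(response, 'Cookie'):
+            return response
+
         # Try to get the timeout from the "max-age" section of the "Cache-
         # Control" header before reverting to using the default cache_timeout
         # length.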
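Review bot: The new guard at new line 101 bypasses the cache only when all three conditions hold, so a response that sets a cookie on a cookie-less request but does not carry `Vary: Cookie` is still stored and served to every later cookie-less request. If that is deliberate (only cookie setters that also patch Vary are treated as user-specific), the comment should state the assumption, e.g. `# Only responses that also vary on Cookie are treated as user-specific here; a Set-Cookie without Vary: Cookie is still cached.`; otherwise the `has_vary_header` clause is the part to reconsider. The check also applies only when `request.COOKIES` is empty, so a request that already carries an unrelated cookie is not covered by this path and presumably relies on Vary-based keying instead, which is worth a sentence in the same comment. process_response continues outside the hunk.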
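--- a/PATH_NOT_SHOWN_ON_PAGE_cache_tests
+++ b/PATH_NOT_SHOWN_ON_PAGE_cache_tests
@@ -18,11 +18,13 @@
 from django.core import management
 from django.core.cache import (cache, caches, CacheKeyWarning,
                                InvalidCacheBackendError, DEFAULT_CACHE_ALIAS)
+from django.core.context_processors import csrf
 from django.db import connection, router, transaction
 from django.core.cache.utils import make_template_fragment_key
 from django.http import HttpResponse, StreamingHttpResponse
 from django.middleware.cache import (FetchFromCacheMiddleware,
                                      UpdateCacheMiddleware, CacheMiddleware)
+from django.middleware.csrf import CsrfViewMiddleware
 from django.template import Template
 from django.template.response import TemplateResponse
 from django.test import TestCase, TransactionTestCase, RequestFactory, override_settings
@@ -1739,6 +1741,10 @@ def hello_world_view(request, value):
     return HttpResponse('Hello World %s' % value)
 
 
+def csrf_view(request):
+    return HttpResponse(csrf(request)['csrf_token'])
+
+
 @override_settings(
     CACHE_MIDDLEWARE_ALIAS='other',
     CACHE_MIDDLEWARE_KEY_PREFIX='middlewareprefix',
@@ -1958,6 +1964,27 @@ def test_view_decorator(self):
         response = other_with_prefix_view(request, '16')
         self.assertEqual(response.content, b'Hello World 16')
 
+    def test_sensitive_cookie_not_cached(self):
+        """
+        Django must prevent caching of responses that set a user-specific (and
+        maybe security sensitive) cookie in response to a cookie-less request.
+        """
+        csrf_middleware = CsrfViewMiddleware()
+        cache_middleware = CacheMiddleware()
+
+        request = self.factory.get('/view/')
+        self.assertIsNone(cache_middleware.process_request(request))
+
+        csrf_middleware.process_view(request, csrf_view, (), {})
+
+        response = csrf_view(request)
+
+        response = csrf_middleware.process_response(request, response)
+        response = cache_middleware.process_response(request, response)
+
+        # Inserting a CSRF cookie in a cookie-less request prevented caching.
+        self.assertIsNone(cache_middleware.process_request(request))
+
 
 @override_settings(
     CACHE_MIDDLEWARE_KEY_PREFIX='settingsprefix',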
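Review bot: test_sensitive_cookie_not_cached (new lines 1967-1986) asserts only the negative outcome, so a regression that stopped the middleware from caching anything would still pass; a control case is missing. Before the CSRF path, run a cookie-free response through the same middleware (for example `response = cache_middleware.process_response(request, hello_world_view(request, '1'))` using the helper visible in the previous hunk's context) and assert that a following `cache_middleware.process_request(request)` returns a non-None hit, so the final `assertIsNone` is shown to be caused by the cookie rather than by caching being off. The test also relies on the same `request` still being cookie-less after `process_view`; a one-line comment stating that assumption would help the next reader. The enclosing test class starts outside the hunk.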