
[1.2.X] Patch CSRF-protection system to deal with reported security i… · django/django@7f84657 · GitHub

+11

-5

lines changed


@@ -13,6 +13,7 @@

13 13

from django.core.urlresolvers import get_callable

14 14

from django.utils.cache import patch_vary_headers

15 15

from django.utils.hashcompat import md5_constructor

16 +

from django.utils.html import escape

16 17

from django.utils.safestring import mark_safe

17 18 18 19

_POST_FORM_RE = \

@@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id):

52 53 53 54

def get_token(request):

54 55

"""

55 -

Returns the the CSRF token required for a POST form.

56 +

Returns the the CSRF token required for a POST form. No assumptions should

57 +

be made about what characters might be in the CSRF token.

56 58 57 59

A side effect of calling this function is to make the the csrf_protect

58 60

decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'

@@ -233,7 +235,7 @@ def add_csrf_field(match):

233 235

"""Returns the matched <form> tag plus the added <input> element"""

234 236

return mark_safe(match.group() + "<div style='display:none;'>" + \

235 237

"<input type='hidden' " + idattributes.next() + \

236 -

" name='csrfmiddlewaretoken' value='" + csrf_token + \

238 +

" name='csrfmiddlewaretoken' value='" + escape(csrf_token) + \

237 239

"' /></div>")

238 240 239 241

# Modify any POST forms
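Review bot: Escaping at the point of emission in add_csrf_field fixes this single-quoted value attribute, but it leaves the token itself unvalidated, so every present and future output site must remember the same `escape()` call; the get_token docstring (which appears to say the token originates from the CSRF cookie) now warns that no assumptions can be made about its characters, which is exactly the situation an allow-list at the read site would remove. Consider, as defense in depth, normalising the value where it is read from the cookie (for example dropping anything outside `[a-zA-Z0-9]` and issuing a fresh token if nothing remains) so a hostile cookie never reaches a template or the response-rewriting regex path at all; the cookie-reading code is not in this hunk, so this is a suggestion rather than an observation about it. A one-line comment above the new call, `# token is attacker-influenced (it comes back from the client); never emit it unescaped`, would also make the reason for the `escape()` visible to the next maintainer. The `def add_csrf_field(match)` line and the remainder of its enclosing function lie outside this hunk.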


@@ -9,6 +9,7 @@

9 9

from django.template import get_library, Library, InvalidTemplateLibrary

10 10

from django.template.smartif import IfParser, Literal

11 11

from django.conf import settings

12 +

from django.utils.html import escape

12 13

from django.utils.encoding import smart_str, smart_unicode

13 14

from django.utils.safestring import mark_safe

14 15

@@ -42,7 +43,7 @@ def render(self, context):

42 43

if csrf_token == 'NOTPROVIDED':

43 44

return mark_safe(u"")

44 45

else:

45 -

return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))

46 +

return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))

46 47

else:

47 48

# It's very probable that the token is missing because of

48 49

# misconfiguration, so we raise a warning
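Review bot: The hidden-input markup is now built in two separate places, here in the template tag and in the middleware's add_csrf_field (with slightly different markup, `display:none` versus `display:none;`), and each must independently remember to wrap the token in `escape()`; the bug this commit fixes was precisely one output site forgetting that. A single helper, e.g. `def _csrf_hidden_input(token): return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(token))`, called from both sites would make the escaping impossible to omit at one of them and keep the two outputs identical. The `%s` formatting into a single-quoted attribute is safe only because `escape()` also converts `'`; a short comment saying so, `# escape() handles the quote characters that would close the value attribute`, would stop someone from switching to a narrower escaper later. The `def render(self, context)` line and the surrounding else-branch lie outside this hunk.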


@@ -6,6 +6,7 @@

6 6

from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt

7 7

from django.core.context_processors import csrf

8 8

from django.contrib.sessions.middleware import SessionMiddleware

9 +

from django.utils.html import escape

9 10

from django.utils.importlib import import_module

10 11

from django.conf import settings

11 12

from django.template import RequestContext, Template

@@ -56,7 +57,9 @@ def is_secure(self):

56 57

return getattr(self, '_is_secure', False)

57 58 58 59

class CsrfMiddlewareTest(TestCase):

59 -

_csrf_id = "1"

60 +

# The csrf token is potentially from an untrusted source, so could have

61 +

# characters that need escaping

62 +

_csrf_id = "<1>"

60 63 61 64

# This is a valid session token for this ID and secret key. This was generated using

62 65

# the old code that we're to be backwards-compatible with. Don't use the CSRF code

@@ -101,7 +104,7 @@ def _get_POST_session_request_no_token(self):

101 104

return req

102 105 103 106

def _check_token_present(self, response, csrf_id=None):

104 -

self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))

107 +

self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % escape(csrf_id or self._csrf_id))

105 108 106 109

# Check the post processing and outgoing cookie

107 110

def test_process_response_no_csrf_cookie(self):
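Review bot: The new fixture `_csrf_id = "<1>"` exercises `<` and `>`, but not `'` or `&`, and `'` is the character that actually terminates the single-quoted `value='...'` attribute both output sites emit, so a regression to an escaper that handled only angle brackets would still pass this test. A value such as `"<1'&>"` would cover the attribute-breaking case; the comment a few lines below says the hard-coded legacy session token was generated for "this ID", so if that fixture is derived from `_csrf_id` it would need regenerating too, which I cannot confirm from this hunk. Independently of the fixture, `_check_token_present` only asserts the escaped form is present; adding `self.assertNotContains(response, "value='%s'" % (csrf_id or self._csrf_id))` would also catch an output path that emits the raw token alongside the escaped one.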


