Arthur de Jong

Open Source / Free Software developer

path: root/django/middleware/csrf.py
Commit log, newest first. Each entry: subject and message; author, date, files changed, lines removed/added.
* Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
  Matt Robenolt, 2015-09-16, 1 file changed, -6/+29
  Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
* Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
  Joshua Kehn, 2015-09-05, 1 file changed, -4/+9
  Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
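The two commits above describe the HTTPS Referer policy: a secure request is accepted only if its Referer is itself HTTPS and names the request host, a host covered by CSRF_COOKIE_DOMAIN, or a host listed in CSRF_TRUSTED_ORIGINS. The following is an added illustration of that policy, not Django's own middleware code; the function names, the reason strings and the sample requests are assumptions made here.

```python
"""Added illustration of the HTTPS Referer policy described in the #24496 and
#25334 commits. This is not Django's middleware code: the function names, the
reason strings and the sample requests are assumptions made here."""
from urllib.parse import urlsplit

# Hypothetical rejection reasons (named in the style of the middleware's messages).
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def is_same_domain(host, pattern):
    """True if host equals pattern, or, when pattern starts with a dot, host is
    that domain or any subdomain of it: ".example.com" matches "example.com"
    and "app.example.com" but not "notexample.com"."""
    if not pattern:
        return False
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def check_referer(referer, request_host, cookie_domain=None, trusted_origins=()):
    """Decide whether an unsafe (POST/PUT/DELETE/...) request received over HTTPS
    may proceed, returning (accepted, reason).

    referer         -- the Referer header, or None if the browser sent none
    request_host    -- the Host the request was sent to ("host" or "host:port")
    cookie_domain   -- CSRF_COOKIE_DOMAIN, if the cookie is scoped to a parent domain
    trusted_origins -- CSRF_TRUSTED_ORIGINS: extra hostnames that may submit forms;
                       a leading dot means the domain and all its subdomains
    """
    if referer is None:
        return False, REASON_NO_REFERER
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return False, REASON_MALFORMED_REFERER
    # An HTTPS page must not accept a Referer that an active network attacker
    # could have produced from a plain-HTTP page.
    if parts.scheme != "https":
        return False, REASON_INSECURE_REFERER

    if cookie_domain:
        # Every host that can read the cookie must be allowed to submit it, so
        # the accepted domain is the cookie's, with the request's non-default
        # port carried over (IPv6 literals are out of scope for this sketch).
        port = request_host.split(":")[1] if ":" in request_host else "443"
        good_referer = cookie_domain if port == "443" else "%s:%s" % (cookie_domain, port)
    else:
        # Without a cookie domain only the exact request host may submit.
        good_referer = request_host

    good_hosts = list(trusted_origins) + [good_referer]
    if any(is_same_domain(parts.netloc, host) for host in good_hosts):
        return True, None
    return False, REASON_BAD_REFERER % referer


# Constructed sample requests: (referer, host, cookie_domain, trusted_origins, expected).
SAMPLES = [
    ("https://example.com/form", "example.com", None, (), True),
    ("http://example.com/form", "example.com", None, (), False),
    (None, "example.com", None, (), False),
    ("https://evil.test/", "example.com", None, (), False),
    ("https://app.example.com/", "www.example.com", None, (), False),
    ("https://app.example.com/", "www.example.com", ".example.com", (), True),
    ("https://notexample.com/", "www.example.com", ".example.com", (), False),
    ("https://partner.test/", "example.com", None, ("partner.test",), True),
    ("https://sub.partner.test/", "example.com", None, (".partner.test",), True),
]


def run_samples():
    """Return the sample rows whose verdict disagrees with the expectation."""
    return [s for s in SAMPLES if check_referer(*s[:4])[0] != s[4]]


if __name__ == "__main__":
    for referer, host, domain, origins, _ in SAMPLES:
        print(referer, "->", check_referer(referer, host, domain, origins))
```

Note that the trusted origins here are bare hostnames, as the commit describes; the check only ever runs for HTTPS requests, which is why no scheme is stored alongside them. Setting CSRF_COOKIE_DOMAIN to a parent domain widens the set of acceptable submitters to every subdomain, so any subdomain that could be taken over or that hosts user content becomes a CSRF risk for the whole domain.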
* Fixed #24696 -- Made CSRF_COOKIE computation lazy.
  Jay Cox, 2015-05-03, 1 file changed, -11/+4
  Only compute the CSRF_COOKIE when it is actually used. This is a significant speedup for clients not using cookies.
  Changed result of the “test_token_node_no_csrf_cookie” test: It gets a valid CSRF token now which seems like the correct behavior.
  Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to use get_token() to trigger CSRF cookie inclusion instead of changing request.META["CSRF_COOKIE_USED"] directly.
* Fixed #21495 -- Added settings.CSRF_HEADER_NAME
  Grzegorz Slusarek, 2015-03-05, 1 file changed, -1/+1
* Sorted imports with isort; refs #23860.
  Tim Graham, 2015-02-06, 1 file changed, -2/+1
* Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
  Claude Paroz, 2015-01-06, 1 file changed, -1/+5
  Thanks codeitloadit for the report, living180 for investigations and Tim Graham for the review.
* Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.
  Tim Graham, 2014-06-25, 1 file changed, -1/+9
  Thanks Walter Doekes.
* Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
  Roger Hu, 2014-03-06, 1 file changed, -1/+1
  Thanks Paul McMillan for the review.
* Fixed flake8 E251 violations
  Milton Mazzarri, 2013-11-03, 1 file changed, -1/+1
* More attacking E302 violators
  Alex Gaynor, 2013-11-02, 1 file changed, -0/+1
* Fixed #21324 -- Translate CSRF failure view
  Bouke Haarsma, 2013-11-02, 1 file changed, -3/+2
  Thanks to Claude Paroz for the original patch.
* Fixed bug causing CSRF token not to rotate on login.
  Tim Graham, 2013-10-18, 1 file changed, -1/+4
  Thanks Gavin McQuillan for the report.
* Removed several unused imports.
  Aymeric Augustin, 2013-06-19, 1 file changed, -2/+0
* Rotate CSRF token on login
  Andrew Godwin, 2013-05-24, 1 file changed, -0/+8
* Fixed #19436 -- Don't log warnings in ensure_csrf_cookie.
  Olivier Sels, 2013-05-18, 1 file changed, -27/+7
* Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
  Aymeric Augustin, 2013-02-07, 1 file changed, -1/+2
  Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
* Fixed typos in docs and comments
  Tim Graham, 2013-01-29, 1 file changed, -2/+2
* Imported getLogger directly from logging module
  Claude Paroz, 2012-09-20, 1 file changed, -2/+3
  This was a remainder of some 2.4 compatibility code.
* fixed rfc comment typo in middleware/csrf.py
  Collin Anderson, 2012-09-10, 1 file changed, -1/+1
* [py3] Made csrf context processor return Unicode
  Claude Paroz, 2012-08-13, 1 file changed, -3/+4
* Documentation (and some small source code) edits from [17432] - [17537]
  Adrian Holovaty, 2012-02-17, 1 file changed, -12/+12
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@17540 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixes #16827. Adds a length check to CSRF tokens before applying the sanitizing regex.
  Paul McMillan, 2012-02-11, 1 file changed, -25/+27
  Thanks to jedie for the report and zsiciarz for the initial patch.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@17500 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #17358 -- Updated logging calls to use official syntax for arguments instead of string interpolation.
  Jannis Leidel, 2012-02-09, 1 file changed, -4/+4
  Thanks, spulec.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@17480 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests
  Luke Plant, 2011-05-10, 1 file changed, -4/+9
  Thanks to brodie for the report, and further input from tow21
  This is a potentially backwards incompatible change - if you were doing PUT/DELETE requests and relying on the lack of protection, you will need to update your code, as noted in the release notes.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie
  Luke Plant, 2011-05-10, 1 file changed, -2/+6
  Thanks to cfattarsi for the report and initial patch.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs
  Luke Plant, 2011-03-30, 1 file changed, -91/+0
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Removed Django 1.1 fallback for CSRF checks.
  Luke Plant, 2011-03-30, 1 file changed, -52/+23
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@15948 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Removed a bunch more Python 2.4 workarounds now that we don't support that version.
  Adrian Holovaty, 2011-03-28, 1 file changed, -4/+3
  Refs #15702 -- thanks to jonash for the patch.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@15927 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #15617 - CSRF referer checking too strict
  Luke Plant, 2011-03-15, 1 file changed, -3/+3
  Thanks to adam for the report.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Corrected logging call in CSRF middleware
  Luke Plant, 2011-02-22, 1 file changed, -1/+1
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@15623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.
  Alex Gaynor, 2011-02-09, 1 file changed, -25/+5
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #14565 - No csrf_token on 404 page.
  Luke Plant, 2010-10-28, 1 file changed, -16/+20
  This solution doesn't have the negative side-effects of [14356].
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
  Luke Plant, 2010-10-14, 1 file changed, -2/+3
  All ad hoc MAC applications have been updated to use HMAC, using SHA1 to generate unique keys for each application based on the SECRET_KEY, which is common practice for this situation. In all cases, backwards compatibility with existing hashes has been maintained, aiming to phase this out as per the normal deprecation process. In this way, under most normal circumstances the old hashes will have expired (e.g. by session expiration etc.) before they become invalid.
  In the case of the messages framework and the cookie backend, which was already using HMAC, there is the possibility of a backwards incompatibility if the SECRET_KEY is shorter than the default 50 bytes, but the low likelihood and low impact meant compatibility code was not worth it.
  All known instances where tokens/hashes were compared using simple string equality, which could potentially open timing based attacks, have also been fixed using a constant-time comparison function.
  There are no known practical attacks against the existing implementations, so these security improvements will not be backported.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
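The #14445 commit above describes two changes: deriving a distinct key per application from SECRET_KEY and using HMAC instead of an ad hoc hash, and replacing string equality on tokens with a constant-time comparison. The block below is an added illustration of both, not Django's own code; the function names, the sample secret and the instrumented naive comparison are assumptions made here.

```python
"""Added illustration of the #14445 approach: derive a per-application key from
SECRET_KEY with a salt, MAC values with HMAC instead of an ad hoc hash, and
compare MACs in constant time. This is not Django's own code; the function
names and the sample secret are assumptions made here."""
import hashlib
import hmac

# Constructed sample secret; a real deployment would use settings.SECRET_KEY.
SECRET_KEY = "constructed-sample-secret-key-do-not-deploy"


def legacy_mac(value, secret=SECRET_KEY):
    """The ad hoc style the commit moves away from: sha1(secret + value).
    It is not a proper MAC (this construction is open to length extension)
    and every caller shares the same key material."""
    return hashlib.sha1((secret + value).encode()).hexdigest()


def salted_hmac(key_salt, value, secret=SECRET_KEY):
    """Per-application key: sha1(key_salt + secret) feeds HMAC-SHA1 over value.
    Distinct salts (e.g. one per framework component) give unrelated keys."""
    key = hashlib.sha1((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha1)


def naive_compare(a, b):
    """Short-circuiting equality, instrumented to return how many characters
    were examined. The count, and therefore the running time, grows with the
    length of the matching prefix, which is what a timing attack measures."""
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return len(a) == len(b), steps


def constant_time_compare(a, b):
    """Compare two digests without leaking the position of the first mismatch."""
    return hmac.compare_digest(a.encode(), b.encode())


def sign(key_salt, value):
    """Append an HMAC so the value can be handed to a client and checked later."""
    return "%s:%s" % (value, salted_hmac(key_salt, value).hexdigest())


def verify(key_salt, signed):
    """Return the original value if its MAC verifies under this salt, else None."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        return None
    expected = salted_hmac(key_salt, value).hexdigest()
    return value if constant_time_compare(mac, expected) else None


if __name__ == "__main__":
    token = sign("django.contrib.messages", "status=ok")
    print(token)
    print("verifies:", verify("django.contrib.messages", token))
    print("wrong salt:", verify("django.contrib.sessions", token))
    print("naive compare steps:", naive_compare("deadbeef", "deadc0de"))
```

The salt is what keeps one component's MACs from being replayed against another: a value signed for the messages framework does not verify under the sessions salt even though both derive from the same SECRET_KEY. The verifier always computes the expected MAC and then compares in constant time, so neither the branch taken nor the time spent depends on how much of a forged MAC happened to be right.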
* Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
  Russell Keith-Magee, 2010-10-11, 1 file changed, -1/+1
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #14406 -- Added a Python 2.4 compatibility to the logging interface.
  Russell Keith-Magee, 2010-10-06, 1 file changed, -2/+2
  Thanks to Łukasz Rekucki for the report, and to Luke Plant for original patch this was based on.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@13989 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #12012 -- Added support for logging.
  Russell Keith-Magee, 2010-10-04, 1 file changed, -2/+35
  Thanks to Vinay Sajip for his draft patch, and to the many people who gave feedback during development of the patch.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@13981 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #14235 - UnicodeDecodeError in CSRF middleware
  Luke Plant, 2010-09-11, 1 file changed, -5/+18
  Thanks to jbg for the report.
  This changeset essentially backs out [13698] in favour of a method that sanitizes the token rather than escaping it.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
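The #14235 commit above (sanitize the token rather than escape it) and the #16827 commit earlier in this log (check the length before applying the sanitizing regex) both concern the same routine. The block below is an added illustration of that routine, not Django's own code; the function names, the 32-character token length and the sample cookie values are assumptions made here.

```python
"""Added illustration of the token sanitization described in the #14235 and
#16827 commits: decode the raw cookie leniently so it cannot raise
UnicodeDecodeError, refuse over-long input before the regex runs, strip
everything outside [a-zA-Z0-9], and fall back to a fresh token. Not Django's
own code; the names and the 32-character token length are assumptions."""
import re
import secrets
import string

CSRF_KEY_LENGTH = 32  # assumed length of a freshly generated token
_ALPHABET = string.ascii_letters + string.digits
_NOT_ALNUM = re.compile(r"[^a-zA-Z0-9]+")


def get_new_csrf_key():
    """A fresh random token drawn from the alphabet the sanitizer permits."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(CSRF_KEY_LENGTH))


def sanitize_token(token, new_token=get_new_csrf_key):
    """Return a token safe to embed in templates, or a replacement if the
    input is unusable. ``new_token`` is injectable so tests can be deterministic."""
    if isinstance(token, bytes):
        # Lenient decoding (#14235): undecodable bytes become U+FFFD, which the
        # regex below strips, instead of raising UnicodeDecodeError.
        token = token.decode("utf-8", "replace")
    if len(token) > CSRF_KEY_LENGTH:
        # Length check before the regex (#16827): a client can send a huge
        # cookie, and the work done must not scale with its size.
        return new_token()
    token = _NOT_ALNUM.sub("", token)
    if token == "":
        # e.g. a cookie truncated to nothing, or consisting only of junk
        return new_token()
    return token


# Constructed sample cookie values as the middleware might receive them.
SAMPLE_COOKIES = [
    "aB3dEf9HiJkLmNoPqRsTuVwXyZ012345",   # well-formed, exactly 32 characters
    "ab<script>c",                         # HTML metacharacters stripped, not escaped
    b"\xff\xfeabc",                        # not valid UTF-8
    "x" * 100000,                          # over-long, rejected without regex work
    "",                                    # empty
]


def sanitize_all(cookies=SAMPLE_COOKIES, new_token=get_new_csrf_key):
    """Sanitize each sample cookie; used by the demo and by tests."""
    return [sanitize_token(c, new_token) for c in cookies]


if __name__ == "__main__":
    for raw, clean in zip(SAMPLE_COOKIES, sanitize_all()):
        print(repr(raw)[:40], "->", clean)
```

Two caveats a practitioner should keep in mind. Sanitizing only makes the value safe to embed and bounds the work done on attacker-controlled input; it is not the CSRF check itself, which still compares the form or header token against the cookie token. And, as in the commits it illustrates, a token that survives sanitization shorter than 32 characters is returned rather than rejected; a stricter policy would treat any length other than CSRF_KEY_LENGTH as unusable and issue a fresh token.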
* Patch CSRF-protection system to deal with reported security issue.
  James Bennett, 2010-09-09, 1 file changed, -2/+4
  Announcement and details to follow.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Added explanatory note on CSRF failure page for the case of a missing Referer header.
  Luke Plant, 2010-09-03, 1 file changed, -6/+18
  This is intended to help power users who have disabled Referer headers, or installed add-ons which have done so, and to help web site administrators with debugging, since this problem will be browser specific and not a programming error.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@13680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Added proper code comments for the HTTPS CSRF protection.
  Luke Plant, 2010-07-01, 1 file changed, -2/+16
  Refs #13489 which noticed a vague comment - thanks pmclanahan
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@13405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt
  Luke Plant, 2010-06-08, 1 file changed, -3/+5
  This was a regression caused by the CSRF changes in 1.2. Thanks to edevil for the report.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Misc clarifications in csrf middleware comments
  Luke Plant, 2009-10-27, 1 file changed, -6/+9
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Slight change to CSRF error messages to make debugging easier.
  Luke Plant, 2009-10-27, 1 file changed, -2/+6
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@11669 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Removed unused import.
  Luke Plant, 2009-10-27, 1 file changed, -4/+0
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@11664 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Moved contrib.csrf.* to core code.
  Luke Plant, 2009-10-27, 1 file changed, -0/+262
  There is stub code for backwards compatibility with Django 1.1 imports. The documentation has been updated, but has been left in docs/contrib/csrf.txt for now, in order to avoid dead links to documentation on the website.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37