Fix CSRF cookie check failure when using session auth with django 1.11.6+ (#6113)

Test included. Fixes #6088
Craig de Stigter 2018-08-07 19:18:56 +12:00 committed by Tom Christie
parent 2fab7838ef
commit 81fa4b4f75
2 changed files with 25 additions and 1 deletions


@ -135,7 +135,10 @@ class SessionAuthentication(BaseAuthentication):
""" """
Enforce CSRF validation for session based authentication. Enforce CSRF validation for session based authentication.
""" """
reason = CSRFCheck().process_view(request, None, (), {}) check = CSRFCheck()
# populates request.META['CSRF_COOKIE'], which is used in process_view()
check.process_request(request)
reason = check.process_view(request, None, (), {})
if reason: if reason:
# CSRF failed, bail with explicit error message # CSRF failed, bail with explicit error message
raise exceptions.PermissionDenied('CSRF Failed: %s' % reason) raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
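Review bot: The new `check.process_request(request)` line relies on `CsrfViewMiddleware.process_request` existing and reading `request.META`/`request.COOKIES`, but the method being patched (`enforce_csrf`) starts above the hunk, so neither the concrete type of `request` nor the supported Django range is visible here. If any Django version this code still supports lacks `process_request`, the call raises `AttributeError` rather than a `PermissionDenied`, which is worth a compatibility note next to the existing comment. If the caller always hands in the underlying Django `HttpRequest` (rather than the DRF `Request` wrapper), the docstring should say so, e.g. `request must be the underlying Django HttpRequest; CSRFCheck reads request.META and request.COOKIES directly`. Since the check is fail-closed on a missing cookie, this fix restores enforcement rather than loosening it, which is the right direction for the change.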


@ -5,6 +5,7 @@ from __future__ import unicode_literals
import base64 import base64
import pytest import pytest
from django.conf import settings
from django.conf.urls import include, url from django.conf.urls import include, url
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.db import models from django.db import models
@ -202,6 +203,26 @@ class SessionAuthTests(TestCase):
response = self.csrf_client.post('/session/', {'example': 'example'}) response = self.csrf_client.post('/session/', {'example': 'example'})
assert response.status_code == status.HTTP_403_FORBIDDEN assert response.status_code == status.HTTP_403_FORBIDDEN
def test_post_form_session_auth_passing_csrf(self):
"""
Ensure POSTing form over session authentication with CSRF token succeeds.
Regression test for #6088
"""
from django.middleware.csrf import _get_new_csrf_token
self.csrf_client.login(username=self.username, password=self.password)
# Set the csrf_token cookie so that CsrfViewMiddleware._get_token() works
token = _get_new_csrf_token()
self.csrf_client.cookies[settings.CSRF_COOKIE_NAME] = token
# Post the token matching the cookie value
response = self.csrf_client.post('/session/', {
'example': 'example',
'csrfmiddlewaretoken': token,
})
assert response.status_code == status.HTTP_200_OK
def test_post_form_session_auth_passing(self): def test_post_form_session_auth_passing(self):
""" """
Ensure POSTing form over session authentication with logged in Ensure POSTing form over session authentication with logged in
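Review bot: `test_post_form_session_auth_passing_csrf` covers only the matching-token case; now that `process_request` populates `request.META['CSRF_COOKIE']`, nothing in the hunk pins down that a cookie paired with a non-matching form token is still rejected, which is the fail-open regression the fix could mask. A companion test that sets the cookie to one `_get_new_csrf_token()` value and submits a different one, expecting `status.HTTP_403_FORBIDDEN`, closes that gap. `_get_new_csrf_token` is a private Django helper, so the import is version-fragile; the docstring could note `relies on Django's private _get_new_csrf_token; revisit if the CSRF internals change`. The enclosing `SessionAuthTests` class continues past the hunk.
```python
    def test_post_form_session_auth_csrf_mismatch_rejected(self):
        """
        A CSRF cookie whose secret does not match the submitted token must
        still be rejected, even though the cookie itself is present.
        """
        from django.middleware.csrf import _get_new_csrf_token
        self.csrf_client.login(username=self.username, password=self.password)
        self.csrf_client.cookies[settings.CSRF_COOKIE_NAME] = _get_new_csrf_token()
        response = self.csrf_client.post('/session/', {
            'example': 'example',
            'csrfmiddlewaretoken': _get_new_csrf_token(),
        })
        assert response.status_code == status.HTTP_403_FORBIDDEN
```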