encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-07-27 08:29:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

added setting and code to turn off extra CSRF checking for unsafe actions

Browse Source
This commit is contained in:
Rick Yazwinski 2013-01-17 15:56:16 -05:00
parent e429f702e0
commit d2e12c293b
1 changed files with 22 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
rest_framework/compat.py
View File

@ -290,24 +290,30 @@ else:
) )
return self._reject(request, REASON_NO_CSRF_COOKIE) return self._reject(request, REASON_NO_CSRF_COOKIE)
# check non-cookie token for match if hasattr(settings, 'REST_FRAMEWORK_EXTRA_CSRF'):
request_csrf_token = "" extra_csrf = settings.REST_FRAMEWORK_EXTRA_CSRF
if request.method == "POST": else:
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '') extra_csrf = True
if request_csrf_token == "": if extra_csrf:
# Fall back to X-CSRFToken, to make things easier for AJAX, # check non-cookie token for match
# and possible for PUT/DELETE request_csrf_token = ""
request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '') if request.method == "POST":
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
if not constant_time_compare(request_csrf_token, csrf_token): if request_csrf_token == "":
logger.warning('Forbidden (%s): %s' % (REASON_BAD_TOKEN, request.path), # Fall back to X-CSRFToken, to make things easier for AJAX,
extra={ # and possible for PUT/DELETE
'status_code': 403, request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
'request': request,
} if not constant_time_compare(request_csrf_token, csrf_token):
) logger.warning('Forbidden (%s): %s' % (REASON_BAD_TOKEN, request.path),
return self._reject(request, REASON_BAD_TOKEN) extra={
'status_code': 403,
'request': request,
}
)
return self._reject(request, REASON_BAD_TOKEN)
return self._accept(request) return self._accept(request)