2015-05-26 22:46:13 +02:00
|
|
|
from django.http import HttpRequest
|
2020-02-25 14:16:19 +01:00
|
|
|
from django.middleware.csrf import _compare_masked_tokens as equivalent_tokens
|
2015-05-26 22:46:13 +02:00
|
|
|
from django.template.context_processors import csrf
|
|
|
|
from django.test import SimpleTestCase
|
|
|
|
|
|
|
|
|
|
|
|
class TestContextProcessor(SimpleTestCase):
|
|
|
|
|
2017-01-24 12:22:42 +01:00
|
|
|
def test_force_token_to_string(self):
|
2015-05-26 22:46:13 +02:00
|
|
|
request = HttpRequest()
|
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2015-11-07 17:35:45 +01:00
|
|
|
test_token = '1bcdefghij2bcdefghij3bcdefghij4bcdefghij5bcdefghij6bcdefghijABCD'
|
|
|
|
request.META['CSRF_COOKIE'] = test_token
|
2015-05-26 22:46:13 +02:00
|
|
|
token = csrf(request).get('csrf_token')
|
2017-01-24 12:22:42 +01:00
|
|
|
self.assertTrue(equivalent_tokens(str(token), test_token))
|