summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris Jerdonek <chris.jerdonek@gmail.com>2021-05-29 03:53:50 -0700
committerGitHub <noreply@github.com>2021-05-29 12:53:50 +0200
commitd270dd584e0af12fe6229fb712d0704c232dc7e5 (patch)
treebd5e13eab5d6a54127d5755ede8d7918c22f93a9
parent5685b7cd73820f56a6763d96f1423a0bdfca7c05 (diff)
Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters.
This also improves the comments near where the variable is used.
-rw-r--r--django/middleware/csrf.py7
1 files changed, 4 insertions, 3 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index d862006a07..9e6c9f5e9d 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -21,7 +21,8 @@ from django.utils.log import log_response
from django.utils.regex_helper import _lazy_re_compile
logger = logging.getLogger('django.security.csrf')
-token_re = _lazy_re_compile('[^a-zA-Z0-9]')
+# This matches if any character is not in CSRF_ALLOWED_CHARS.
+invalid_token_chars_re = _lazy_re_compile('[^a-zA-Z0-9]')
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."
REASON_NO_REFERER = "Referer checking failed - no Referer."
@@ -107,8 +108,8 @@ def rotate_token(request):
def _sanitize_token(token):
- # Allow only ASCII alphanumerics
- if token_re.search(token):
+ # Make sure all characters are in CSRF_ALLOWED_CHARS.
+ if invalid_token_chars_re.search(token):
return _get_new_csrf_token()
elif len(token) == CSRF_TOKEN_LENGTH:
return token