diff options
| author | Chris Jerdonek <chris.jerdonek@gmail.com> | 2021-05-29 03:53:50 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-29 12:53:50 +0200 |
| commit | d270dd584e0af12fe6229fb712d0704c232dc7e5 (patch) | |
| tree | bd5e13eab5d6a54127d5755ede8d7918c22f93a9 | |
| parent | 5685b7cd73820f56a6763d96f1423a0bdfca7c05 (diff) | |
Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters.
This also improves the comments near where the variable is used.
| -rw-r--r-- | django/middleware/csrf.py | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index d862006a07..9e6c9f5e9d 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -21,7 +21,8 @@ from django.utils.log import log_response from django.utils.regex_helper import _lazy_re_compile logger = logging.getLogger('django.security.csrf') -token_re = _lazy_re_compile('[^a-zA-Z0-9]') +# This matches if any character is not in CSRF_ALLOWED_CHARS. +invalid_token_chars_re = _lazy_re_compile('[^a-zA-Z0-9]') REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins." REASON_NO_REFERER = "Referer checking failed - no Referer." @@ -107,8 +108,8 @@ def rotate_token(request): def _sanitize_token(token): - # Allow only ASCII alphanumerics - if token_re.search(token): + # Make sure all characters are in CSRF_ALLOWED_CHARS. + if invalid_token_chars_re.search(token): return _get_new_csrf_token() elif len(token) == CSRF_TOKEN_LENGTH: return token |
