diff options
| author | Tim Graham <timograham@gmail.com> | 2021-01-12 19:55:02 -0500 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-18 20:00:22 +0100 |
| commit | dba44a7a7a3581ec722e06fa0f9f33dfc00ed5cd (patch) | |
| tree | a999c49d722b06cc70740b55be21c8f73ae343eb /django | |
| parent | 9bf5e9418f425666726559c9f1981a516da30aab (diff) | |
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
Diffstat (limited to 'django')
| -rw-r--r-- | django/core/checks/__init__.py | 1 | ||||
| -rw-r--r-- | django/core/checks/compatibility/django_4_0.py | 18 | ||||
| -rw-r--r-- | django/middleware/csrf.py | 10 |
3 files changed, 28 insertions, 1 deletions
diff --git a/django/core/checks/__init__.py b/django/core/checks/__init__.py index 7eb526a41c..296e991ddc 100644 --- a/django/core/checks/__init__.py +++ b/django/core/checks/__init__.py @@ -7,6 +7,7 @@ from .registry import Tags, register, run_checks, tag_exists # Import these to force registration of checks import django.core.checks.async_checks # NOQA isort:skip import django.core.checks.caches # NOQA isort:skip +import django.core.checks.compatibility.django_4_0 # NOQA isort:skip import django.core.checks.database # NOQA isort:skip import django.core.checks.files # NOQA isort:skip import django.core.checks.model_checks # NOQA isort:skip diff --git a/django/core/checks/compatibility/django_4_0.py b/django/core/checks/compatibility/django_4_0.py new file mode 100644 index 0000000000..7788629735 --- /dev/null +++ b/django/core/checks/compatibility/django_4_0.py @@ -0,0 +1,18 @@ +from django.conf import settings + +from .. import Error, Tags, register + + +@register(Tags.compatibility) +def check_csrf_trusted_origins(app_configs, **kwargs): + errors = [] + for origin in settings.CSRF_TRUSTED_ORIGINS: + if '://' not in origin: + errors.append(Error( + 'As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS ' + 'setting must start with a scheme (usually http:// or ' + 'https://) but found %s. See the release notes for details.' + % origin, + id='4_0.E001', + )) + return errors diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index 368b51f316..10d678db41 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -15,6 +15,7 @@ from django.urls import get_callable from django.utils.cache import patch_vary_headers from django.utils.crypto import constant_time_compare, get_random_string from django.utils.deprecation import MiddlewareMixin +from django.utils.functional import cached_property from django.utils.http import is_same_domain from django.utils.log import log_response @@ -136,6 +137,13 @@ class CsrfViewMiddleware(MiddlewareMixin): This middleware should be used in conjunction with the {% csrf_token %} template tag. """ + @cached_property + def csrf_trusted_origins_hosts(self): + return [ + urlparse(origin).netloc.lstrip('*') + for origin in settings.CSRF_TRUSTED_ORIGINS + ] + # The _accept and _reject methods currently only exist for the sake of the # requires_csrf_token decorator. def _accept(self, request): @@ -272,7 +280,7 @@ class CsrfViewMiddleware(MiddlewareMixin): # Create a list of all acceptable HTTP referers, including the # current host if it's permitted by ALLOWED_HOSTS. - good_hosts = list(settings.CSRF_TRUSTED_ORIGINS) + good_hosts = list(self.csrf_trusted_origins_hosts) if good_referer is not None: good_hosts.append(good_referer) |
