summaryrefslogtreecommitdiff
path: root/tests/cache/tests.py
diff options
context:
space:
mode:
authorAymeric Augustin <aymeric.augustin@m4x.org>2014-04-20 16:27:33 -0400
committerTim Graham <timograham@gmail.com>2014-04-21 18:30:27 -0400
commitd63e20942f3024f24cb8cd85a49461ba8a9b6736 (patch)
tree862f0077b9de3f505a1c4154678f1af5ef4ec186 /tests/cache/tests.py
parent4352a50871e239ebcdf64eee6f0b88e714015c1b (diff)
[1.6.x] Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly. Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master
Diffstat (limited to 'tests/cache/tests.py')
-rw-r--r--tests/cache/tests.py28
1 files changed, 28 insertions, 0 deletions
diff --git a/tests/cache/tests.py b/tests/cache/tests.py
index 7413a4aae6..04ef21b851 100644
--- a/tests/cache/tests.py
+++ b/tests/cache/tests.py
@@ -19,12 +19,14 @@ from django.core import management
from django.core.cache import get_cache
from django.core.cache.backends.base import (CacheKeyWarning,
InvalidCacheBackendError)
+from django.core.context_processors import csrf
from django.db import router, transaction
from django.core.cache.utils import make_template_fragment_key
from django.http import (HttpResponse, HttpRequest, StreamingHttpResponse,
QueryDict)
from django.middleware.cache import (FetchFromCacheMiddleware,
UpdateCacheMiddleware, CacheMiddleware)
+from django.middleware.csrf import CsrfViewMiddleware
from django.template import Template
from django.template.response import TemplateResponse
from django.test import TestCase, TransactionTestCase, RequestFactory
@@ -1578,6 +1580,10 @@ def hello_world_view(request, value):
return HttpResponse('Hello World %s' % value)
+def csrf_view(request):
+ return HttpResponse(csrf(request)['csrf_token'])
+
+
@override_settings(
CACHE_MIDDLEWARE_ALIAS='other',
CACHE_MIDDLEWARE_KEY_PREFIX='middlewareprefix',
@@ -1797,6 +1803,28 @@ class CacheMiddlewareTest(IgnorePendingDeprecationWarningsMixin, TestCase):
response = other_with_prefix_view(request, '16')
self.assertEqual(response.content, b'Hello World 16')
+ def test_sensitive_cookie_not_cached(self):
+ """
+ Django must prevent caching of responses that set a user-specific (and
+ maybe security sensitive) cookie in response to a cookie-less request.
+ """
+ csrf_middleware = CsrfViewMiddleware()
+ cache_middleware = CacheMiddleware()
+
+ request = self.factory.get('/view/')
+ self.assertIsNone(cache_middleware.process_request(request))
+
+ csrf_middleware.process_view(request, csrf_view, (), {})
+
+ response = csrf_view(request)
+
+ response = csrf_middleware.process_response(request, response)
+ response = cache_middleware.process_response(request, response)
+
+ # Inserting a CSRF cookie in a cookie-less request prevented caching.
+ self.assertIsNone(cache_middleware.process_request(request))
+
+
@override_settings(
CACHE_MIDDLEWARE_KEY_PREFIX='settingsprefix',
CACHE_MIDDLEWARE_SECONDS=1,