summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2011-05-09 23:45:54 +0000
committerLuke Plant <L.Plant.98@cantab.net>2011-05-09 23:45:54 +0000
commitcb060f0f340356ac71ed7db5399753edce278766 (patch)
treede4b482840b4be8b0f8695a33c33c03418e2a7c5 /tests
parent8cbcf1d3a60a0ba1a6f3ddde9317ac07b67c6c5d (diff)
Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests
Thanks to brodie for the report, and further input from tow21 This is a potentially backwards incompatible change - if you were doing PUT/DELETE requests and relying on the lack of protection, you will need to update your code, as noted in the releaste notes. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests')
-rw-r--r--tests/regressiontests/csrf_tests/tests.py31
1 files changed, 31 insertions, 0 deletions
diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py
index 8dc3fbbc1b..3894de2c02 100644
--- a/tests/regressiontests/csrf_tests/tests.py
+++ b/tests/regressiontests/csrf_tests/tests.py
@@ -164,6 +164,37 @@ class CsrfViewMiddlewareTest(TestCase):
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertEqual(None, req2)
+ def test_put_and_delete_rejected(self):
+ """
+ Tests that HTTP PUT and DELETE methods have protection
+ """
+ req = TestingHttpRequest()
+ req.method = 'PUT'
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+ self.assertEqual(403, req2.status_code)
+
+ req = TestingHttpRequest()
+ req.method = 'DELETE'
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+ self.assertEqual(403, req2.status_code)
+
+ def test_put_and_delete_allowed(self):
+ """
+ Tests that HTTP PUT and DELETE methods can get through with
+ X-CSRFToken and a cookie
+ """
+ req = self._get_GET_csrf_cookie_request()
+ req.method = 'PUT'
+ req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+ self.assertEqual(None, req2)
+
+ req = self._get_GET_csrf_cookie_request()
+ req.method = 'DELETE'
+ req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+ self.assertEqual(None, req2)
+
# Tests for the template tag method
def test_token_node_no_csrf_cookie(self):
"""