diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 23:45:54 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 23:45:54 +0000 |
| commit | cb060f0f340356ac71ed7db5399753edce278766 (patch) | |
| tree | de4b482840b4be8b0f8695a33c33c03418e2a7c5 /tests | |
| parent | 8cbcf1d3a60a0ba1a6f3ddde9317ac07b67c6c5d (diff) | |
Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests
Thanks to brodie for the report, and further input from tow21
This is a potentially backwards incompatible change - if you were doing
PUT/DELETE requests and relying on the lack of protection, you will need to
update your code, as noted in the releaste notes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/regressiontests/csrf_tests/tests.py | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py index 8dc3fbbc1b..3894de2c02 100644 --- a/tests/regressiontests/csrf_tests/tests.py +++ b/tests/regressiontests/csrf_tests/tests.py @@ -164,6 +164,37 @@ class CsrfViewMiddlewareTest(TestCase): req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) self.assertEqual(None, req2) + def test_put_and_delete_rejected(self): + """ + Tests that HTTP PUT and DELETE methods have protection + """ + req = TestingHttpRequest() + req.method = 'PUT' + req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) + self.assertEqual(403, req2.status_code) + + req = TestingHttpRequest() + req.method = 'DELETE' + req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) + self.assertEqual(403, req2.status_code) + + def test_put_and_delete_allowed(self): + """ + Tests that HTTP PUT and DELETE methods can get through with + X-CSRFToken and a cookie + """ + req = self._get_GET_csrf_cookie_request() + req.method = 'PUT' + req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id + req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) + self.assertEqual(None, req2) + + req = self._get_GET_csrf_cookie_request() + req.method = 'DELETE' + req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id + req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) + self.assertEqual(None, req2) + # Tests for the template tag method def test_token_node_no_csrf_cookie(self): """ |
