summaryrefslogtreecommitdiff
path: root/tests/csrf_tests
AgeCommit message (Collapse)Author
2018-09-08Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.Michal Čihař
2018-05-07Replaced django.test.utils.patch_logger() with assertLogs().Claude Paroz
Thanks Tim Graham for the review.
2018-05-03Used double quotation marks for csrf form element.CHI Cheng
2018-04-13Fixed #27863 -- Added support for the SameSite cookie flag.Alex Gaynor
Thanks Alex Gaynor for contributing to the patch.
2018-02-14Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has ↵Tomer Chachamu
an invalid host.
2018-01-21Fixed #29038 -- Removed closing slash from HTML void tags.Jon Dufresne
2017-09-20Fixed #28488 -- Reallowed error handlers to access CSRF tokens.Florian Apolloner
Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b.
2017-09-20Initialized CsrfViewMiddleware once in csrf_tests.Florian Apolloner
2017-01-30Refs #23919 -- Assumed request COOKIES and META are strClaude Paroz
2017-01-25Refs #23919 -- Replaced super(ClassName, self) with super().chillaranand
2017-01-24Removed unneeded force_text calls in the test suiteClaude Paroz
2017-01-19Refs #23919 -- Stopped inheriting from object to define new style classes.Simon Charette
2017-01-18Refs #23919 -- Removed six.<various>_types usageClaude Paroz
Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18Refs #23919 -- Removed encoding preambles and future importsClaude Paroz
2016-11-30Moved csrf_tests views to a spearate file.Tim Graham
2016-11-30Refs #16859 -- Allowed storing CSRF tokens in sessions.Raphael Michel
Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-10Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings.za
2016-11-01Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.Tim Graham
This is a security fix.
2016-06-16Fixed #26747 -- Used more specific assertions in the Django test suite.Jon Dufresne
2016-06-04Fixed #26628 -- Changed CSRF logger to django.security.csrf.Holly Becker
2016-05-19Fixed #20869 -- made CSRF tokens change every request by salt-encrypting themShai Berger
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
2016-01-20Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).chemary
2015-12-03Fixed many spelling mistakes in code, comments, and docs.Josh Soref
2015-09-16Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.Matt Robenolt
Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
2015-09-05Cleaned up docstrings in csrf_tests/tests.py.Joshua Kehn
2015-09-05Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.Joshua Kehn
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
2015-05-27Fixed #24836 -- Made force_text() resolve lazy objects.Tim Graham
2015-05-20Refs #24652 -- Used SimpleTestCase where appropriate.Simon Charette
2015-05-02Fixed #24696 -- Made CSRF_COOKIE computation lazy.Jay Cox
Only compute the CSRF_COOKIE when it is actually used. This is a significant speedup for clients not using cookies. Changed result of the “test_token_node_no_csrf_cookie” test: It gets a valid CSRF token now which seems like the correct behavior. Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to use get_token() to trigger CSRF cookie inclusion instead of changing request.META["CSRF_COOKIE_USED"] directly.
2015-03-05Fixed #21495 -- Added settings.CSRF_HEADER_NAMEGrzegorz Slusarek
2015-02-06Sorted imports with isort; refs #23860.Tim Graham
2015-01-06Used None-related assertions in CSRF testsClaude Paroz
Thanks Markus Holtermann for spotting this.
2015-01-06Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middlewareClaude Paroz
Thanks codeitloadit for the report, living180 for investigations and Tim Graham for the review.
2014-12-28Moved context_processors from django.core to django.template.Aymeric Augustin
2014-11-03Fixed #23620 -- Used more specific assertions in the Django test suite.Berker Peksag
2014-06-25Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.Tim Graham
Thanks Walter Doekes.
2014-03-06Fixed #22185 -- Added settings.CSRF_COOKIE_AGERoger Hu
Thanks Paul McMillan for the review.
2013-12-23Imported override_settings from its new location.Aymeric Augustin
2013-12-17Removed superfluous models.py files.Aymeric Augustin
Added comments in the three empty models.py files that are still needed. Adjusted the test runner to add applications corresponding to test labels to INSTALLED_APPS even when they don't have a models module.
2013-11-02PEP8 cleanupJason Myers
Signed-off-by: Jason Myers <jason@jasonamyers.com>
2013-10-26Fix all violators of E231Alex Gaynor
2013-09-08Removed some more unused local varsAlex Gaynor
2013-05-18Fixed #19436 -- Don't log warnings in ensure_csrf_cookie.Olivier Sels
2013-05-18Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.Florian Apolloner
Thanks to edevil for the report and saz for the patch.
2013-02-26Merged regressiontests and modeltests into the test root.Florian Apolloner