| author | Chris Jerdonek <chris.jerdonek@gmail.com> | 2021-07-23 01:54:57 -0400 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-07-29 11:55:36 +0200 |
| commit | 7c30bdbdb16204970cc320f4345b8a439d8f65b4 (patch) | |
| tree | c8daa41f6de29e11c049cfae9785ee1892cd212a /django | |
| parent | 6ebf931de8926d88db6d2684cb07d1bbebb919a5 (diff) | |
Refs #32916 -- Replaced request.csrf_cookie_needs_reset with request.META['CSRF_COOKIE_NEEDS_UPDATE'].
Diffstat (limited to 'django')
| -rw-r--r-- | django/middleware/csrf.py | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index fb52f612d5..a79015ae07 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -101,7 +101,7 @@ def get_token(request):
 # Since the cookie is being used, flag to send the cookie in
 # process_response() (even if the client already has it) in order to renew
 # the expiry timer.
- request.csrf_cookie_needs_reset = True
+ request.META['CSRF_COOKIE_NEEDS_UPDATE'] = True
 return _mask_cipher_secret(csrf_secret)
@@ -110,8 +110,10 @@ def rotate_token(request):
 Change the CSRF token in use for a request - should be done on login
 for security purposes.
 """
- request.META["CSRF_COOKIE"] = _get_new_csrf_token()
- request.csrf_cookie_needs_reset = True
+ request.META.update({
+ 'CSRF_COOKIE': _get_new_csrf_token(),
+ 'CSRF_COOKIE_NEEDS_UPDATE': True,
+ })
 class InvalidTokenFormat(Exception):
@@ -224,7 +226,7 @@ class CsrfViewMiddleware(MiddlewareMixin):
 if csrf_token != cookie_token:
 # Then the cookie token had length CSRF_SECRET_LENGTH, so flag
 # to replace it with the masked version.
- request.csrf_cookie_needs_reset = True
+ request.META['CSRF_COOKIE_NEEDS_UPDATE'] = True
 return csrf_token
 def _set_token(self, request, response):
@@ -376,7 +378,7 @@ class CsrfViewMiddleware(MiddlewareMixin):
 csrf_token = self._get_token(request)
 except InvalidTokenFormat:
 csrf_token = _get_new_csrf_token()
- request.csrf_cookie_needs_reset = True
+ request.META["CSRF_COOKIE_NEEDS_UPDATE"] = True
 if csrf_token is not None:
 # Use same token next time.
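Review bot: rotate_token()'s docstring still says only that the token is changed; it does not say that the new secret reaches the client only when a later `CsrfViewMiddleware.process_response()` finds `CSRF_COOKIE_NEEDS_UPDATE` set in `request.META`. I would add a sentence such as `The new cookie is written by CsrfViewMiddleware.process_response(), which reads request.META['CSRF_COOKIE_NEEDS_UPDATE'].` so that callers rotating on login know the middleware (or decorator) must still run for the rotation to take effect. The opening of the docstring is outside the hunk, so this is based on its visible tail only.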
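Review bot: In the `except InvalidTokenFormat:` branch the added line `request.META["CSRF_COOKIE_NEEDS_UPDATE"] = True` spells the key with double quotes, while every other new line in this commit uses `'CSRF_COOKIE_NEEDS_UPDATE'`; one spelling makes the flag easier to search for. Since the flag is now a string key rather than an attribute, a module-level constant for the name would also keep a typo from silently creating a different META entry that process_response() never reads. The enclosing method starts and ends outside the hunk.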
@@ -438,15 +440,15 @@ class CsrfViewMiddleware(MiddlewareMixin):
 return self._accept(request)
 def process_response(self, request, response):
- if getattr(request, 'csrf_cookie_needs_reset', False):
+ if request.META.get('CSRF_COOKIE_NEEDS_UPDATE'):
 self._set_token(request, response)
 # Unset the flag to prevent _set_token() from being unnecessarily
 # called again in process_response() by other instances of
- # CsrfViewMiddleware. This can happen e.g. when both a decorator
- # and middleware are used. However, the csrf_cookie_needs_reset
- # attribute is still respected in subsequent calls e.g. in case
- # rotate_token() is called in process_response() later by custom
- # middleware but before those subsequent calls.
- request.csrf_cookie_needs_reset = False
+ # CsrfViewMiddleware. This can happen e.g. when both a decorator and
+ # middleware are used. However, CSRF_COOKIE_NEEDS_UPDATE is still
+ # respected in subsequent calls e.g. in case rotate_token() is
+ # called in process_response() later by custom middleware but before
+ # those subsequent calls.
+ request.META['CSRF_COOKIE_NEEDS_UPDATE'] = False
 return response
|
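Review bot: Code outside this module that still sets `request.csrf_cookie_needs_reset = True` is now ignored without any error, because process_response() only checks `request.META.get('CSRF_COOKIE_NEEDS_UPDATE')`; such a caller would silently stop getting the CSRF cookie re-sent. The diff shows no fallback or deprecation path, so a release note would help if the attribute was ever relied on externally (whether it was documented is not visible here). Separately, the flag now lives in `request.META`, the same mapping the server fills with environ values, and the check is a plain truthiness test. A short comment such as `# Internal flag; only ever set together with META['CSRF_COOKIE'].` would record the invariant that _set_token() presumably depends on.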
