| author | Aymeric Augustin <aymeric.augustin@m4x.org> | 2014-04-20 16:29:06 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-04-21 18:31:05 -0400 |
| commit | 6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8 (patch) | |
| tree | 5039f01c622e02e776877f0f9bba71bc9bb2ab3f /tests/regressiontests/cache | |
| parent | 2a5bcb69f42b84464b24b5c835dca6467b6aa7f1 (diff) | |
[1.5.x] Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly.
Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master
Diffstat (limited to 'tests/regressiontests/cache')
| -rw-r--r-- | tests/regressiontests/cache/tests.py | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/tests/regressiontests/cache/tests.py b/tests/regressiontests/cache/tests.py
index cd7da4cece..6d38116b87 100644
--- a/tests/regressiontests/cache/tests.py
+++ b/tests/regressiontests/cache/tests.py
@@ -18,11 +18,13 @@ from django.core import management
 from django.core.cache import get_cache
 from django.core.cache.backends.base import (CacheKeyWarning,
     InvalidCacheBackendError)
+from django.core.context_processors import csrf
 from django.db import router
 from django.http import (HttpResponse, HttpRequest,
     StreamingHttpResponse, QueryDict)
 from django.middleware.cache import (FetchFromCacheMiddleware,
     UpdateCacheMiddleware, CacheMiddleware)
+from django.middleware.csrf import CsrfViewMiddleware
 from django.template import Template
 from django.template.response import TemplateResponse
 from django.test import TestCase, TransactionTestCase, RequestFactory
@@ -1456,6 +1458,10 @@ def hello_world_view(request, value):
     return HttpResponse('Hello World %s' % value)
 
 
+def csrf_view(request):
+    return HttpResponse(csrf(request)['csrf_token'])
+
+
 @override_settings(
     CACHE_MIDDLEWARE_ALIAS='other',
     CACHE_MIDDLEWARE_KEY_PREFIX='middlewareprefix',
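Review bot: `csrf_view` has no docstring explaining why a test view calls the `csrf()` context processor and echoes the raw token, and the test on this page relies on that call's side effect rather than on the response body. I would add `"""Fixture view: invoke the csrf() context processor so that CsrfViewMiddleware sets the CSRF cookie on the response."""` directly under the `def` line, which is what `test_sensitive_cookie_not_cached` appears to depend on as far as these hunks show. Returning the token in the body is acceptable for a fixture, but the docstring should make clear this view is never meant to be mounted outside the test module.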
@@ -1696,6 +1702,27 @@ class CacheMiddlewareTest(TestCase):
         response = other_with_timeout_view(request, '18')
         self.assertEqual(response.content, b'Hello World 18')
 
+    def test_sensitive_cookie_not_cached(self):
+        """
+        Django must prevent caching of responses that set a user-specific (and
+        maybe security sensitive) cookie in response to a cookie-less request.
+        """
+        csrf_middleware = CsrfViewMiddleware()
+        cache_middleware = CacheMiddleware()
+
+        request = self.factory.get('/view/')
+        self.assertIsNone(cache_middleware.process_request(request))
+
+        csrf_middleware.process_view(request, csrf_view, (), {})
+
+        response = csrf_view(request)
+
+        response = csrf_middleware.process_response(request, response)
+        response = cache_middleware.process_response(request, response)
+
+        # Inserting a CSRF cookie in a cookie-less request prevented caching.
+        self.assertIsNone(cache_middleware.process_request(request))
+
 
 @override_settings(
     CACHE_MIDDLEWARE_KEY_PREFIX='settingsprefix',
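Review bot: The test never asserts that `csrf_middleware.process_response` actually attached the CSRF cookie to `response`, so the closing `assertIsNone` cannot distinguish "caching was refused because a cookie was set on a cookie-less request" from "nothing was cached for an unrelated reason". I would add `self.assertIn('csrftoken', response.cookies)` (or `settings.CSRF_COOKIE_NAME` if `settings` is imported in this file) right after the `csrf_middleware.process_response(...)` line, before the response reaches `cache_middleware`. A positive control showing that the same request and cache setup does cache a cookie-less response — for example passing the result of `hello_world_view(request, '1')` through `cache_middleware.process_response` and asserting `process_request` then returns it — would further guard against the test passing vacuously, unless a sibling test in this class already establishes that. The enclosing `CacheMiddlewareTest` class starts before this hunk.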
