authorLuke Plant <L.Plant.98@cantab.net>2011-03-15 22:24:26 +0000
committerLuke Plant <L.Plant.98@cantab.net>2011-03-15 22:24:26 +0000
commit1d628d7ecf9ae832894e54acf7757a62caf7b548 (patch)
tree171748757a5b8013792f6506f70015c26d4f723c /tests
parent63686ce2c6657ae4db7bf6a05c3ee8ef8555e167 (diff)
[1.2.X] Fixed #15617 - CSRF referer checking too strict
Thanks to adam for the report. Backport of [15840] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15844 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests')
-rw-r--r--tests/regressiontests/csrf_tests/tests.py13
-rw-r--r--tests/regressiontests/utils/http.py24
-rw-r--r--tests/regressiontests/utils/tests.py1
3 files changed, 38 insertions, 0 deletions
diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py
index 08501895d2..c788260fdf 100644
--- a/tests/regressiontests/csrf_tests/tests.py
+++ b/tests/regressiontests/csrf_tests/tests.py
@@ -373,3 +373,16 @@ class CsrfMiddlewareTest(TestCase):
req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertEquals(None, req2)
+
+ def test_https_good_referer_2(self):
+ """
+ Test that a POST HTTPS request with a good referer is accepted
+ where the referer contains no trailing slash
+ """
+ # See ticket #15617
+ req = self._get_POST_request_with_token()
+ req._is_secure = True
+ req.META['HTTP_HOST'] = 'www.example.com'
+ req.META['HTTP_REFERER'] = 'https://www.example.com'
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+ self.assertEqual(None, req2)
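Review bot: The new test_https_good_referer_2 only pins the relaxed side of the referer check; nothing in this hunk confirms that the middleware still rejects a slash-less referer that is a different origin, which is exactly the regression a looser comparison could introduce. The helper-level tests in tests/regressiontests/utils/http.py cover that for same_origin, but the middleware path (what process_view returns for a bad referer) is not exercised here. A companion test mirroring this one with a non-matching host suffix and asserting a non-None response would close that gap; the exact response type is not visible in this hunk, so the assertion below stays at assertNotEqual. The context lines at the top belong to a test method that starts outside the hunk.
```python
    def test_https_bad_referer_no_slash(self):
        """
        Test that a POST HTTPS request whose referer lacks a trailing slash
        but is a different origin is still rejected (companion to #15617)
        """
        req = self._get_POST_request_with_token()
        req._is_secure = True
        req.META['HTTP_HOST'] = 'www.example.com'
        req.META['HTTP_REFERER'] = 'https://www.example.com.evil.com'
        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
        self.assertNotEqual(None, req2)
```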
diff --git a/tests/regressiontests/utils/http.py b/tests/regressiontests/utils/http.py
new file mode 100644
index 0000000000..4b55196c0e
--- /dev/null
+++ b/tests/regressiontests/utils/http.py
@@ -0,0 +1,24 @@
+import unittest
+
+from django.utils import http
+
+class TestUtilsHttp(unittest.TestCase):
+
+ def test_same_origin_true(self):
+ # Identical
+ self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com/'))
+ # One with trailing slash - see #15617
+ self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com/'))
+ self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com'))
+ # With port
+ self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/'))
+
+ def test_same_origin_false(self):
+ # Different scheme
+ self.assertFalse(http.same_origin('http://foo.com', 'https://foo.com'))
+ # Different host
+ self.assertFalse(http.same_origin('http://foo.com', 'http://goo.com'))
+ # Different host again
+ self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com'))
+ # Different port
+ self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001'))
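Review bot: test_same_origin_true never asserts that same_origin compares origin rather than full URL beyond the trailing-slash case, so a future implementation that special-cases only a bare "/" would still pass; one extra assertion with two genuinely different paths pins the intended contract: `self.assertTrue(http.same_origin('http://foo.com/a/', 'http://foo.com/b'))`. The false-side cases are a good set, and the host-suffix case on the "Different host again" line is the one most worth keeping as the fix lands. The expected result for a default-port-vs-explicit-port pair (`http://foo.com` vs `http://foo.com:80`) is not derivable from this file, so I would not add it without checking the implementation.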
diff --git a/tests/regressiontests/utils/tests.py b/tests/regressiontests/utils/tests.py
index 6d3bbfa86c..5c4c0602e8 100644
--- a/tests/regressiontests/utils/tests.py
+++ b/tests/regressiontests/utils/tests.py
@@ -7,6 +7,7 @@ from feedgenerator import *
from module_loading import *
from termcolors import *
from html import *
+from http import *
from checksums import *
from text import *
from simplelazyobject import *