Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-23 21:59:11 +00:00 · 2011-02-09 02:06:27 +00:00
parent c2666c9a45
commit 208630aa4b
3 changed files with 49 additions and 50 deletions
--- a/tests/regressiontests/csrf_tests/tests.py
+++ b/tests/regressiontests/csrf_tests/tests.py
@@ -284,12 +284,12 @@ class CsrfMiddlewareTest(TestCase):
        req2 = CsrfMiddleware().process_view(req, csrf_exempt(post_form_view), (), {})
        self.assertEquals(None, req2)

-    def test_ajax_exemption(self):
+    def test_csrf_token_in_header(self):
        """
-        Check that AJAX requests are automatically exempted.
+        Check that we can pass in the token in a header instead of in the form
        """
        req = self._get_POST_csrf_cookie_request()
-        req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
+        req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
        req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
        self.assertEquals(None, req2)