From d270dd584e0af12fe6229fb712d0704c232dc7e5 Mon Sep 17 00:00:00 2001
From: Chris Jerdonek
Date: Sat, 29 May 2021 03:53:50 -0700
Subject: [PATCH] Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters.

This also improves the comments near where the variable is used.
---
 django/middleware/csrf.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index d862006a07..9e6c9f5e9d 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -21,7 +21,8 @@ from django.utils.log import log_response
 from django.utils.regex_helper import _lazy_re_compile
 
 logger = logging.getLogger('django.security.csrf')
-token_re = _lazy_re_compile('[^a-zA-Z0-9]')
+# This matches if any character is not in CSRF_ALLOWED_CHARS.
+invalid_token_chars_re = _lazy_re_compile('[^a-zA-Z0-9]')
 
 REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."
 REASON_NO_REFERER = "Referer checking failed - no Referer."
@@ -107,8 +108,8 @@ def rotate_token(request):
 
 
 def _sanitize_token(token):
-    # Allow only ASCII alphanumerics
-    if token_re.search(token):
+    # Make sure all characters are in CSRF_ALLOWED_CHARS.
+    if invalid_token_chars_re.search(token):
         return _get_new_csrf_token()
     elif len(token) == CSRF_TOKEN_LENGTH:
         return token
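Review bot: The new comment on `invalid_token_chars_re` asserts that the pattern is the complement of `CSRF_ALLOWED_CHARS`, but the character class `[^a-zA-Z0-9]` is an independent literal, so the two can drift apart silently if the allowed alphabet is ever changed, and `_sanitize_token` would then accept or regenerate tokens on a different basis than the constant documents. `CSRF_ALLOWED_CHARS` is referenced here but defined outside the hunk; if it is available before this line, deriving the pattern from it removes the duplication, e.g. `invalid_token_chars_re = _lazy_re_compile('[^%s]' % re.escape(CSRF_ALLOWED_CHARS))` (this needs `re` in scope, which the hunk does not show). If the constant is defined later in the module, the cheaper fix is to make the comment state the literal alphabet rather than claim equivalence, e.g. `# Matches any character outside ASCII letters and digits (keep in sync with CSRF_ALLOWED_CHARS).`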
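Review bot: `_sanitize_token` still has no docstring even though this commit reworks its comments, and a reader has to infer its contract from the branches; the visible part regenerates a token on any disallowed character and returns the input unchanged only when it has exactly `CSRF_TOKEN_LENGTH` characters, while the remaining branch lies outside the hunk. A short docstring such as `"""Return token if it is well-formed; otherwise return a freshly generated CSRF token."""` would document that this function never raises on malformed input but replaces it, which matters for anyone reasoning about how untrusted cookie or header values flow through the middleware. Adjust the wording to cover the branch not shown here.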