Michal Čihař 
							
						 
					 
					
						
						
							
						
						22e8ab0286 
					 
					
						
						
							
							Fixed   #29728  -- Prevented session resaving if CSRF cookie is unchanged.  
						
						
						
						
					 
					
						2018-09-08 11:46:13 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						607970f31c 
					 
					
						
						
							
							Replaced django.test.utils.patch_logger() with assertLogs().  
						
						
						
						
						Thanks Tim Graham for the review. 
						
						
					 
					
						2018-05-07 09:34:00 -04:00 
						 
				 
			
				
					
						
							
							
								CHI Cheng 
							
						 
					 
					
						
						
							
						
						98019df855 
					 
					
						
						
							
							Used double quotation marks for csrf form element.  
						
						
						
						
					 
					
						2018-05-03 08:57:18 +02:00 
						 
				 
			
				
					
						
							
							
								Alex Gaynor 
							
						 
					 
					
						
						
							
						
						9a56b4b13e 
					 
					
						
						
							
							Fixed   #27863  -- Added support for the SameSite cookie flag.  
						
						
						
						
						Thanks Alex Gaynor for contributing to the patch. 
						
						
					 
					
						2018-04-13 20:58:31 -04:00 
						 
				 
			
				
					
						
							
							
								Tomer Chachamu 
							
						 
					 
					
						
						
							
						
						7ec0fdf62a 
					 
					
						
						
							
							Fixed   #28693  -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host.  
						
						
						
						
					 
					
						2018-02-14 20:24:01 -05:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						ff05de760c 
					 
					
						
						
							
							Fixed   #29038  -- Removed closing slash from HTML void tags.  
						
						
						
						
					 
					
						2018-01-21 02:09:10 -05:00 
						 
				 
			
				
					
						
							
							
								Florian Apolloner 
							
						 
					 
					
						
						
							
						
						c4c128d67c 
					 
					
						
						
							
							Fixed   #28488  -- Reallowed error handlers to access CSRF tokens.  
						
						
						
						
						Regression in eef95ea96f 
						
						
					 
					
						2017-09-20 16:22:18 -04:00 
						 
				 
			
				
					
						
							
							
								Florian Apolloner 
							
						 
					 
					
						
						
							
						
						77f82c4bf1 
					 
					
						
						
							
							Initialized CsrfViewMiddleware once in csrf_tests.  
						
						
						
						
					 
					
						2017-09-20 16:22:12 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						c688336ebc 
					 
					
						
						
							
							Refs  #23919  -- Assumed request COOKIES and META are str  
						
						
						
						
					 
					
						2017-01-30 14:13:29 +01:00 
						 
				 
			
				
					
						
							
							
								chillaranand 
							
						 
					 
					
						
						
							
						
						d6eaf7c018 
					 
					
						
						
							
							Refs  #23919  -- Replaced super(ClassName, self) with super().  
						
						
						
						
					 
					
						2017-01-25 12:23:46 -05:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						2366100872 
					 
					
						
						
							
							Removed unneeded force_text calls in the test suite  
						
						
						
						
					 
					
						2017-01-24 18:45:54 +01:00 
						 
				 
			
				
					
						
							
							
								Simon Charette 
							
						 
					 
					
						
						
							
						
						cecc079168 
					 
					
						
						
							
							Refs  #23919  -- Stopped inheriting from object to define new style classes.  
						
						
						
						
					 
					
						2017-01-19 08:39:46 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						7b2f2e74ad 
					 
					
						
						
							
							Refs  #23919  -- Removed six.<various>_types usage  
						
						
						
						
						Thanks Tim Graham and Simon Charette for the reviews. 
						
						
					 
					
						2017-01-18 20:18:46 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						d7b9aaa366 
					 
					
						
						
							
							Refs  #23919  -- Removed encoding preambles and future imports  
						
						
						
						
					 
					
						2017-01-18 09:55:19 +01:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						78500102b7 
					 
					
						
						
							
							Moved csrf_tests views to a spearate file.  
						
						
						
						
					 
					
						2016-11-30 18:24:29 -05:00 
						 
				 
			
				
					
						
							
							
								Raphael Michel 
							
						 
					 
					
						
						
							
						
						ddf169cdac 
					 
					
						
						
							
							Refs  #16859  -- Allowed storing CSRF tokens in sessions.  
						
						
						
						
						Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review. 
						
						
					 
					
						2016-11-30 08:57:27 -05:00 
						 
				 
			
				
					
						
							
							
								za 
							
						 
					 
					
						
						
							
						
						321e94fa41 
					 
					
						
						
							
							Refs  #27392  -- Removed "Tests that", "Ensures that", etc. from test docstrings.  
						
						
						
						
					 
					
						2016-11-10 21:30:21 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						7fe2d8d940 
					 
					
						
						
							
							Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.  
						
						
						
						
						This is a security fix. 
						
						
					 
					
						2016-11-01 09:30:57 -04:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						4f336f6652 
					 
					
						
						
							
							Fixed   #26747  -- Used more specific assertions in the Django test suite.  
						
						
						
						
					 
					
						2016-06-16 14:19:18 -04:00 
						 
				 
			
				
					
						
							
							
								Holly Becker 
							
						 
					 
					
						
						
							
						
						55fec16aaf 
					 
					
						
						
							
							Fixed   #26628  -- Changed CSRF logger to django.security.csrf.  
						
						
						
						
					 
					
						2016-06-04 10:17:06 -04:00 
						 
				 
			
				
					
						
							
							
								Shai Berger 
							
						 
					 
					
						
						
							
						
						5112e65ef2 
					 
					
						
						
							
							Fixed   #20869  -- made CSRF tokens change every request by salt-encrypting them  
						
						
						
						
						Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews. 
						
						
					 
					
						2016-05-19 05:02:19 +03:00 
						 
				 
			
				
					
						
							
							
								chemary 
							
						 
					 
					
						
						
							
						
						2d28144c95 
					 
					
						
						
							
							Fixed   #26094  -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).  
						
						
						
						
					 
					
						2016-01-20 18:19:24 -05:00 
						 
				 
			
				
					
						
							
							
								Josh Soref 
							
						 
					 
					
						
						
							
						
						93452a70e8 
					 
					
						
						
							
							Fixed many spelling mistakes in code, comments, and docs.  
						
						
						
						
					 
					
						2015-12-03 12:48:24 -05:00 
						 
				 
			
				
					
						
							
							
								Matt Robenolt 
							
						 
					 
					
						
						
							
						
						b0c56b895f 
					 
					
						
						
							
							Fixed   #24496  -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.  
						
						
						
						
						Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews. 
						
						
					 
					
						2015-09-16 12:21:50 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Kehn 
							
						 
					 
					
						
						
							
						
						e687794f6b 
					 
					
						
						
							
							Cleaned up docstrings in csrf_tests/tests.py.  
						
						
						
						
					 
					
						2015-09-05 09:20:57 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Kehn 
							
						 
					 
					
						
						
							
						
						ab26b65b2f 
					 
					
						
						
							
							Fixed   #25334  -- Provided a way to allow cross-origin unsafe requests over HTTPS.  
						
						
						
						
						Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests. 
						
						
					 
					
						2015-09-05 09:19:57 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						70be31bba7 
					 
					
						
						
							
							Fixed   #24836  -- Made force_text() resolve lazy objects.  
						
						
						
						
					 
					
						2015-05-27 09:48:53 -04:00 
						 
				 
			
				
					
						
							
							
								Simon Charette 
							
						 
					 
					
						
						
							
						
						be67400b47 
					 
					
						
						
							
							Refs  #24652  -- Used SimpleTestCase where appropriate.  
						
						
						
						
					 
					
						2015-05-20 13:46:13 -04:00 
						 
				 
			
				
					
						
							
							
								Jay Cox 
							
						 
					 
					
						
						
							
						
						eef95ea96f 
					 
					
						
						
							
							Fixed   #24696  -- Made CSRF_COOKIE computation lazy.  
						
						
						
						
						Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.
Changed result of the “test_token_node_no_csrf_cookie” test:  It gets
a valid CSRF token now which seems like the correct behavior.
Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly. 
						
						
					 
					
						2015-05-02 19:45:14 -04:00 
						 
				 
			
				
					
						
							
							
								Grzegorz Slusarek 
							
						 
					 
					
						
						
							
						
						668d53cd12 
					 
					
						
						
							
							Fixed   #21495  -- Added settings.CSRF_HEADER_NAME  
						
						
						
						
					 
					
						2015-03-05 15:03:40 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						0ed7d15563 
					 
					
						
						
							
							Sorted imports with isort; refs  #23860 .  
						
						
						
						
					 
					
						2015-02-06 08:16:28 -05:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						011f21b4fa 
					 
					
						
						
							
							Used None-related assertions in CSRF tests  
						
						
						
						
						Thanks Markus Holtermann for spotting this. 
						
						
					 
					
						2015-01-06 08:48:01 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						27dd7e7271 
					 
					
						
						
							
							Fixed   #23815  -- Prevented UnicodeDecodeError in CSRF middleware  
						
						
						
						
						Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review. 
						
						
					 
					
						2015-01-06 08:42:58 +01:00 
						 
				 
			
				
					
						
							
							
								Aymeric Augustin 
							
						 
					 
					
						
						
							
						
						92e8f1f302 
					 
					
						
						
							
							Moved context_processors from django.core to django.template.  
						
						
						
						
					 
					
						2014-12-28 17:00:07 +01:00 
						 
				 
			
				
					
						
							
							
								Berker Peksag 
							
						 
					 
					
						
						
							
						
						f7969b0920 
					 
					
						
						
							
							Fixed   #23620  -- Used more specific assertions in the Django test suite.  
						
						
						
						
					 
					
						2014-11-03 11:56:37 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						815e7a5721 
					 
					
						
						
							
							Fixed   #20128  -- Made CsrfViewMiddleware ignore IOError when reading POST data.  
						
						
						
						
						Thanks Walter Doekes. 
						
						
					 
					
						2014-06-25 07:08:16 -04:00 
						 
				 
			
				
					
						
							
							
								Roger Hu 
							
						 
					 
					
						
						
							
						
						9b729ddd8f 
					 
					
						
						
							
							Fixed   #22185  -- Added settings.CSRF_COOKIE_AGE  
						
						
						
						
						Thanks Paul McMillan for the review. 
						
						
					 
					
						2014-03-06 08:28:43 -05:00 
						 
				 
			
				
					
						
							
							
								Aymeric Augustin 
							
						 
					 
					
						
						
							
						
						e32095616c 
					 
					
						
						
							
							Imported override_settings from its new location.  
						
						
						
						
					 
					
						2013-12-23 21:37:56 +01:00 
						 
				 
			
				
					
						
							
							
								Aymeric Augustin 
							
						 
					 
					
						
						
							
						
						6e895f9e06 
					 
					
						
						
							
							Removed superfluous models.py files.  
						
						
						
						
						Added comments in the three empty models.py files that are still needed.
Adjusted the test runner to add applications corresponding to test
labels to INSTALLED_APPS even when they don't have a models module. 
						
						
					 
					
						2013-12-17 11:16:48 +01:00 
						 
				 
			
				
					
						
							
							
								Jason Myers 
							
						 
					 
					
						
						
							
						
						7a61c68c50 
					 
					
						
						
							
							PEP8 cleanup  
						
						
						
						
						Signed-off-by: Jason Myers <jason@jasonamyers.com>
						
						
					 
					
						2013-11-02 23:50:49 -05:00 
						 
				 
			
				
					
						
							
							
								Alex Gaynor 
							
						 
					 
					
						
						
							
						
						9d740eb8b1 
					 
					
						
						
							
							Fix all violators of E231  
						
						
						
						
					 
					
						2013-10-26 12:15:03 -07:00 
						 
				 
			
				
					
						
							
							
								Alex Gaynor 
							
						 
					 
					
						
						
							
						
						9d11522599 
					 
					
						
						
							
							Removed some more unused local vars  
						
						
						
						
					 
					
						2013-09-08 12:20:01 -07:00 
						 
				 
			
				
					
						
							
							
								Olivier Sels 
							
						 
					 
					
						
						
							
						
						63a9555d57 
					 
					
						
						
							
							Fixed   #19436  -- Don't log warnings in ensure_csrf_cookie.  
						
						
						
						
					 
					
						2013-05-18 16:17:46 +02:00 
						 
				 
			
				
					
						
							
							
								Florian Apolloner 
							
						 
					 
					
						
						
							
						
						051cb1f4c6 
					 
					
						
						
							
							Fixed   #20411  -- Don't let invalid referers blow up CSRF same origin checks.  
						
						
						
						
						Thanks to edevil for the report and saz for the patch. 
						
						
					 
					
						2013-05-18 12:32:47 +02:00 
						 
				 
			
				
					
						
							
							
								Florian Apolloner 
							
						 
					 
					
						
						
							
						
						89f40e3624 
					 
					
						
						
							
							Merged regressiontests and modeltests into the test root.  
						
						
						
						
					 
					
						2013-02-26 14:36:57 +01:00