mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-19 02:01:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

[1.6.x] Prevented leaking the CSRF token through caching.

Browse source 
This is a security fix. Disclosure will follow shortly.

Backport of c083e3815a from master
This commit is contained in:
Aymeric Augustin 2014-04-20 16:27:33 -04:00 committed by Tim Graham
parent 4352a50871
commit d63e20942f
2 changed files with 37 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

28
tests/cache/tests.py vendored
View file

@ -19,12 +19,14 @@ from django.core import management
from django.core.cache import get_cache
from django.core.cache.backends.base import (CacheKeyWarning,
InvalidCacheBackendError)
from django.core.context_processors import csrf
from django.db import router, transaction
from django.core.cache.utils import make_template_fragment_key
from django.http import (HttpResponse, HttpRequest, StreamingHttpResponse,
QueryDict)
from django.middleware.cache import (FetchFromCacheMiddleware,
UpdateCacheMiddleware, CacheMiddleware)
from django.middleware.csrf import CsrfViewMiddleware
from django.template import Template
from django.template.response import TemplateResponse
from django.test import TestCase, TransactionTestCase, RequestFactory
@ -1578,6 +1580,10 @@ def hello_world_view(request, value):
return HttpResponse('Hello World %s' % value)
def csrf_view(request):
return HttpResponse(csrf(request)['csrf_token'])
@override_settings(
CACHE_MIDDLEWARE_ALIAS='other',
CACHE_MIDDLEWARE_KEY_PREFIX='middlewareprefix',
@ -1797,6 +1803,28 @@ class CacheMiddlewareTest(IgnorePendingDeprecationWarningsMixin, TestCase):
response = other_with_prefix_view(request, '16')
self.assertEqual(response.content, b'Hello World 16')
def test_sensitive_cookie_not_cached(self):
"""
Django must prevent caching of responses that set a user-specific (and
maybe security sensitive) cookie in response to a cookie-less request.
"""
csrf_middleware = CsrfViewMiddleware()
cache_middleware = CacheMiddleware()
request = self.factory.get('/view/')
self.assertIsNone(cache_middleware.process_request(request))
csrf_middleware.process_view(request, csrf_view, (), {})
response = csrf_view(request)
response = csrf_middleware.process_response(request, response)
response = cache_middleware.process_response(request, response)
# Inserting a CSRF cookie in a cookie-less request prevented caching.
self.assertIsNone(cache_middleware.process_request(request))
@override_settings(
CACHE_MIDDLEWARE_KEY_PREFIX='settingsprefix',
CACHE_MIDDLEWARE_SECONDS=1,