diff -r 6641e941ef1e -r ff1a9aa48cfd app/django/contrib/csrf/middleware.py --- a/app/django/contrib/csrf/middleware.py Tue Oct 14 12:36:55 2008 +0000 +++ b/app/django/contrib/csrf/middleware.py Tue Oct 14 16:00:59 2008 +0000 @@ -2,44 +2,45 @@ Cross Site Request Forgery Middleware. This module provides a middleware that implements protection -against request forgeries from other sites. +against request forgeries from other sites. +""" -""" +import re +import itertools + from django.conf import settings from django.http import HttpResponseForbidden +from django.utils.hashcompat import md5_constructor from django.utils.safestring import mark_safe -import md5 -import re -import itertools _ERROR_MSG = mark_safe('

403 Forbidden

Cross Site Request Forgery detected. Request aborted.

') _POST_FORM_RE = \ re.compile(r'(]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE) - -_HTML_TYPES = ('text/html', 'application/xhtml+xml') + +_HTML_TYPES = ('text/html', 'application/xhtml+xml') def _make_token(session_id): - return md5.new(settings.SECRET_KEY + session_id).hexdigest() + return md5_constructor(settings.SECRET_KEY + session_id).hexdigest() class CsrfMiddleware(object): """Django middleware that adds protection against Cross Site - Request Forgeries by adding hidden form fields to POST forms and - checking requests for the correct value. - - In the list of middlewares, SessionMiddleware is required, and must come - after this middleware. CsrfMiddleWare must come after compression + Request Forgeries by adding hidden form fields to POST forms and + checking requests for the correct value. + + In the list of middlewares, SessionMiddleware is required, and must come + after this middleware. CsrfMiddleWare must come after compression middleware. - - If a session ID cookie is present, it is hashed with the SECRET_KEY - setting to create an authentication token. This token is added to all - outgoing POST forms and is expected on all incoming POST requests that + + If a session ID cookie is present, it is hashed with the SECRET_KEY + setting to create an authentication token. This token is added to all + outgoing POST forms and is expected on all incoming POST requests that have a session ID cookie. - - If you are setting cookies directly, instead of using Django's session + + If you are setting cookies directly, instead of using Django's session framework, this middleware will not work. """ - + def process_request(self, request): if request.method == 'POST': try: @@ -54,10 +55,10 @@ request_csrf_token = request.POST['csrfmiddlewaretoken'] except KeyError: return HttpResponseForbidden(_ERROR_MSG) - + if request_csrf_token != csrf_token: return HttpResponseForbidden(_ERROR_MSG) - + return None def process_response(self, request, response): 
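Review bot: `_make_token` still derives the CSRF token as a bare digest of `settings.SECRET_KEY + session_id`; replacing `md5.new` with `md5_constructor` keeps the plain key-and-message concatenation, which is not a keyed MAC and gives no separation between where the secret ends and the session id begins. A keyed construction is a one-line change, `return hmac.new(settings.SECRET_KEY, session_id, md5_constructor).hexdigest()`, with `import hmac` added beside the other stdlib imports; `hmac.new` takes a callable digest constructor, which should cover both the `hashlib` and the legacy `md5` objects that hashcompat appears to select (confirm on the oldest supported Python). Any change to the derivation invalidates tokens already embedded in rendered forms, so it belongs in a separate, announced commit rather than this hashcompat swap. The `process_request` method that consumes the token begins in this hunk and continues past it.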
@@ -66,7 +67,7 @@
 cookie = response.cookies[settings.SESSION_COOKIE_NAME]
 csrf_token = _make_token(cookie.value)
 except KeyError:
- # No outgoing cookie to set session, but
+ # No outgoing cookie to set session, but
 # a session might already exist.
 try:
 session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
@@ -74,12 +75,12 @@
 except KeyError:
 # no incoming or outgoing cookie
 pass
-
+
 if csrf_token is not None and \
 response['Content-Type'].split(';')[0] in _HTML_TYPES:
-
+
 # ensure we don't add the 'id' attribute twice (HTML validity)
- idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),
+ idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),
 itertools.repeat(''))
 def add_csrf_field(match):
 """Returns the matched
tag plus the added element"""