[Django] #32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from


Django
Jun 4, 2021, 3:31:37 PM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
------------------------------------------------+------------------------
Reporter: Chris Jerdonek | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: CSRF | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Currently, if `CsrfViewMiddleware` encounters a bad CSRF token, it will
reject the request with a message like--

* "CSRF token incorrect"
* "CSRF token has incorrect length"

I noticed that it would be relatively easy to include in these messages
whether the token was obtained from `POST` data or a custom header, which
would be useful for troubleshooting. The new messages could look e.g.
like--

* "CSRF token (from POST) incorrect"
* "CSRF token (from 'X-CSRFToken' header) has incorrect length"

The changes to `CsrfViewMiddlewareTestMixin` proposed in #32800 would make
these cases easy to test.

--
Ticket URL: <https://code.djangoproject.com/ticket/32817>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
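The following is an added example, not Django's code and not the patch from this ticket or its PR. It models in self-contained Python the lookup the ticket describes: the middleware takes the token from POST data first and falls back to the header named by CSRF_HEADER_NAME, checks the token's length and alphabet, unmasks it and compares it to the secret, and the rejection reason names where the bad token came from. The request is a plain dict standing in for HttpRequest, the masking scheme is a simplified mirror of the masked-token idea, and the message wording, the META key constant and the header-name rendering are all assumptions made for this example rather than Django's own strings.

```python
# Added example: a self-contained model of token lookup and the source-naming
# reject message proposed in #32817. Not Django's code; the masking scheme,
# request stand-in and exact wording are assumptions for illustration.
import secrets
import string
from typing import Optional, Tuple

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
# WSGI META key for the X-CSRFToken header (assumed here to mirror the
# default value of settings.CSRF_HEADER_NAME).
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"

REASON_INCORRECT_LENGTH = "has incorrect length"
REASON_INVALID_CHARACTERS = "has invalid characters"
REASON_INCORRECT = "incorrect"


def new_secret() -> str:
    """Generate a fresh 32-char secret from the CSRF alphabet."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Return a 64-char token: a random 32-char mask followed by the secret
    shifted character-wise by that mask over CSRF_ALLOWED_CHARS. Every render
    of the same secret yields a different token, so the token embedded in a
    page cannot be recovered piecewise through a compression side channel."""
    chars = CSRF_ALLOWED_CHARS
    mask = new_secret()
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Invert mask_secret(): recover the 32-char secret from a 64-char token."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)]
        for c, m in zip(cipher, mask)
    )


def find_request_token(request: dict) -> Tuple[str, str]:
    """Return (token, source). `request` is a constructed stand-in for
    HttpRequest with the keys 'method', 'POST' and 'META'. POST data is
    consulted first; the header is the fallback that AJAX clients and
    PUT/DELETE requests rely on."""
    token = ""
    if request["method"] == "POST":
        token = request["POST"].get("csrfmiddlewaretoken", "")
    if token:
        return token, "POST"
    return request["META"].get(CSRF_HEADER_NAME, ""), CSRF_HEADER_NAME


def describe_source(source: str) -> str:
    """Render the source for the message: 'POST' as-is, a META key such as
    HTTP_X_CSRFTOKEN as the header name it was derived from (assumed rendering)."""
    if source == "POST":
        return "POST"
    header = source[len("HTTP_"):] if source.startswith("HTTP_") else source
    return f"the {header.replace('_', '-')!r} HTTP header"


def check_token(request: dict, csrf_secret: str) -> Optional[str]:
    """Return None when the request token matches csrf_secret, otherwise the
    rejection reason, which names where the bad token was taken from."""
    token, source = find_request_token(request)
    if not token:
        return "CSRF token missing."
    where = describe_source(source)
    # Format checks run before unmasking so a malformed token never reaches
    # the character arithmetic in unmask_token().
    if len(token) != CSRF_TOKEN_LENGTH:
        return f"CSRF token from {where} {REASON_INCORRECT_LENGTH}."
    if any(c not in CSRF_ALLOWED_CHARS for c in token):
        return f"CSRF token from {where} {REASON_INVALID_CHARACTERS}."
    if not secrets.compare_digest(unmask_token(token), csrf_secret):
        return f"CSRF token from {where} {REASON_INCORRECT}."
    return None


if __name__ == "__main__":
    secret = new_secret()
    form = {"method": "POST", "POST": {"csrfmiddlewaretoken": mask_secret(secret)}, "META": {}}
    ajax = {"method": "PUT", "POST": {}, "META": {CSRF_HEADER_NAME: "too-short"}}
    print(check_token(form, secret))  # None
    print(check_token(ajax, secret))  # CSRF token from the 'X-CSRFTOKEN' HTTP header has incorrect length.
```

The order of checks matters for troubleshooting: a length or alphabet failure is reported before any comparison, so a client that sends, say, the raw 32-char secret in the header instead of a rendered 64-char token gets an "incorrect length" message that also says the header was the source, which is exactly the distinction the ticket asks for.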

Django
Jun 4, 2021, 3:33:19 PM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: nobody
Type: Cleanup/optimization           | Status: new
Component: CSRF                      | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Chris Jerdonek:

Old description:

> Currently, if `CsrfViewMiddleware` encounters a bad CSRF token, it will
> reject the request with a message like--
>
> * "CSRF token incorrect"
> * "CSRF token has incorrect length"
>
> I noticed that it would be relatively easy to include in these messages
> whether the token was obtained from `POST` data or a custom header, which
> would be useful for troubleshooting. The new messages could look e.g.
> like--
>
> * "CSRF token (from POST) incorrect"
> * "CSRF token (from 'X-CSRFToken' header) has incorrect length"
>
> The changes to `CsrfViewMiddlewareTestMixin` proposed in #32800 would
> make these cases easy to test.

New description:

Currently, if `CsrfViewMiddleware` encounters a bad CSRF token, it will
reject the request with a message like--

* "CSRF token incorrect"
* "CSRF token has incorrect length"

I noticed that it would be relatively easy to include in these messages
whether the token was obtained from `POST` data or a custom header, which
would be useful for troubleshooting. The messages are specified
[https://github.com/django/django/blob/213850b4b9641bdcb714172999725ec9aa9c9e84/django/middleware/csrf.py#L411-L417
here in the code]. The new messages could look e.g. like--

* "CSRF token (from POST) incorrect"
* "CSRF token (from 'X-CSRFToken' header) has incorrect length"

The changes to `CsrfViewMiddlewareTestMixin` proposed in #32800 would make
these cases easy to test.

--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:1>

Django
Jun 7, 2021, 3:19:23 AM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
--------------------------------------+------------------------------------
Reporter: Chris Jerdonek              | Owner: nobody
Type: Cleanup/optimization            | Status: new
Component: CSRF                       | Version: dev
Severity: Normal                      | Resolution:
Keywords:                             | Triage Stage: Accepted
Has patch: 0                          | Needs documentation: 0
Needs tests: 0                        | Patch needs improvement: 0
Easy pickings: 0                      | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Mariusz Felisiak):

* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:2>

Django
Jun 7, 2021, 3:57:19 AM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: Chris Jerdonek
Type: Cleanup/optimization           | Status: assigned
Component: CSRF                      | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Chris Jerdonek):

* owner: nobody => Chris Jerdonek
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:3>

Django
Jun 11, 2021, 11:03:10 AM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: Chris Jerdonek
Type: Cleanup/optimization           | Status: assigned
Component: CSRF                      | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Chris Jerdonek):

* has_patch: 0 => 1


Comment:

PR: https://github.com/django/django/pull/14518

--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:4>

Django
Jun 23, 2021, 1:52:06 AM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: Chris Jerdonek
Type: Cleanup/optimization           | Status: assigned
Component: CSRF                      | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:5>

Django
Jun 24, 2021, 1:21:43 AM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: Chris Jerdonek
Type: Cleanup/optimization           | Status: assigned
Component: CSRF                      | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"999402f1428870cf9f078940880c8646174bb909" 999402f]:
{{{
#!CommitTicketReference repository=""
revision="999402f1428870cf9f078940880c8646174bb909"
Refs #32817 -- Combined the bad-or-missing CSRF token tests.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:6>

Django
Jun 24, 2021, 1:21:43 AM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: Chris Jerdonek
Type: Cleanup/optimization           | Status: closed
Component: CSRF                      | Version: dev
Severity: Normal                     | Resolution: fixed
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"fcb75651f9b8c2f76ec037f1a68a0e5c99263d8c" fcb7565]:
{{{
#!CommitTicketReference repository=""
revision="fcb75651f9b8c2f76ec037f1a68a0e5c99263d8c"
Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token
error messages.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:9>

Django
Jun 24, 2021, 1:21:44 AM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: Chris Jerdonek
Type: Cleanup/optimization           | Status: assigned
Component: CSRF                      | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"1a284afb07ad8806b29044a8cdd0d0bb20165fa4" 1a284afb]:
{{{
#!CommitTicketReference repository=""
revision="1a284afb07ad8806b29044a8cdd0d0bb20165fa4"
Refs #32817 -- Added tests for bad CSRF token provided via X-CSRFToken or
custom header.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:8>

Django
Jun 24, 2021, 1:21:45 AM
to django-...@googlegroups.com
#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: Chris Jerdonek
Type: Cleanup/optimization           | Status: assigned
Component: CSRF                      | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"6837bd68a44ee8676a522bfe6121bd3e82cea677" 6837bd68]:
{{{
#!CommitTicketReference repository=""
revision="6837bd68a44ee8676a522bfe6121bd3e82cea677"
Refs #32817 -- Added post_token/meta_token/token_header arguments to
_get_POST_csrf_cookie_request().
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:7>
