def test_custom_template_does_not_exist(self):
"""
An exception is raised if a nonexistent template is supplied.
"""
factory = RequestFactory()
request = factory.post('/')
with self.assertRaises(TemplateDoesNotExist):
csrf_failure(request, template_name="nonexistent.html")
def test_custom_template_does_not_exist(self):
"""
An exception is raised if a nonexistent template is supplied.
"""
factory = RequestFactory()
request = factory.post('/')
with self.assertRaises(TemplateDoesNotExist):
csrf_failure(request, template_name="nonexistent.html")
def csrf_failure(request,reason="",*args,**kwargs):
if "HTTP_ACCEPT" not in request.META:
return csrf.csrf_failure(request,reason=reason,*args,**kwargs)
if request.META["HTTP_ACCEPT"]!="application/json":
return csrf.csrf_failure(request,reason=reason,*args,**kwargs)
if settings.DEBUG:
content=b'{ "reason": "%s" }' % reason.encode()
else:
content=b'{}'
return HttpResponseForbidden(content,content_type="application/json")
def csrf_failure(request, reason=''):
"""
CSRF-failure view which converts the failed POST request into a GET
and calls the original view with a sensible error message presented
to the user.
:param request: the HttpRequest
:param reason: non-localised failure description
"""
if _csrf_failed_view.no_moj_csrf:
from django.views.csrf import csrf_failure
return csrf_failure(request, reason=reason)
# present a sensible error message to users
if reason == REASON_NO_CSRF_COOKIE:
reason = _('Please try again.') + ' ' + \
_('Make sure you haven’t disabled cookies.')
elif reason == REASON_NO_REFERER:
reason = _('Please try again.') + ' ' + \
_('Make sure you are using a modern web browser '
'such as Firefox or Google Chrome.')
else:
reason = _('Your browser failed a security check.') + ' ' + \
_('Please try again.')
messages.error(request, reason)
# convert into GET request and show view again
request.method = 'GET'
request.POST = QueryDict()
# call the original view but set response status to forbidden
response = _csrf_failed_view.callback(request, *_csrf_failed_view.args, **_csrf_failed_view.kwargs)
if response.status_code == 200:
response.status_code = 403
return response
def test_templatetag_with_csrf_failure(self):
# Generate a fictitious GET request
request = self.factory.get("/tests/test_403_csrf.html")
# Simulate a CSRF failure by calling the View directly
# This template is using the `provider_login_url` templatetag
response = csrf.csrf_failure(request,
template_name="tests/test_403_csrf.html")
# Ensure that CSRF failures with this template
# tag succeed with the expected 403 response
self.assertEqual(response.status_code, 403)
def debug_csrf_failure(request, reason=""):
"""
raised own CsrfFailure() exception to get the normal debug page on
Csrf failures.
See also:
https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#rejected-requests
More Info: See DocString above.
"""
if not settings.DEBUG:
# Use original HttpResponseForbidden:
return csrf_failure(request, reason)
raise CsrfFailure("csrf failure debug: %r" % reason)
def csrf_failure(request, reason=""):
"""
Overrides the 403 CSRF failure template for bad origins in order to provide more
userful information about how to resolve the issue.
"""
if ("HTTP_ORIGIN" in request.META
and reason == REASON_BAD_ORIGIN % request.META["HTTP_ORIGIN"]):
context = {
"title": _("Forbidden"),
"main": _("CSRF verification failed. Request aborted."),
"reason": reason,
"origin": request.META["HTTP_ORIGIN"],
}
template = loader.get_template("error/403_csrf_bad_origin.html")
return HttpResponseForbidden(template.render(context),
content_type="text/html")
return csrf.csrf_failure(request, reason, "403_csrf.html")
def wrapper(request):
# On vérifie que le csrf est bon
encrypted_token = request.POST.get('csrfencrypt')
current_timestamp = time.time()
if encrypted_token:
# On déchiffre le token
clear_token = decrypt(encrypted_token)
timestamp, secret, session_id = clear_token.split('-')
print(clear_token)
# On vérifie les champs
if (secret == CSRF_SECRET_KEY and
session_id == request.session.session_key and
int(timestamp)//100 == time.time()//100): # A 99 secondes près
print('OK')
return func(request)
else:
print('NOP')
# Sinon, on redirige vers la page d'erreur
return csrf_failure(request)
def csrf_failure(request, reason=''):
"""
CSRF-failure view which converts the failed POST request into a GET
and calls the original view with a sensible error message presented
to the user.
:param request: the HttpRequest
:param reason: non-localised failure description
"""
if _csrf_failed_view.no_moj_csrf:
from django.views.csrf import csrf_failure
return csrf_failure(request, reason=reason)
# present a sensible error message to users
if reason == REASON_NO_CSRF_COOKIE:
reason = _('Please try again.') + ' ' + \
_('Make sure you haven’t disabled cookies.')
elif reason == REASON_NO_REFERER:
reason = _('Please try again.') + ' ' + \
_('Make sure you are using a modern web browser '
'such as Firefox or Google Chrome.')
else:
reason = _('Your browser failed a security check.') + ' ' + \
_('Please try again.')
messages.error(request, reason)
# convert into GET request and show view again
request.method = 'GET'
request.POST = QueryDict()
# call the original view but set response status to forbidden
response = _csrf_failed_view.callback(request, *_csrf_failed_view.args,
**_csrf_failed_view.kwargs)
if response.status_code == 200:
response.status_code = 403
return response
def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME, force_display=False):
if not settings.DEBUG or force_display:
return render(request, 'errors/403_csrf.html', {})
return csrf.csrf_failure(request, reason=reason)
