Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.

Thanks Walter Doekes.

Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.
Thanks Walter Doekes.
815e7a57 · Tim Graham · fd4ccd04 · 815e7a57 · 815e7a57
Kaydet (Commit) 815e7a57 authored Haz 25, 2014 tarafından Tim Graham
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 1 deletion

csrf.py django/middleware/csrf.py +9 -1

tests.py tests/csrf_tests/tests.py +41 -0

No files found.
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -167,7 +167,15 @@ class CsrfViewMiddleware(object):
            # Check non-cookie token for match.
            request_csrf_token = ""
            if request.method == "POST":
-                request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
+                try:
+                    request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
+                except IOError:
+                    # Handle a broken connection before we've completed reading
+                    # the POST data. process_view shouldn't raise any
+                    # exceptions, so we'll ignore and serve the user a 403
+                    # (assuming they're still listening, which they probably
+                    # aren't because of the error).
+                    pass

            if request_csrf_token == "":
                # Fall back to X-CSRFToken, to make things easier for AJAX,

--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -428,3 +428,44 @@ class CsrfViewMiddlewareTest(TestCase):
            resp2 = CsrfViewMiddleware().process_response(req, resp)
            max_age = resp2.cookies.get('csrfcookie').get('max-age')
            self.assertEqual(max_age, '')
+
+    def test_post_data_read_failure(self):
+        """
+        #20128 -- IOErrors during POST data reading should be caught and
+        treated as if the POST data wasn't there.
+        """
+        class CsrfPostRequest(HttpRequest):
+            """
+            HttpRequest that can raise an IOError when accessing POST data
+            """
+            def __init__(self, token, raise_error):
+                super(CsrfPostRequest, self).__init__()
+                self.method = 'POST'
+
+                self.raise_error = False
+                self.COOKIES[settings.CSRF_COOKIE_NAME] = token
+                self.POST['csrfmiddlewaretoken'] = token
+                self.raise_error = raise_error
+
+            def _load_post_and_files(self):
+                raise IOError('error reading input data')
+
+            def _get_post(self):
+                if self.raise_error:
+                    self._load_post_and_files()
+                return self._post
+
+            def _set_post(self, post):
+                self._post = post
+
+            POST = property(_get_post, _set_post)
+
+        token = 'ABC'
+
+        req = CsrfPostRequest(token, raise_error=False)
+        resp = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertEqual(resp, None)
+
+        req = CsrfPostRequest(token, raise_error=True)
+        resp = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertEqual(resp.status_code, 403)