from tornado.testing import AsyncHTTPTestCase, ExpectLog
from tornado.test.util import unittest
from tornado.util import b, bytes_type, ObjectDict
-from tornado.web import RequestHandler, authenticated, Application, asynchronous, url, HTTPError, StaticFileHandler, _create_signature, create_signed_value
+from tornado.web import RequestHandler, authenticated, Application, asynchronous, url, HTTPError, StaticFileHandler, _create_signature, create_signed_value, ErrorHandler
import binascii
import datetime
def test_httperror_str(self):
self.assertEqual(str(HTTPError(682, reason="Foo")), "HTTP 682: Foo")
wsgi_safe.append(RaiseWithReasonTest)
+
+
+class ErrorHandlerXSRFTest(WebTestCase):
+ def get_handlers(self):
+ # note that if the handlers list is empty we get the default_host
+ # redirect fallback instead of a 404, so test with both an
+ # explicitly defined error handler and an implicit 404.
+ return [('/error', ErrorHandler, dict(status_code=417))]
+
+ def get_app_kwargs(self):
+ return dict(xsrf_cookies=True)
+
+ def test_error_xsrf(self):
+ response = self.fetch('/error', method='POST', body='')
+ self.assertEqual(response.code, 417)
+
+ def test_404_xsrf(self):
+ response = self.fetch('/404', method='POST', body='')
+ self.assertEqual(response.code, 404)
+wsgi_safe.append(ErrorHandlerXSRFTest)
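Review bot: The two new tests in ErrorHandlerXSRFTest only confirm the relaxation (a token-less POST to /error and /404 yields 417 and 404), but nothing confirms that xsrf_cookies=True is still enforced for an ordinary handler in the same application, so a regression that disabled the check globally would still pass this suite. Registering a plain RequestHandler with a post() method alongside the ErrorHandler route and asserting that a token-less POST to it returns 403 pins the bypass to ErrorHandler only. Whether WebTestCase logs that 403 as a warning that needs an ExpectLog wrapper I cannot tell from the hunk; add one if the runner flags it.
```python
class ErrorHandlerXSRFTest(WebTestCase):
    class PostHandler(RequestHandler):
        def post(self):
            self.write("ok")

    def get_handlers(self):
        # … unchanged: comment on default_host fallback …
        return [('/error', ErrorHandler, dict(status_code=417)),
                ('/ok', self.PostHandler)]

    # … unchanged: get_app_kwargs, test_error_xsrf, test_404_xsrf …

    def test_xsrf_still_enforced(self):
        # the XSRF relaxation must be scoped to ErrorHandler only
        response = self.fetch('/ok', method='POST', body='')
        self.assertEqual(response.code, 403)
```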
def prepare(self):
raise HTTPError(self._status_code)
+ def check_xsrf_cookie(self):
+ # POSTs to an ErrorHandler don't actually have side effects,
+ # so we don't need to check the xsrf token. This allows POSTs
+ # to the wrong url to return a 404 instead of 403.
+ pass
+
class RedirectHandler(RequestHandler):
"""Redirects the client to the given URL for all GET requests.
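Review bot: The check_xsrf_cookie override on ErrorHandler is inherited by every subclass, and the justification in the comment holds only because the prepare() directly above it raises HTTPError before any request-body method can run. A subclass that overrides prepare() or adds behaviour before the raise would silently inherit the disabled check, so the contract belongs in a docstring on the method rather than an inline comment: `"""Skip the XSRF check: prepare() always raises before post() can run, so the request has no side effects; subclasses that override prepare() must restore the check."""`. The enclosing ErrorHandler class starts outside the hunk, and the comment's claim about 404-vs-403 is behaviour I cannot verify from these lines alone.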
* `HTTPServer` now takes a ``protocol`` keyword argument which can be set
to ``https`` if the server is behind an SSL-decoding proxy that does not
set any supported X-headers.
+* `tornado.web.ErrorHandler` no longer requires XSRF tokens on ``POST``
+ requests, so posts to an unknown url will always return 404 instead of
+ complaining about XSRF tokens.