Remove length requirement from v1 XSRF tokens
authorWilliam Tisäter <william@defunct.cc>
Mon, 7 Jul 2014 21:29:44 +0000 (23:29 +0200)
committerWilliam Tisäter <william@defunct.cc>
Mon, 7 Jul 2014 21:29:44 +0000 (23:29 +0200)
tornado/test/web_test.py
tornado/web.py

index c475520b2558fdfc727cfc3c643dac54556df93a..2f595af673d29d0fa7c8a5ff469cd38363d0206b 100644 (file)
@@ -1954,6 +1954,20 @@ class XSRFTest(SimpleHandlerTestCase):
                 body=urllib_parse.urlencode(dict(_xsrf=self.xsrf_token)))
         self.assertEqual(response.code, 403)
 
+    def test_xsrf_success_short_token(self):
+        with ExpectLog(gen_log, ".*XSRF cookie does not match POST"):
+            response = self.fetch(
+                "/", method="POST",
+                body=urllib_parse.urlencode(dict(_xsrf='deadbeef')))
+        self.assertEqual(response.code, 403)
+
+    def test_xsrf_success_non_hex_token(self):
+        with ExpectLog(gen_log, ".*XSRF cookie is not a hexadecimal"):
+            response = self.fetch(
+                "/", method="POST",
+                body=urllib_parse.urlencode(dict(_xsrf='xoxo')))
+        self.assertEqual(response.code, 400)
+
     def test_xsrf_fail_cookie_no_body(self):
         with ExpectLog(gen_log, ".*'_xsrf' argument missing"):
             response = self.fetch(
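Review bot: The two new test names say `success` while both bodies assert a rejection (403 on the short token, 400 on the non-hex one), so the names contradict what is tested; the sibling `test_xsrf_fail_cookie_no_body` shows the convention already in use. Rename them to `def test_xsrf_fail_short_token(self):` and `def test_xsrf_fail_non_hex_token(self):`. It would also help a reader to note in a one-line comment that the malformed value is supplied as the POST argument, not as the `_xsrf` cookie, since the logged messages being matched both say "cookie"; the decode path is apparently shared, but that is not visible in this hunk.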
index 9fe2f77b90b9f1ca1eb4ebbd2c9043d34bdcd0ab..7147c17e625adf576354155fe81ac3e91414d1d0 100644 (file)
@@ -1140,14 +1140,15 @@ class RequestHandler(object):
             else:
                 # Treat unknown versions as not present instead of failing.
                 return None, None, None
-        elif len(cookie) == 32:
+        else:
             version = 1
-            token = binascii.a2b_hex(utf8(cookie))
+            try:
+                token = binascii.a2b_hex(utf8(cookie))
+            except TypeError:
+                raise HTTPError(400, "XSRF cookie is not a hexadecimal")
             # We don't have a usable timestamp in older versions.
             timestamp = int(time.time())
             return (version, token, timestamp)
-        else:
-            return None, None, None
 
     def check_xsrf_cookie(self):
         """Verifies that the ``_xsrf`` cookie matches the ``_xsrf`` argument.
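Review bot: The new `except TypeError:` only covers Python 2, where `binascii.a2b_hex` raises `TypeError` on a non-hex or odd-length input; on Python 3 the same call raises `binascii.Error` (a `ValueError` subclass), so there a malformed token escapes the handler and surfaces as a 500 instead of the intended 400, and the new `test_xsrf_success_non_hex_token` would fail. Catch both: `except (binascii.Error, TypeError):`. Separately, the old code treated any cookie that was not 32 hex characters as absent, while the new `else:` branch raises for any non-hex value; if the caller that mints tokens also goes through this decoder (it is not shown in the hunk), a corrupt or foreign `_xsrf` cookie would now produce a 400 on every request until the client clears it rather than being silently regenerated, which is worth confirming and documenting above the `raise`. The enclosing `_decode_xsrf_token` begins before this hunk.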