From: Ben Darnell
Date: Sun, 25 Nov 2012 17:01:14 +0000 (-0500)
Subject: ErrorHandler no longer requires XSRF tokens.
X-Git-Tag: v3.0.0~211
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12c4e9ff2116cdd9771be6dcfd3f526331203e33;p=thirdparty%2Ftornado.git

ErrorHandler no longer requires XSRF tokens.

Closes #638.
---

diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index 46b4ec1e7..6b1fdf960 100644
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -8,7 +8,7 @@ from tornado.template import DictLoader
 from tornado.testing import AsyncHTTPTestCase, ExpectLog
 from tornado.test.util import unittest
 from tornado.util import b, bytes_type, ObjectDict
-from tornado.web import RequestHandler, authenticated, Application, asynchronous, url, HTTPError, StaticFileHandler, _create_signature, create_signed_value
+from tornado.web import RequestHandler, authenticated, Application, asynchronous, url, HTTPError, StaticFileHandler, _create_signature, create_signed_value, ErrorHandler
 
 import binascii
 import datetime
@@ -959,3 +959,23 @@ class RaiseWithReasonTest(SimpleHandlerTestCase):
     def test_httperror_str(self):
         self.assertEqual(str(HTTPError(682, reason="Foo")), "HTTP 682: Foo")
 wsgi_safe.append(RaiseWithReasonTest)
+
+
+class ErrorHandlerXSRFTest(WebTestCase):
+    def get_handlers(self):
+        # note that if the handlers list is empty we get the default_host
+        # redirect fallback instead of a 404, so test with both an
+        # explicitly defined error handler and an implicit 404.
+        return [('/error', ErrorHandler, dict(status_code=417))]
+
+    def get_app_kwargs(self):
+        return dict(xsrf_cookies=True)
+
+    def test_error_xsrf(self):
+        response = self.fetch('/error', method='POST', body='')
+        self.assertEqual(response.code, 417)
+
+    def test_404_xsrf(self):
+        response = self.fetch('/404', method='POST', body='')
+        self.assertEqual(response.code, 404)
+wsgi_safe.append(ErrorHandlerXSRFTest)
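Review bot: The two new tests in `ErrorHandlerXSRFTest` only assert the status codes 417 and 404, so they would also pass if `xsrf_cookies=True` were silently not enforced at all; there is no positive control showing that a real handler in the same application still rejects a token-less POST with 403. Without that control, a later regression that weakens the global XSRF check would go unnoticed by this test class. I would register a minimal handler alongside the `ErrorHandler` route and add a third test that expects 403 from it, so the pair of tests pins both sides of the behavior. `RequestHandler` is already in scope from the import line changed in the first hunk; `WebTestCase` and `wsgi_safe` are defined outside this hunk.
```python
class XSRFControlHandler(RequestHandler):
    # Plain handler with a real POST: must still be rejected without a token.
    def post(self):
        self.write("ok")


class ErrorHandlerXSRFTest(WebTestCase):
    def get_handlers(self):
        # … unchanged: comment about the default_host fallback …
        return [('/error', ErrorHandler, dict(status_code=417)),
                ('/control', XSRFControlHandler)]

    # … unchanged: get_app_kwargs, test_error_xsrf, test_404_xsrf …

    def test_control_xsrf(self):
        # Positive control: the XSRF check is still active for ordinary handlers.
        response = self.fetch('/control', method='POST', body='')
        self.assertEqual(response.code, 403)
```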
diff --git a/tornado/web.py b/tornado/web.py
index c6d6fada0..4d8362a6f 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -1523,6 +1523,12 @@ class ErrorHandler(RequestHandler):
     def prepare(self):
         raise HTTPError(self._status_code)
 
+    def check_xsrf_cookie(self):
+        # POSTs to an ErrorHandler don't actually have side effects,
+        # so we don't need to check the xsrf token. This allows POSTs
+        # to the wrong url to return a 404 instead of 403.
+        pass
+
 
 class RedirectHandler(RequestHandler):
     """Redirects the client to the given URL for all GET requests.
diff --git a/website/sphinx/releases/next.rst b/website/sphinx/releases/next.rst
index 8a1ba140a..7a2d997f4 100644
--- a/website/sphinx/releases/next.rst
+++ b/website/sphinx/releases/next.rst
@@ -183,3 +183,6 @@ In progress
 * `HTTPServer` now takes a ``protocol`` keyword argument which can be set to ``https`` if the server is behind an SSL-decoding proxy that does not set any supported X-headers.
+* `tornado.web.ErrorHandler` no longer requires XSRF tokens on ``POST``
+  requests, so posts to an unknown url will always return 404 instead of
+  complaining about XSRF tokens.
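Review bot: The `check_xsrf_cookie` override in `ErrorHandler` is only safe because `prepare()` two lines above raises unconditionally, so no `post`/`put`/`delete` body can ever execute; the comment states the conclusion ("don't actually have side effects") but not the invariant it depends on. Any subclass that overrides `prepare` or adds a verb method silently inherits a disabled XSRF check, which is exactly the kind of quiet hole a future maintainer would not look for in an error handler. I would replace the `pass` with a docstring that pins the dependency, e.g. `"""No-op: ErrorHandler.prepare() always raises before any verb runs, so a POST here can have no side effect; subclasses that override prepare() must not rely on this."""`. The rest of ErrorHandler's body (where `_status_code` is set) is outside this hunk.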