Fix csrf 400 status lines #3742

Merged
merged 3 commits into from
Jan 29, 2024
Merged
fix BadCSRFOrigin and BadCSRFToken returning invalid HTTP status lines
mmerickel committed Jan 29, 2024
commit d545eef5f5411c0236f04ead9e4e52d93d9a2451
22 changes: 10 additions & 12 deletions src/pyramid/exceptions.py
Expand Up @@ -10,12 +10,11 @@ class BadCSRFOrigin(HTTPBadRequest):
origin validation.
"""

title = "Bad CSRF Origin"
explanation = (
"Access is denied. This server can not verify that the origin or "
"referrer of your request matches the current site. Either your "
"browser supplied the wrong Origin or Referrer or it did not supply "
"one at all."
"Bad CSRF Origin. Access is denied. This server can not verify that "
"the origin or referrer of your request matches the current site. "
"Either your browser supplied the wrong Origin or Referrer or it did "
"not supply one at all."
)


Expand All @@ -25,14 +24,13 @@ class BadCSRFToken(HTTPBadRequest):
forgery token validation.
"""

title = 'Bad CSRF Token'
explanation = (
'Access is denied. This server can not verify that your cross-site '
'request forgery token belongs to your login session. Either you '
'supplied the wrong cross-site request forgery token or your session '
'no longer exists. This may be due to session timeout or because '
'browser is not supplying the credentials required, as can happen '
'when the browser has cookies turned off.'
'Bad CSRF token received. Access is denied. This server can not '
'verify that your cross-site request forgery token belongs to your '
'login session. Either you supplied the wrong cross-site request '
'forgery token or your session no longer exists. This may be due to '
'session timeout or because browser is not supplying the credentials '
'required, as can happen when the browser has cookies turned off.'
)


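Review bot: Nothing in either class records why `title` is no longer overridden, so a later contributor restoring a descriptive title would silently reintroduce the non-standard status line this commit removes; the old title wording is now folded into the first sentence of `explanation` in both the BadCSRFOrigin hunk and the BadCSRFToken hunk below it, but that intent is left implicit. The commit message and the new `.status` equality test suggest the status line is derived from `title`, though the mechanism itself is outside this diff. Add a short why-comment above `explanation` in both classes, e.g. `# Keep the inherited ``title``: overriding it alters the HTTP status line, which must stay the standard 400 reason phrase (#3742).` Both class definitions start outside the hunks.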
10 changes: 10 additions & 0 deletions tests/test_exceptions.py
Expand Up @@ -16,12 +16,22 @@ def test_bwcompat_forbidden(self):
self.assertTrue(one is two)


class TestBadCSRFOrigin(unittest.TestCase):
def test_response_equivalence(self):
from pyramid.exceptions import BadCSRFOrigin
from pyramid.httpexceptions import HTTPBadRequest

self.assertTrue(isinstance(BadCSRFOrigin(), HTTPBadRequest))
self.assertEqual(BadCSRFOrigin().status, HTTPBadRequest().status)


class TestBadCSRFToken(unittest.TestCase):
def test_response_equivalence(self):
from pyramid.exceptions import BadCSRFToken
from pyramid.httpexceptions import HTTPBadRequest

self.assertTrue(isinstance(BadCSRFToken(), HTTPBadRequest))
self.assertEqual(BadCSRFToken().status, HTTPBadRequest().status)


class TestNotFound(unittest.TestCase):
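Review bot: Both new test methods use `self.assertTrue(isinstance(BadCSRFOrigin(), HTTPBadRequest))`, which on failure reports only `False is not true`; `self.assertIsInstance(BadCSRFOrigin(), HTTPBadRequest)` reports the offending type instead, and the same applies to the BadCSRFToken test below it. The constructed exception could also be bound once, `exc = BadCSRFOrigin()`, and reused in both assertions rather than instantiated twice. The rendered page does not show which of these lines are new and which are pre-existing context, so part of this may concern code the commit did not touch.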