Merge pull request #3742 from Pylons/fix-csrf-400-status

Fix csrf 400 status lines
Pylons · Jan 29, 2024 · e77b72d · e77b72d
2 parents 8de7b1f + 3abbab6
commit e77b72d
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 12 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -44,6 +44,13 @@ Bug Fixes
 
   See https://github.com/Pylons/pyramid/pull/3741/files
 
+- Applications raising ``pyramid.exceptions.BadCSRFToken`` and
+  ``pyramid.exceptions.BadCSRFOrigin`` were returning invalid HTTP status
+  lines with values like ``400 Bad CSRF Origin`` instead of
+  ``400 Bad Request``.
+
+  See https://github.com/Pylons/pyramid/pull/3742
+
 Backward Incompatibilities
 --------------------------
 

diff --git a/src/pyramid/exceptions.py b/src/pyramid/exceptions.py
@@ -10,12 +10,11 @@ class BadCSRFOrigin(HTTPBadRequest):
     origin validation.
     """
 
-    title = "Bad CSRF Origin"
     explanation = (
-        "Access is denied. This server can not verify that the origin or "
-        "referrer of your request matches the current site. Either your "
-        "browser supplied the wrong Origin or Referrer or it did not supply "
-        "one at all."
+        "Bad CSRF Origin. Access is denied. This server can not verify that "
+        "the origin or referrer of your request matches the current site. "
+        "Either your browser supplied the wrong Origin or Referrer or it did "
+        "not supply one at all."
     )
 
 
@@ -25,14 +24,13 @@ class BadCSRFToken(HTTPBadRequest):
     forgery token validation.
     """
 
-    title = 'Bad CSRF Token'
     explanation = (
-        'Access is denied.  This server can not verify that your cross-site '
-        'request forgery token belongs to your login session.  Either you '
-        'supplied the wrong cross-site request forgery token or your session '
-        'no longer exists.  This may be due to session timeout or because '
-        'browser is not supplying the credentials required, as can happen '
-        'when the browser has cookies turned off.'
+        'Bad CSRF token received. Access is denied. This server can not '
+        'verify that your cross-site request forgery token belongs to your '
+        'login session. Either you supplied the wrong cross-site request '
+        'forgery token or your session no longer exists. This may be due to '
+        'session timeout or because browser is not supplying the credentials '
+        'required, as can happen when the browser has cookies turned off.'
     )
 
 

diff --git a/tests/test_exceptions.py b/tests/test_exceptions.py
@@ -16,12 +16,22 @@ def test_bwcompat_forbidden(self):
         self.assertTrue(one is two)
 
 
+class TestBadCSRFOrigin(unittest.TestCase):
+    def test_response_equivalence(self):
+        from pyramid.exceptions import BadCSRFOrigin
+        from pyramid.httpexceptions import HTTPBadRequest
+
+        self.assertTrue(isinstance(BadCSRFOrigin(), HTTPBadRequest))
+        self.assertEqual(BadCSRFOrigin().status, HTTPBadRequest().status)
+
+
 class TestBadCSRFToken(unittest.TestCase):
     def test_response_equivalence(self):
         from pyramid.exceptions import BadCSRFToken
         from pyramid.httpexceptions import HTTPBadRequest
 
         self.assertTrue(isinstance(BadCSRFToken(), HTTPBadRequest))
+        self.assertEqual(BadCSRFToken().status, HTTPBadRequest().status)
 
 
 class TestNotFound(unittest.TestCase):