From d545eef5f5411c0236f04ead9e4e52d93d9a2451 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sun, 28 Jan 2024 21:34:28 -0700 Subject: [PATCH 1/2] fix BadCSRFOrigin and BadCSRFToken returning invalid HTTP status lines --- src/pyramid/exceptions.py | 22 ++++++++++------------ tests/test_exceptions.py | 10 ++++++++++ 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/src/pyramid/exceptions.py b/src/pyramid/exceptions.py index 16aeb7e4ff..9f19a4bb4d 100644 --- a/src/pyramid/exceptions.py +++ b/src/pyramid/exceptions.py @@ -10,12 +10,11 @@ class BadCSRFOrigin(HTTPBadRequest): origin validation. """ - title = "Bad CSRF Origin" explanation = ( - "Access is denied. This server can not verify that the origin or " - "referrer of your request matches the current site. Either your " - "browser supplied the wrong Origin or Referrer or it did not supply " - "one at all." + "Bad CSRF Origin. Access is denied. This server can not verify that " + "the origin or referrer of your request matches the current site. " + "Either your browser supplied the wrong Origin or Referrer or it did " + "not supply one at all." ) @@ -25,14 +24,13 @@ class BadCSRFToken(HTTPBadRequest): forgery token validation. """ - title = 'Bad CSRF Token' explanation = ( - 'Access is denied. This server can not verify that your cross-site ' - 'request forgery token belongs to your login session. Either you ' - 'supplied the wrong cross-site request forgery token or your session ' - 'no longer exists. This may be due to session timeout or because ' - 'browser is not supplying the credentials required, as can happen ' - 'when the browser has cookies turned off.' + 'Bad CSRF token received. Access is denied. This server can not ' + 'verify that your cross-site request forgery token belongs to your ' + 'login session. Either you supplied the wrong cross-site request ' + 'forgery token or your session no longer exists. This may be due to ' + 'session timeout or because browser is not supplying the credentials ' + 'required, as can happen when the browser has cookies turned off.' ) diff --git a/tests/test_exceptions.py b/tests/test_exceptions.py index e7a2871a51..d5f247c2a6 100644 --- a/tests/test_exceptions.py +++ b/tests/test_exceptions.py @@ -16,12 +16,22 @@ def test_bwcompat_forbidden(self): self.assertTrue(one is two) +class TestBadCSRFOrigin(unittest.TestCase): + def test_response_equivalence(self): + from pyramid.exceptions import BadCSRFOrigin + from pyramid.httpexceptions import HTTPBadRequest + + self.assertTrue(isinstance(BadCSRFOrigin(), HTTPBadRequest)) + self.assertEqual(BadCSRFOrigin().status, HTTPBadRequest().status) + + class TestBadCSRFToken(unittest.TestCase): def test_response_equivalence(self): from pyramid.exceptions import BadCSRFToken from pyramid.httpexceptions import HTTPBadRequest self.assertTrue(isinstance(BadCSRFToken(), HTTPBadRequest)) + self.assertEqual(BadCSRFToken().status, HTTPBadRequest().status) class TestNotFound(unittest.TestCase): From f3da484e6a3550ce1dd5d3f1f34e058e82c21aa5 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sun, 28 Jan 2024 21:38:50 -0700 Subject: [PATCH 2/2] add changelog for #3742 --- CHANGES.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGES.rst b/CHANGES.rst index b4a62f94ef..d1cf0717d4 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -36,6 +36,13 @@ Bug Fixes Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue. +- Applications raising ``pyramid.exceptions.BadCSRFToken`` and + ``pyramid.exceptions.BadCSRFOrigin`` were returning invalid HTTP status + lines with values like ``400 Bad CSRF Origin`` instead of + ``400 Bad Request``. + + See https://github.com/Pylons/pyramid/pull/3742 + Backward Incompatibilities --------------------------