From c50e01e10717bf0e409437a61ce4f533647e0605 Mon Sep 17 00:00:00 2001
From: Awais Qureshi
Date: Wed, 20 Sep 2023 15:49:47 +0500
Subject: [PATCH] feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme. (#33226)
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* fix: fix quality failure
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
---
 lms/djangoapps/experiments/tests/test_views.py | 8 ++++++++
 lms/envs/production.py | 5 +++++
 lms/envs/test.py | 8 ++++++++
 3 files changed, 21 insertions(+)
diff --git a/lms/djangoapps/experiments/tests/test_views.py b/lms/djangoapps/experiments/tests/test_views.py
index ebd6bb74fb..1378fbd9f0 100644
--- a/lms/djangoapps/experiments/tests/test_views.py
+++ b/lms/djangoapps/experiments/tests/test_views.py
@@ -6,6 +6,7 @@ from unittest.mock import patch
 import six.moves.urllib.parse
 from datetime import timedelta
+import django
 from django.conf import settings
 from django.core.handlers.wsgi import WSGIRequest
 from django.test.utils import override_settings
@@ -166,6 +167,13 @@ class ExperimentDataViewSetTests(APITestCase, ModuleStoreTestCase): # lint-amne
 response = self.client.patch(url, data)
 assert response.status_code == 404
+ def test_loads_valid_csrf_trusted_origins_list(self):
+ """checking CSRF_TRUSTED_ORIGINS here. in django4.2 they will require schemes"""
+ if django.VERSION[0] < 4: # for greater than django 3.2 use schemes.
+ assert settings.CSRF_TRUSTED_ORIGINS == ['.example.com']
+ else:
+ assert settings.CSRF_TRUSTED_ORIGINS == ['https://*.example.com']
+
 def cross_domain_config(func):
 """Decorator for configuring a cross-domain request. """
diff --git a/lms/envs/production.py b/lms/envs/production.py
index 756fd8a241..5c121461da 100644
--- a/lms/envs/production.py
+++ b/lms/envs/production.py
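Review bot: The docstring on the new `test_loads_valid_csrf_trusted_origins_list` says "in django4.2 they will require schemes", but the gate below it is `django.VERSION[0] < 4` and the commit subject itself says 4.0 and above — the scheme requirement applies from Django 4.0, so the docstring misstates the boundary the test checks. The inline comment `# for greater than django 3.2 use schemes.` is also attached to the `< 4` branch, which is the pre-scheme branch, so it reads as the opposite of what that branch asserts. Suggested docstring: `"""Test settings expose scheme-qualified CSRF_TRUSTED_ORIGINS on Django 4.0+ and the hostname-only form on earlier versions."""`, with the inline comment moved to the `else:` line. The enclosing class `ExperimentDataViewSetTests` starts outside the hunk.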
@@ -23,6 +23,7 @@ import os
 import yaml
 from corsheaders.defaults import default_headers as corsheaders_default_headers
+import django
 from django.core.exceptions import ImproperlyConfigured
 from edx_django_utils.plugins import add_plugins
 from path import Path as path
@@ -366,6 +367,10 @@ CSRF_COOKIE_SECURE = ENV_TOKENS.get('CSRF_COOKIE_SECURE', False)
 # Determines which origins are trusted for unsafe requests eg. POST requests.
 CSRF_TRUSTED_ORIGINS = ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS', [])
+# values are already updated above with default CSRF_TRUSTED_ORIGINS values but in
+# case of new django version these values will override.
+if django.VERSION[0] >= 4: # for greater than django 3.2 use schemes.
+ CSRF_TRUSTED_ORIGINS = ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS_WITH_SCHEME', [])
 ############# CORS headers for cross-domain requests #################
diff --git a/lms/envs/test.py b/lms/envs/test.py
index 284ebc915d..32352c8498 100644
--- a/lms/envs/test.py
+++ b/lms/envs/test.py
@@ -18,6 +18,7 @@ from collections import OrderedDict
 from uuid import uuid4
 import openid.oidutil
+import django
 from django.utils.translation import gettext_lazy
 from edx_django_utils.plugins import add_plugins
 from path import Path as path
@@ -677,3 +678,10 @@ SUBSCRIPTIONS_BUY_SUBSCRIPTION_URL = f"{SUBSCRIPTIONS_ROOT_URL}/api/v1/stripe-su
 SUBSCRIPTIONS_MANAGE_SUBSCRIPTION_URL = None
 SUBSCRIPTIONS_MINIMUM_PRICE = '$39'
 SUBSCRIPTIONS_TRIAL_LENGTH = 7
+CSRF_TRUSTED_ORIGINS = ['.example.com']
+CSRF_TRUSTED_ORIGINS_WITH_SCHEME = ['https://*.example.com']
+
+# values are already updated above with default CSRF_TRUSTED_ORIGINS values but in
+# case of new django version these values will override.
+if django.VERSION[0] >= 4: # for greater than django 3.2 use with schemes.
+ CSRF_TRUSTED_ORIGINS = CSRF_TRUSTED_ORIGINS_WITH_SCHEME
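Review bot: On Django 4+, a deployment whose config still sets only the legacy `CSRF_TRUSTED_ORIGINS` key silently ends up with `CSRF_TRUSTED_ORIGINS = []`, because the override in the `-366` hunk reads `ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS_WITH_SCHEME', [])` and discards the value assigned two lines earlier without any log line or check. That fails closed — cross-origin unsafe requests are rejected — but the failure surfaces as CSRF 403s in production rather than at startup, and nothing here validates that the new key's entries actually carry a scheme (Django's own system check presumably catches scheme-less values, but only if checks run). Since `ImproperlyConfigured` is already imported in this file, the override should refuse to proceed when the legacy key is populated but the scheme-qualified key is missing, and reject entries without a scheme; the comment could then say what is actually happening, e.g. `# Django 4.0+ requires scheme-qualified origins; the legacy key is ignored there.` The parallel gate in `lms/envs/test.py` (the `-677` hunk) uses constants and needs no such check.
```python
# … unchanged: CSRF_TRUSTED_ORIGINS = ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS', []) …
if django.VERSION[0] >= 4:  # Django 4.0+ requires scheme-qualified origins; the legacy key is ignored there.
    CSRF_TRUSTED_ORIGINS = ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS_WITH_SCHEME', [])
    if not CSRF_TRUSTED_ORIGINS and ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS'):
        raise ImproperlyConfigured(
            "Django 4+ ignores CSRF_TRUSTED_ORIGINS; set CSRF_TRUSTED_ORIGINS_WITH_SCHEME "
            "to scheme-qualified origins (e.g. https://lms.example.com)."
        )
    for origin in CSRF_TRUSTED_ORIGINS:
        if '://' not in origin:
            raise ImproperlyConfigured(
                f"CSRF_TRUSTED_ORIGINS_WITH_SCHEME entry {origin!r} must include a scheme."
            )
```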