$OpenBSD: patch-django_middleware_csrf_py,v 1.1 2011/02/11 11:45:48 jasper Exp $

Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/

Patch from upstream svn -r15465.

--- django/middleware/csrf.py.orig	Thu Oct 28 04:58:51 2010
+++ django/middleware/csrf.py	Thu Feb 10 09:51:46 2011
@@ -130,31 +130,6 @@ class CsrfViewMiddleware(object):
                 # any branches that call reject()
                 return self._accept(request)
 
-            if request.is_ajax():
-                # .is_ajax() is based on the presence of X-Requested-With.  In
-                # the context of a browser, this can only be sent if using
-                # XmlHttpRequest.  Browsers implement careful policies for
-                # XmlHttpRequest:
-                #
-                #  * Normally, only same-domain requests are allowed.
-                #
-                #  * Some browsers (e.g. Firefox 3.5 and later) relax this
-                #    carefully:
-                #
-                #    * if it is a 'simple' GET or POST request (which can
-                #      include no custom headers), it is allowed to be cross
-                #      domain.  These requests will not be recognized as AJAX.
-                #
-                #    * if a 'preflight' check with the server confirms that the
-                #      server is expecting and allows the request, cross domain
-                #      requests even with custom headers are allowed. These
-                #      requests will be recognized as AJAX, but can only get
-                #      through when the developer has specifically opted in to
-                #      allowing the cross-domain POST request.
-                #
-                # So in all cases, it is safe to allow these requests through.
-                return self._accept(request)
-
             if request.is_secure():
                 # Strict referer checking for HTTPS
                 referer = request.META.get('HTTP_REFERER')
@@ -185,7 +160,11 @@ class CsrfViewMiddleware(object):
                 csrf_token = request.META["CSRF_COOKIE"]
 
             # check incoming token
-            request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
+            request_csrf_token = request.POST.get('csrfmiddlewaretoken', "")
+            if request_csrf_token == "":
+                # Fall back to X-CSRFToken, to make things easier for AJAX
+                request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
+
             if request_csrf_token != csrf_token:
                 if cookie_is_new:
                     # probably a problem setting the CSRF cookie
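Review bot: The comment on the new header fallback says only that it "make[s] things easier for AJAX"; it should record why trusting `HTTP_X_CSRFTOKEN` is acceptable now that the blanket is_ajax() exemption is gone, since the reasoning that the old block carried is otherwise lost. Something like `# X-CSRFToken is a custom header, so a browser only sends it cross-origin after a CORS preflight the server must explicitly allow; the value is still compared against the cookie below, so this is a second way to supply the token, not an exemption.` would keep that knowledge next to the code. Note also that the header is consulted only when the form field is absent or empty, so a present-but-wrong `csrfmiddlewaretoken` is never rescued by the header — worth a sentence in the comment so nobody later "fixes" that as an oversight. The comparison `request_csrf_token != csrf_token` is only safe if `csrf_token` can never itself be the empty string; that depends on how `CSRF_COOKIE` is sanitised, which is outside this hunk, and should be confirmed. The enclosing process_view method starts before and ends after the hunk.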
