Merge remote-tracking branch 'tictail/branch3.2'

Closes #1097
2014-07-08 22:27:35 -04:00 · 2014-07-08 22:27:35 -04:00 · dba499ceb0
parent 9788e4f1ed ab688e7a1b
commit dba499ceb0
2 changed files with 19 additions and 4 deletions
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@ -2193,6 +2193,20 @@ class XSRFTest(SimpleHandlerTestCase):
                headers=self.cookie_headers())
        self.assertEqual(response.code, 403)

+    def test_xsrf_success_short_token(self):
+        response = self.fetch(
+            "/", method="POST",
+            body=urllib_parse.urlencode(dict(_xsrf='deadbeef')),
+            headers=self.cookie_headers(token='deadbeef'))
+        self.assertEqual(response.code, 200)
+
+    def test_xsrf_success_non_hex_token(self):
+        response = self.fetch(
+            "/", method="POST",
+            body=urllib_parse.urlencode(dict(_xsrf='xoxo')),
+            headers=self.cookie_headers(token='xoxo'))
+        self.assertEqual(response.code, 200)
+
    def test_xsrf_success_post_body(self):
        response = self.fetch(
            "/", method="POST",
--- a/tornado/web.py
+++ b/tornado/web.py
@ -1128,14 +1128,15 @@ class RequestHandler(object):
            else:
                # Treat unknown versions as not present instead of failing.
                return None, None, None
-        elif len(cookie) == 32:
+        else:
            version = 1
-            token = binascii.a2b_hex(utf8(cookie))
+            try:
+                token = binascii.a2b_hex(utf8(cookie))
+            except (binascii.Error, TypeError):
+                token = utf8(cookie)
            # We don't have a usable timestamp in older versions.
            timestamp = int(time.time())
            return (version, token, timestamp)
-        else:
-            return None, None, None

    def check_xsrf_cookie(self):
        """Verifies that the ``_xsrf`` cookie matches the ``_xsrf`` argument.