middleware: Remove unused cookie_domain setting.
Since commit 1d72629dc4, we have been
maintaining a patched copy of Django’s
SessionMiddleware.process_response in order to unconditionally ignore
our own optional cookie_domain setting that we don’t set.
Instead, let’s not do that.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
committed by
Tim Abbott
parent
68257e28ce
commit
dce6b4a40f
@@ -6,16 +6,12 @@ from typing import Any, AnyStr, Dict, \
|
||||
Iterable, List, MutableMapping, Optional
|
||||
|
||||
from django.conf import settings
|
||||
from django.contrib.sessions.backends.base import UpdateError
|
||||
from django.contrib.sessions.middleware import SessionMiddleware
|
||||
from django.core.exceptions import DisallowedHost, SuspiciousOperation
|
||||
from django.core.exceptions import DisallowedHost
|
||||
from django.db import connection
|
||||
from django.http import HttpRequest, HttpResponse, StreamingHttpResponse
|
||||
from django.middleware.common import CommonMiddleware
|
||||
from django.shortcuts import render
|
||||
from django.utils.cache import patch_vary_headers
|
||||
from django.utils.deprecation import MiddlewareMixin
|
||||
from django.utils.http import http_date
|
||||
from django.utils.translation import ugettext as _
|
||||
from django.views.csrf import csrf_failure as html_csrf_failure
|
||||
|
||||
@@ -392,7 +388,7 @@ class FlushDisplayRecipientCache(MiddlewareMixin):
|
||||
flush_per_request_caches()
|
||||
return response
|
||||
|
||||
class SessionHostDomainMiddleware(SessionMiddleware):
|
||||
class HostDomainMiddleware(MiddlewareMixin):
|
||||
def process_response(self, request: HttpRequest, response: HttpResponse) -> HttpResponse:
|
||||
if getattr(response, "asynchronous", False):
|
||||
# This special Tornado "asynchronous" response is
|
||||
@@ -418,65 +414,6 @@ class SessionHostDomainMiddleware(SessionMiddleware):
|
||||
get_realm(subdomain)
|
||||
except Realm.DoesNotExist:
|
||||
return render(request, "zerver/invalid_realm.html", status=404)
|
||||
"""
|
||||
If request.session was modified, or if the configuration is to save the
|
||||
session every time, save the changes and set a session cookie or delete
|
||||
the session cookie if the session has been emptied.
|
||||
"""
|
||||
try:
|
||||
accessed = request.session.accessed
|
||||
modified = request.session.modified
|
||||
empty = request.session.is_empty()
|
||||
except AttributeError:
|
||||
pass
|
||||
else:
|
||||
# First check if we need to delete this cookie.
|
||||
# The session should be deleted only if the session is entirely empty
|
||||
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
|
||||
response.delete_cookie(
|
||||
settings.SESSION_COOKIE_NAME,
|
||||
path=settings.SESSION_COOKIE_PATH,
|
||||
domain=settings.SESSION_COOKIE_DOMAIN,
|
||||
)
|
||||
else:
|
||||
if accessed:
|
||||
patch_vary_headers(response, ('Cookie',))
|
||||
if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
|
||||
if request.session.get_expire_at_browser_close():
|
||||
max_age = None
|
||||
expires = None
|
||||
else:
|
||||
max_age = request.session.get_expiry_age()
|
||||
expires_time = time.time() + max_age
|
||||
expires = http_date(expires_time)
|
||||
# Save the session data and refresh the client cookie.
|
||||
# Skip session save for 500 responses, refs #3881.
|
||||
if response.status_code != 500:
|
||||
try:
|
||||
request.session.save()
|
||||
except UpdateError:
|
||||
raise SuspiciousOperation(
|
||||
"The request's session was deleted before the "
|
||||
"request completed. The user may have logged "
|
||||
"out in a concurrent request, for example."
|
||||
)
|
||||
host = request.get_host().split(':')[0]
|
||||
|
||||
# The subdomains feature overrides the
|
||||
# SESSION_COOKIE_DOMAIN setting, since the setting
|
||||
# is a fixed value and with subdomains enabled,
|
||||
# the session cookie domain has to vary with the
|
||||
# subdomain.
|
||||
session_cookie_domain = host
|
||||
response.set_cookie(
|
||||
settings.SESSION_COOKIE_NAME,
|
||||
request.session.session_key, max_age=max_age,
|
||||
expires=expires, domain=session_cookie_domain,
|
||||
path=settings.SESSION_COOKIE_PATH,
|
||||
secure=settings.SESSION_COOKIE_SECURE or None,
|
||||
httponly=settings.SESSION_COOKIE_HTTPONLY or None,
|
||||
samesite=settings.SESSION_COOKIE_SAMESITE,
|
||||
)
|
||||
return response
|
||||
|
||||
class SetRemoteAddrFromForwardedFor(MiddlewareMixin):
|
||||
|
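Review bot: The block removed from `process_response` called `response.set_cookie(..., domain=session_cookie_domain, ...)` with the request host, whereas Django's stock `SessionMiddleware` passes `domain=settings.SESSION_COOKIE_DOMAIN`, so this commit changes the session cookie's Domain attribute and not only the handling of the unused `cookie_domain` option. If `SESSION_COOKIE_DOMAIN` stays at Django's default of `None` (the settings hunks do not show it), the cookie becomes host-only, which is the narrower scope because a cookie with an explicit Domain is also sent to subdomains of that host. That is the safer behaviour for per-realm subdomains, but it deserves a sentence in the commit message and a test asserting that the session `Set-Cookie` header carries no `Domain` attribute. Cookies already issued with the explicit Domain presumably remain in browsers until they expire, so it is worth checking login and logout while both variants are present. The middle of `process_response` lies between the hunks and is not visible here.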
@@ -165,7 +165,8 @@ MIDDLEWARE = (
|
||||
'zerver.middleware.RateLimitMiddleware',
|
||||
'zerver.middleware.FlushDisplayRecipientCache',
|
||||
'zerver.middleware.ZulipCommonMiddleware',
|
||||
'zerver.middleware.SessionHostDomainMiddleware',
|
||||
'zerver.middleware.HostDomainMiddleware',
|
||||
'django.contrib.sessions.middleware.SessionMiddleware',
|
||||
'django.middleware.locale.LocaleMiddleware',
|
||||
'django.middleware.csrf.CsrfViewMiddleware',
|
||||
'django.contrib.auth.middleware.AuthenticationMiddleware',
|
||||
@@ -387,11 +388,6 @@ if PRODUCTION:
|
||||
SESSION_COOKIE_SECURE = True
|
||||
CSRF_COOKIE_SECURE = True
|
||||
|
||||
# For get_updates hostname sharding.
|
||||
domain = get_config('django', 'cookie_domain', None)
|
||||
if domain is not None:
|
||||
CSRF_COOKIE_DOMAIN = '.' + domain
|
||||
|
||||
# Prevent Javascript from reading the CSRF token from cookies. Our code gets
|
||||
# the token from the DOM, which means malicious code could too. But hiding the
|
||||
# cookie will slow down some attackers.
|
||||
|
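Review bot: In the `MIDDLEWARE` hunk, `HostDomainMiddleware` is listed above `django.contrib.sessions.middleware.SessionMiddleware`, and because Django runs `process_response` bottom-up, the session is now saved and its cookie set before the invalid-realm check runs, which reverses the old single-class sequence where the 404 return came first. For a request to a nonexistent realm, a modified session can therefore be written, and then the response carrying its `Set-Cookie` and `Vary: Cookie` headers is replaced by the `zerver/invalid_realm.html` render. If that is intended, record the ordering dependency next to the entry, e.g. `# Must stay above SessionMiddleware: on the response path the session is saved before the invalid-realm 404 is returned.`; otherwise confirm whether the two entries should be swapped. The `MIDDLEWARE` tuple starts and ends outside the hunk.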