#34695: security.E101 false positive with class-based views
-----------------------------------------+------------------------
               Reporter:  asottile       |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  Uncategorized  |        Version:  4.2
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 minimal example

 {{{
 class MyView(View):
     def dispatch(self, request, reason=''):
         ...

 view = MyView.as_view()
 }}}

 though this appears to work at runtime (at least in unsupported django 2.2
 which is what I'm trying to upgrade from), the framework gives an error:

 {{{
 ERRORS:
 ?: (security.E101) The CSRF failure view 'myview.view' does not take the
 correct number of arguments.
 }}}

 the reason stems from the use of `inspect.signature` on the view:

 {{{
 >>> sig = inspect.signature(view)
 >>> sig
 <Signature (self, request, reason='')>
 >>> sig.bind(None, reason=None)
 Traceback (most recent call last):
   File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/code.py",
 line 90, in runcode
     exec(code, self.locals)
   File "<console>", line 1, in <module>
   File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/inspect.py",
 line 3037, in bind
     return self._bind(args, kwargs)
   File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/inspect.py",
 line 2952, in _bind
     raise TypeError(msg) from None
 TypeError: missing a required argument: 'request'
 }}}

 
https://github.com/django/django/blob/649262a406168709686f97694493aa1f717c6c96/django/core/checks/security/csrf.py#L60

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34695>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/0107018926f3a001-24d1805e-ec83-4656-9560-8817d0e45129-000000%40eu-central-1.amazonses.com.

Reply via email to