@tim-lansen

Trac ticket number

ticket-36874

Branch description

The functions _mask_cipher_secret and _unmask_cipher_secret now use a pre-built translation table to get character indices.

AI Assistance Disclosure (REQUIRED)

  • No AI tools were used in preparing this PR.
  • If AI tools were used, I have disclosed which ones, and fully reviewed and verified their output.

Checklist

  • This PR follows the contribution guidelines.
  • This PR does not disclose a security vulnerability (see vulnerability reporting).
  • This PR targets the main branch.
  • The commit message is written in past tense, mentions the ticket number, and ends with a period.
  • I have checked the "Has patch" ticket flag in the Trac system.
  • I have added or updated relevant tests.
  • I have added or updated relevant docs, including release notes if applicable.
  • I have attached screenshots in both light and dark modes for any UI changes.
@github-actions bot added the "no ticket" label (Based on PR title, no linked Trac ticket) Jan 21, 2026
@tim-lansen changed the title "Implemented ticket_36874 using pre-built translation table." Jan 21, 2026
@github-actions bot removed the "no ticket" label (Based on PR title, no linked Trac ticket) Jan 21, 2026

@github-actions github-actions bot left a comment


Hello! Thank you for your contribution 💪

As it's your first contribution be sure to check out the patch review checklist.

If you're fixing a ticket from Trac make sure to set the "Has patch" flag and include a link to this PR in the ticket!

If you have any design or process questions then you can ask in the Django forum.

Welcome aboard ⛵️!

@github-actions

Coverage Report for Changed Files

-------------
Diff Coverage
Diff: origin/main...HEAD, staged and unstaged changes
-------------
django/middleware/csrf.py (100%)
-------------
Total:   8 lines
Missing: 0 lines
Coverage: 100%
-------------


Note: Missing lines are warnings only. Some lines may not be covered by SQLite tests as they are database-specific.

For more information about code coverage on pull requests, see the contributing documentation.

Member

@jacobtylerwalls jacobtylerwalls left a comment


Thanks for the PR 👍

CSRF_SESSION_KEY = "_csrftoken"


def _make_xlat(chars: str):

Please remove the annotation.

return xlat


CSRF_XLAT = _make_xlat(CSRF_ALLOWED_CHARS)

Let's find another name without mentioning XLAT.



def _make_xlat(chars: str):
xlat = [0 for _ in range(1 + max((ord(x) for x in chars)))]

By populating the table with zeroes, this silences ValueErrors. Can you keep this performance tweak from introducing any behavior changes by ensuring some error is still emitted?

(I acknowledge the responsibility for checking for valid characters is in _check_token_format().)
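
The behavior change this review comment describes, as an added example (not code from the PR or from Django): a zero-filled table returns index 0 for out-of-alphabet characters whose code points fall inside the table and raises IndexError for those beyond it, where `str.index()` raises ValueError. `ALLOWED`, `build_table`, `lookup_unchecked`, `lookup_strict` and `outcome` are hypothetical names; the alphabet and the table's fill loop are assumptions, since the page shows only the helper's first line and its return.

```python
import string

# Assumption: stand-in for CSRF_ALLOWED_CHARS (ASCII letters plus digits).
ALLOWED = string.ascii_letters + string.digits


def build_table(chars, default):
    """Map ord(char) -> index in chars; unused slots hold `default`.

    default=0 mirrors the first line of the helper under review; the fill
    loop is an assumption, since the page does not show the helper's body.
    """
    table = [default] * (1 + max(ord(c) for c in chars))
    for index, char in enumerate(chars):
        table[ord(char)] = index
    return table


def lookup_unchecked(table, char):
    """Plain list lookup, with no validation of the character."""
    return table[ord(char)]


def lookup_strict(table, char):
    """Hypothetical strict lookup over a None-filled table: any character
    outside the alphabet raises ValueError, as str.index() does."""
    code = ord(char)
    index = table[code] if code < len(table) else None
    if index is None:
        raise ValueError(f"{char!r} is not an allowed character")
    return index


def outcome(func, *args):
    """Return func(*args), or the exception class name if it raises."""
    try:
        return func(*args)
    except (ValueError, IndexError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    zero, strict = build_table(ALLOWED, 0), build_table(ALLOWED, None)
    # Constructed probes: two alphabet chars, two below "z", two above it.
    for char in ("a", "9", "-", "\x00", "~", "\u00e9"):
        print(repr(char),
              outcome(ALLOWED.index, char),
              outcome(lookup_unchecked, zero, char),
              outcome(lookup_strict, strict, char))
```

With the zero default, "-" and "a" are indistinguishable after lookup, so a malformed character is processed as if it were the first alphabet character.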

@jacobtylerwalls jacobtylerwalls changed the title Implemented #36874 using pre-built translation table. Jan 27, 2026