Opened 16 years ago

Closed 16 years ago

Last modified 13 years ago

#10884 closed (fixed)

CSRF Middleware regular expression doesn't take in account spaces.

Reported by: Ryszard Szopa <ryszard.szopa@…> Owned by: nobody
Component: Contrib apps Version: dev
Severity: Keywords: csrf
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The CSRF protection middleware regular expression that looks for forms with method POST assumes that there are no spaces between the attribute name and the '=' sign or between the '=' sign and the attribute value.
This means that forms like this:

<form method = "post">
    ...
</form>

(which browsers generally accept and interpret correctly) won't be caught by the regexp, the inputs with the magic tokens be inserted, and the user will get a 403 Forbidden error. Moreover, additional whitespace is rather dificult to spot (and isn't obviously relevant to the issue of CSRF), making the whole thing rather frustrating to debug.

A very easy fix is to change the regular expression:

_POST_FORM_RE = \
    re.compile(r'(<form\W[^>]*\bmethod\s*=\s*(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)

Attachments (1)

csrf_re_patch.diff (677 bytes ) - added by Ryszard Szopa <ryszard.szopa@…> 16 years ago.
patch with new csrf form regexp

Download all attachments as: .zip

Change History (3)

by Ryszard Szopa <ryszard.szopa@…>, 16 years ago

Attachment: csrf_re_patch.diff added

patch with new csrf form regexp

comment:1 by Luke Plant, 16 years ago

Resolution: fixed
Status: newclosed

(In [10617]) Fixed #10884 - more lenient regexp for matching forms in CSRF post-processing

Thanks to Ryszard Szopa for the report and fix

comment:2 by Jacob, 13 years ago

milestone: 1.1

Milestone 1.1 deleted

Note: See TracTickets for help on using tickets.
Back to Top