CSRF Middleware regular expression doesn't take in account spaces.
|Reported by:||Ryszard Szopa <ryszard.szopa@…>||Owned by:||nobody|
|Has patch:||yes||Needs documentation:|
|Needs tests:||Patch needs improvement:|
The CSRF protection middleware regular expression that looks for forms with method POST assumes that there are no spaces between the attribute name and the '=' sign or between the '=' sign and the attribute value.
This means that forms like this:
<form method = "post"> ... </form>
(which browsers generally accept and interpret correctly) won't be caught by the regexp, the inputs with the magic tokens be inserted, and the user will get a 403 Forbidden error. Moreover, additional whitespace is rather dificult to spot (and isn't obviously relevant to the issue of CSRF), making the whole thing rather frustrating to debug.
A very easy fix is to change the regular expression:
_POST_FORM_RE = \ re.compile(r'(<form\W[^>]*\bmethod\s*=\s*(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)