#10884 closed (fixed)
CSRF Middleware regular expression doesn't take in account spaces.
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Contrib apps | Version: | dev |
| Severity: | Keywords: | csrf | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The CSRF protection middleware regular expression that looks for forms with method POST assumes that there are no spaces between the attribute name and the '=' sign or between the '=' sign and the attribute value.
This means that forms like this:
<form method = "post">
...
</form>
(which browsers generally accept and interpret correctly) won't be caught by the regexp, the inputs with the magic tokens be inserted, and the user will get a 403 Forbidden error. Moreover, additional whitespace is rather dificult to spot (and isn't obviously relevant to the issue of CSRF), making the whole thing rather frustrating to debug.
A very easy fix is to change the regular expression:
_POST_FORM_RE = \
re.compile(r'(<form\W[^>]*\bmethod\s*=\s*(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)
Attachments (1)
Change History (3)
by , 15 years ago
| Attachment: | csrf_re_patch.diff added |
|---|
comment:1 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
patch with new csrf form regexp