CSRF referer checking too strict
Reported by: adam
Owned by: lukeplant
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
I get this error:
CSRF verification failed. Request aborted.
Reason given for failure:
Using IE6 on my site. In the apache log the request looks like:
220.127.116.11 - - [15/Mar/2011:15:07:06 +0000] "POST / HTTP/1.1" 403 1030 "https://sub.domain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
So it looks like the referer should not be required to start with a url including a trailing slash. That is a change to make:
good_referer = 'https://%s' % request.get_host()
Happy to provide a patch if people agree with my conclusions.
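To make the ticket's point concrete, the following is an added example, not Django's code and not part of the ticket: it reproduces the strict check as the ticket implies it (referer must start with "https://host/"), the proposed relaxed prefix check, and a comparison of the parsed referer origin instead of a string prefix. The referer value is the one from the Apache log line above; the host value is assumed.

```python
from urllib.parse import urlsplit

# Constructed sample input: the referer IE6 sent in the ticket's log line,
# and the host the request was served for (assumed value).
IE6_REFERER = "https://sub.domain.com"
HOST = "sub.domain.com"


def strict_check(referer: str, host: str) -> bool:
    """The check the ticket describes: the referer must start with
    'https://<host>/', trailing slash included. IE6's bare origin fails."""
    good_referer = "https://%s/" % host
    return referer.startswith(good_referer)


def relaxed_prefix_check(referer: str, host: str) -> bool:
    """The ticket's proposed change: drop the trailing slash. This accepts
    IE6's referer, but a bare prefix test also accepts any referer whose
    host merely begins with the expected host name."""
    good_referer = "https://%s" % host
    return referer.startswith(good_referer)


def same_origin_check(referer: str, host: str) -> bool:
    """Compare the scheme and host of the parsed referer with the expected
    host (as request.get_host() returns it, port included when non-default).
    Accepts the bare origin with or without a path and rejects look-alike
    hosts, without needing a trailing slash."""
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc.lower() == host.lower()


if __name__ == "__main__":
    for name, check in (("strict", strict_check),
                        ("relaxed prefix", relaxed_prefix_check),
                        ("same origin", same_origin_check)):
        print("%-15s IE6 referer accepted: %s" % (name, check(IE6_REFERER, HOST)))
```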
Change History (4)
comment:1 Changed 3 years ago by anonymous
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:2 Changed 3 years ago by lukeplant
- Owner changed from nobody to lukeplant
- Status changed from new to assigned
- Triage Stage changed from Unreviewed to Accepted
comment:3 Changed 3 years ago by lukeplant
- Resolution set to fixed
- Status changed from assigned to closed