Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#15617 closed (fixed)

CSRF referer checking too strict

Reported by: adam Owned by: Luke Plant
Component: Uncategorized Version: 1.3-beta
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I get this error:

Forbidden (403)
CSRF verification failed. Request aborted.

Reason given for failure:

Referer checking failed - https://sub.domain.com does not match https://sum.domain.com/.

Using IE6 on my site. In the apache log the request looks like:

86.24.194.171 - - [15/Mar/2011:15:07:06 +0000] "POST / HTTP/1.1" 403 1030 "https://sub.domain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

So it looks like the referer should not be required to start with a url including a trailing slash. That is a change to make:

good_referer = 'https://%s' % request.get_host()

Happy to provide a patch if people agree with my conclusions.

Change History (4)

comment:1 by anonymous, 13 years ago

The above urls should all be the same except for the trailing slash. I've obfuscated the url because the site is not yet public.

comment:2 by Luke Plant, 13 years ago

Owner: changed from nobody to Luke Plant
Status: newassigned
Triage Stage: UnreviewedAccepted

This is definitely a bug. However, the fix is not so simple, because we are using 'startswith' to check the referer, and with the proposed change, https://example.com could be matched by https://example.com.evil.com . That is almost certainly why I added that slash.

The correct way to do with is to compare the (protocol, domain, port) triple, as specified here: http://www.w3.org/Security/wiki/Same_Origin_Policy

We could do with a 'same_origin' utility function that is properly tested and implements the above check using urlparse, and then is used by the middleware.

comment:3 by Luke Plant, 13 years ago

Resolution: fixed
Status: assignedclosed

In [15840]:

Fixed #15617 - CSRF referer checking too strict

Thanks to adam for the report.

comment:4 by Luke Plant, 13 years ago

In [15844]:

[1.2.X] Fixed #15617 - CSRF referer checking too strict

Thanks to adam for the report.

Backport of [15840] from trunk.

Note: See TracTickets for help on using tickets.
Back to Top