#15617 closed (fixed)
CSRF referer checking too strict
| Reported by: | adam | Owned by: | Luke Plant |
|---|---|---|---|
| Component: | Uncategorized | Version: | 1.3-beta |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I get this error:
Forbidden (403)
CSRF verification failed. Request aborted.
Reason given for failure:
Referer checking failed - https://sub.domain.com does not match https://sum.domain.com/.
Using IE6 on my site. In the apache log the request looks like:
86.24.194.171 - - [15/Mar/2011:15:07:06 +0000] "POST / HTTP/1.1" 403 1030 "https://sub.domain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
So it looks like the referer should not be required to start with a url including a trailing slash. That is a change to make:
good_referer = 'https://%s' % request.get_host()
Happy to provide a patch if people agree with my conclusions.
Change History (4)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
| Triage Stage: | Unreviewed → Accepted |
This is definitely a bug. However, the fix is not so simple, because we are using 'startswith' to check the referer, and with the proposed change, https://example.com could be matched by https://example.com.evil.com . That is almost certainly why I added that slash.
The correct way to do with is to compare the (protocol, domain, port) triple, as specified here: http://www.w3.org/Security/wiki/Same_Origin_Policy
We could do with a 'same_origin' utility function that is properly tested and implements the above check using urlparse, and then is used by the middleware.
The above urls should all be the same except for the trailing slash. I've obfuscated the url because the site is not yet public.