Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#15617 closed (fixed)

CSRF referer checking too strict

Reported by: adam
Owned by: lukeplant
Component: Uncategorized
Version: 1.3-beta
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


I get this error:

Forbidden (403)
CSRF verification failed. Request aborted.

Reason given for failure:

Referer checking failed - does not match

Using IE6 on my site. In the apache log the request looks like: - - [15/Mar/2011:15:07:06 +0000] "POST / HTTP/1.1" 403 1030 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

So it looks like the referer should not be required to start with a url including a trailing slash. That is a change to make:

good_referer = 'https://%s' % request.get_host()

Happy to provide a patch if people agree with my conclusions.

Change History (4)

comment:1 Changed 5 years ago by anonymous

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The above urls should all be the same except for the trailing slash. I've obfuscated the url because the site is not yet public.

comment:2 Changed 5 years ago by lukeplant

  • Owner changed from nobody to lukeplant
  • Status changed from new to assigned
  • Triage Stage changed from Unreviewed to Accepted

This is definitely a bug. However, the fix is not so simple, because we are using 'startswith' to check the referer, and with the proposed change, could be matched by . That is almost certainly why I added that slash.

The correct way to do this is to compare the (protocol, domain, port) triple, as specified here:

We could do with a 'same_origin' utility function that is properly tested and implements the above check using urlparse, and then is used by the middleware.
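
The check discussed in comment:2, as an added example that is not part of the ticket and is not Django's own code: a `same_origin` helper that compares the (protocol, domain, port) triple, next to the `startswith` prefix check it would replace. The helper names `origin` and `prefix_check`, the default-port table, and all hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this sketch: only http/https referers are meaningful here.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple for url, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # hostname is already lower-cased and stripped of userinfo by urlsplit
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)


def same_origin(url1, url2):
    """True only when both URLs parse and share scheme, host and port."""
    o1, o2 = origin(url1), origin(url2)
    return o1 is not None and o1 == o2


def prefix_check(referer, good_referer):
    """The string-prefix comparison the ticket is about."""
    return referer.startswith(good_referer)


# Constructed sample referers checked against a site served at example.com.
SITE = "https://example.com/"
SAMPLES = [
    "https://example.com",               # no trailing slash (the reported case)
    "https://example.com/form/",         # ordinary same-site page
    "https://example.com.other.test/x",  # different host sharing the prefix
    "https://example.com@other.test/",   # userinfo trick, host is other.test
    "http://example.com/",               # scheme downgrade
    "https://example.com:8443/",         # different port
    "",                                  # referer absent
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref!r:40} prefix(with /)={prefix_check(ref, SITE)!s:5} "
              f"prefix(no /)={prefix_check(ref, SITE.rstrip('/'))!s:5} "
              f"same_origin={same_origin(ref, SITE)}")
```
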

comment:3 Changed 5 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from assigned to closed

In [15840]:

Fixed #15617 - CSRF referer checking too strict

Thanks to adam for the report.

comment:4 Changed 5 years ago by lukeplant

In [15844]:

[1.2.X] Fixed #15617 - CSRF referer checking too strict

Thanks to adam for the report.

Backport of [15840] from trunk.
