Opened 13 years ago
Closed 10 years ago
#16976 closed Bug (needsinfo)
Bug in Internet Explorer which can lead to exception in Django CSRF framework
| Reported by: | Anton Morozov | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | 1.3 |
| Severity: | Normal | Keywords: | ie, internet explorer, http, https, idn, csrf |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I have found a bug in Inernet Explorer which can lead to exception in Django in some cases.
This exception can be reproduced in these conditions:
- Internet Explorer (7+, but i have not test it in IE 10 beta).
- Django powered site with enabled CSRF protection.
- IDN domain on HTTPS (i. e. https://пример.испытание).
- JavaScript sends POST request through XMLHTTPRequest (Ajax).
In this case IE sends to server wrong Referer header, in unicode istead of punycode format (https://пример.испытание istead of https://xn--e1afmkfd.xn--80akhbyknj4f like other browsers). At the same time the Host header is right (in punycode).
This leads to the following exception:
Traceback (most recent call last):
File "/path/to/django/core/handlers/base.py", line 105, in get_response
response = middleware_method(request, callback, callback_args, callback_kwargs)
File "/path/to/middleware/csrf.py", line 169, in process_view
logger.warning('Forbidden (%s): %s' % (reason, request.path),
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 45: ordinal not in range(128)
But even without exception the request will not pass the referer test, as HTTP_REFERER and HTTP_HOST variables will be different.
I have prepared the micro django project with which you can reproduce the problem: settings.py and testcase.py in attachment (remember about IDN domain and HTTPS).
To solve the problem we need to check and correct HTTP_REFERER value at the stage of getting enviroment variables, in HTTP handler. In my projects I use custom WSGI handler (fixwsgi.py in attachment). On its basis it is possible to write a patch for django.core.handlers.wsgi.WSGIRequest and django.core.handlers.modpython.ModPythonRequest.
Sorry for my bad english. I wish common sense is understandable.
Attachments (3)
Change History (7)
by , 13 years ago
| Attachment: | settings.py added |
|---|
follow-up: 2 comment:1 by , 13 years ago
| Component: | HTTP handling → contrib.csrf |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
I can't test as I don't have an IDN domain, but accepted on the basis of your description.
comment:2 by , 13 years ago
Replying to lukeplant:
I can't test as I don't have an IDN domain, but accepted on the basis of your description.
Luke, if you give me your IP I can set it as A record on subdomain of my IDN.
comment:3 by , 13 years ago
| Summary: | Bug in Inernet Explorer which can lead to exception in Django CSRF framework → Bug in Internet Explorer which can lead to exception in Django CSRF framework |
|---|
comment:4 by , 10 years ago
| Resolution: | → needsinfo |
|---|---|
| Status: | new → closed |
As this seems to be related to a bug in older versions of IE (unknown if it's a problem with newer versions) and there hasn't been any activity in 3 years, I suggest we close this ticket until it's confirmed to still be a problem.
Settings file for test case