Opened 5 years ago

Closed 20 months ago

#16976 closed Bug (needsinfo)

Bug in Internet Explorer which can lead to exception in Django CSRF framework

Reported by: Anton Morozov
Owned by: nobody
Component: CSRF
Version: 1.3
Severity: Normal
Keywords: ie, internet explorer, http, https, idn, csrf
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I have found a bug in Internet Explorer which can lead to an exception in Django in some cases.

This exception can be reproduced under these conditions:

  1. Internet Explorer (7+, but I have not tested it in IE 10 beta).
  2. Django powered site with CSRF protection enabled.
  3. IDN domain on HTTPS (e.g. https://пример.испытание).
  4. JavaScript sends a POST request through XMLHttpRequest (Ajax).

In this case IE sends the server a wrong Referer header, in Unicode instead of Punycode format (https://пример.испытание instead of https://xn--e1afmkfd.xn--80akhbyknj4f like other browsers). At the same time the Host header is correct (in Punycode).

This leads to the following exception:

Traceback (most recent call last):
  File "/path/to/django/core/handlers/base.py", line 105, in get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)
  File "/path/to/middleware/csrf.py", line 169, in process_view
    logger.warning('Forbidden (%s): %s' % (reason, request.path),
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 45: ordinal not in range(128)

But even without the exception the request will not pass the Referer check, as the HTTP_REFERER and HTTP_HOST values will differ.

I have prepared a micro Django project with which you can reproduce the problem: settings.py and testcase.py in the attachments (remember about the IDN domain and HTTPS).

To solve the problem we need to check and correct the HTTP_REFERER value at the stage of reading the environment variables, in the HTTP handler. In my projects I use a custom WSGI handler (fixedwsgi.py in the attachments). On its basis it is possible to write a patch for django.core.handlers.wsgi.WSGIRequest and django.core.handlers.modpython.ModPythonRequest.

Sorry for my bad English. I hope the general sense is understandable.
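The normalization the report proposes for the WSGI layer, written out as an added example (this is not the attached fixedwsgi.py, which is not reproduced on this page, and not Django's own CSRF code). It assumes Python 3, where a PEP 3333 server decodes header bytes as latin-1 before the application sees them, and it assumes IE sent the Referer host as raw UTF-8 bytes (0xD0, the byte in the traceback, is the lead byte of a UTF-8 encoded Cyrillic letter). The header values are constructed, not captured. The naive string comparison is shown beside the normalized check to make visible why IE's Referer fails even when no exception is raised.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample headers (not captures from the report's test case).
HOST_HEADER = "xn--e1afmkfd.xn--80akhbyknj4f"                   # Host header, Punycode in every browser
REFERER_OTHER = "https://xn--e1afmkfd.xn--80akhbyknj4f/form/"  # Referer from a browser that Punycodes
REFERER_IE = "https://пример.испытание/form/"                   # Referer as IE sends it (Unicode host)
# The IE Referer as a PEP 3333 server hands it to the application: raw UTF-8 bytes
# decoded as latin-1 become mojibake (assumption: IE put UTF-8 on the wire).
REFERER_IE_WSGI = REFERER_IE.encode("utf-8").decode("latin-1")


def to_ascii_host(host):
    """Return a hostname in IDNA/Punycode (ASCII) form, lowercased; ASCII input is only lowercased."""
    host = host.strip().lower()
    if host.isascii():
        return host
    # Python's idna codec (IDNA 2003) produces the xn-- labels quoted in the report.
    return host.encode("idna").decode("ascii")


def repair_wsgi_header(value):
    """Undo latin-1 mojibake on a header value that was really UTF-8; leave anything else alone."""
    try:
        raw = value.encode("latin-1")
    except UnicodeEncodeError:
        return value            # code points above U+00FF: this is already real text
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return value            # genuine latin-1 (or garbage): do not touch


def split_host(host_header):
    """Split a Host header 'host[:port]' into (punycode_host, port_or_None). IPv6 literals not handled."""
    parts = urlsplit("//" + host_header)
    return to_ascii_host(parts.hostname or ""), parts.port


def normalize_referer(referer):
    """Rewrite a Referer URL so that its host is Punycode; scheme, port, path and query are kept."""
    referer = repair_wsgi_header(referer)
    parts = urlsplit(referer)
    if not parts.hostname:
        return referer
    host = to_ascii_host(parts.hostname)
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def naive_same_origin(referer, host_header):
    """The comparison that breaks on IE: Referer netloc against Host header, no normalization."""
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc.lower() == host_header.lower()


def referer_matches_host(referer, host_header):
    """Referer check for an HTTPS request: the Referer must be https and its host:port must
    equal the Host header after both sides have been normalized to Punycode."""
    parts = urlsplit(normalize_referer(referer))
    if parts.scheme != "https" or not parts.hostname:
        return False
    ref_host, ref_port = to_ascii_host(parts.hostname), parts.port or 443
    good_host, good_port = split_host(host_header)
    return (ref_host, ref_port) == (good_host, good_port or 443)


if __name__ == "__main__":
    for label, ref in (("other browser", REFERER_OTHER), ("IE", REFERER_IE), ("IE via WSGI", REFERER_IE_WSGI)):
        print(f"{label:13} naive={naive_same_origin(ref, HOST_HEADER)!s:5} "
              f"normalized={referer_matches_host(ref, HOST_HEADER)}")
```

The repair step is deliberately conservative: a value that does not round-trip through latin-1 and then decode as UTF-8 is returned unchanged, so a Referer from a browser that already sent Punycode, or one that is simply malformed, is never rewritten into something that matches when it should not. The port comparison is kept explicit because a Referer with ":443" spelled out and a Host header without it describe the same origin.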

Attachments (3)

settings.py (38 bytes) - added by Anton Morozov 5 years ago.
Settings file for test case
testcase.py (1.2 KB) - added by Anton Morozov 5 years ago.
Test case micro project
fixedwsgi.py (874 bytes) - added by Anton Morozov 5 years ago.
Custom WSGI handler that solves the problem


Change History (7)

Changed 5 years ago by Anton Morozov

Attachment: settings.py added

Settings file for test case

Changed 5 years ago by Anton Morozov

Attachment: testcase.py added

Test case micro project

Changed 5 years ago by Anton Morozov

Attachment: fixedwsgi.py added

Custom WSGI handler that solves the problem

comment:1 Changed 5 years ago by Luke Plant

Component: HTTP handling → contrib.csrf
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted

I can't test as I don't have an IDN domain, but accepted on the basis of your description.

comment:2 in reply to: 1 Changed 5 years ago by Anton Morozov

Replying to lukeplant:

I can't test as I don't have an IDN domain, but accepted on the basis of your description.

Luke, if you give me your IP I can set it as an A record on a subdomain of my IDN.

comment:3 Changed 5 years ago by Anton Morozov

Summary: Bug in Inernet Explorer which can lead to exception in Django CSRF framework → Bug in Internet Explorer which can lead to exception in Django CSRF framework

comment:4 Changed 20 months ago by Tim Graham

Resolution: needsinfo
Status: new → closed

As this seems to be related to a bug in older versions of IE (unknown if it's a problem with newer versions) and there hasn't been any activity in 3 years, I suggest we close this ticket until it's confirmed to still be a problem.
