id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
16976	Bug in Internet Explorer which can lead to an exception in the Django CSRF framework	Anton Morozov	nobody	"I have found a bug in Internet Explorer which can lead to an exception in Django in some cases.

This exception can be reproduced in these conditions:

1. Internet Explorer (7+, but I have not tested it in the IE 10 beta).
2. Django-powered site with CSRF protection enabled.
3. IDN domain on HTTPS (e.g. https://пример.испытание).
4. JavaScript sends a POST request through XMLHttpRequest (Ajax).

In this case IE sends the wrong Referer header to the server, in Unicode instead of punycode format (https://пример.испытание instead of https://xn--e1afmkfd.xn--80akhbyknj4f like other browsers). At the same time the Host header is right (in punycode).

This leads to the following exception:

{{{
Traceback (most recent call last):

  File ""/path/to/django/core/handlers/base.py"", line 105, in get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)

  File ""/path/to/middleware/csrf.py"", line 169, in process_view
    logger.warning('Forbidden (%s): %s' % (reason, request.path),

UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 45: ordinal not in range(128)
}}}

But even without the exception the request will not pass the referer test, as the HTTP_REFERER and HTTP_HOST variables will be different.

I have prepared a micro Django project with which you can reproduce the problem: settings.py and testcase.py in the attachment (remember about the IDN domain and HTTPS).

To solve the problem we need to check and correct the HTTP_REFERER value at the stage of getting the environment variables, in the HTTP handler. In my projects I use a custom WSGI handler (fixwsgi.py in the attachment). On its basis it is possible to write a patch for django.core.handlers.wsgi.WSGIRequest and django.core.handlers.modpython.ModPythonRequest.

Sorry for my bad English. I hope the general sense is understandable."	Bug	closed	CSRF	1.3	Normal	needsinfo	ie, internet explorer, http, https, idn, csrf		Accepted	0	0	0	0	0	0
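The fix the reporter describes (normalizing HTTP_REFERER in the WSGI layer so the CSRF middleware compares punycode with punycode), as an added example. This is not the reporter's fixwsgi.py and not Django code. It assumes Python 3, a PEP 3333 server that decodes header bytes as latin-1 (so IE's raw UTF-8 Referer arrives as mojibake), and that the Host header is already in punycode as the report states; the function names, the `normalize` flag and the constructed environ are this example's own.

```python
# Added example (not the reporter's fixwsgi.py, not Django code): a WSGI wrapper
# that rewrites a Unicode (IDN) Referer host into punycode before the application,
# and therefore Django's CSRF middleware, sees it.
from urllib.parse import urlsplit, urlunsplit


def _to_text(value):
    """Return a header value as genuine text.

    Assumption: under PEP 3333 the server decoded the header bytes as latin-1, so a
    Referer that IE sent as raw UTF-8 arrives as mojibake. Undo that. Byte strings
    (Python 2 style environ) are decoded directly.
    """
    if isinstance(value, bytes):
        raw = value
    else:
        try:
            raw = value.encode("latin-1")
        except UnicodeEncodeError:
            return value  # already real text (chars above U+00FF), nothing to undo
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def normalize_referer(referer):
    """Return the referer with a non-ASCII hostname IDNA-encoded (punycode).

    ASCII referers come back unchanged. A hostname the IDNA codec rejects, or a
    malformed port, is also left unchanged so the CSRF referer check still fails
    closed rather than being talked into a match by a crafted header.
    """
    text = _to_text(referer)
    parts = urlsplit(text)
    host = parts.hostname
    if host is None or host.isascii():  # str.isascii needs Python 3.7+
        return text
    try:
        ascii_host = host.encode("idna").decode("ascii")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:  # UnicodeError is a subclass of ValueError
        return text
    # Rebuild the netloc, keeping any userinfo and explicit port.
    userinfo, at, _ = parts.netloc.rpartition("@")
    netloc = (userinfo + at if at else "") + ascii_host
    if port is not None:
        netloc += ":%d" % port
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def referer_matches_host(environ, normalize=True):
    """Same-origin test in the spirit of the CSRF referer check: the referer must
    be https and its host:port must equal Host (443 assumed when absent).
    With normalize=False the comparison is done on the raw Unicode referer, which
    is exactly the mismatch the report describes."""
    referer = environ.get("HTTP_REFERER")
    if not referer:
        return False
    referer = normalize_referer(referer) if normalize else _to_text(referer)
    ref = urlsplit(referer)
    if ref.scheme != "https":
        return False
    expected = urlsplit("https://" + environ.get("HTTP_HOST", ""))
    try:
        return (ref.hostname, ref.port or 443) == (expected.hostname, expected.port or 443)
    except ValueError:
        return False


def fix_referer(app):
    """WSGI wrapper: normalize HTTP_REFERER before handing the request on."""
    def wrapped(environ, start_response):
        referer = environ.get("HTTP_REFERER")
        if referer:
            environ["HTTP_REFERER"] = normalize_referer(referer)
        return app(environ, start_response)
    return wrapped


if __name__ == "__main__":
    # Constructed environ mimicking IE's Ajax POST to an IDN site over HTTPS:
    # Host is punycode, the Referer is the UTF-8 Unicode form as latin-1 mojibake.
    environ = {
        "REQUEST_METHOD": "POST",
        "wsgi.url_scheme": "https",
        "HTTP_HOST": "xn--e1afmkfd.xn--80akhbyknj4f",
        "HTTP_REFERER": "https://пример.испытание/form/".encode("utf-8").decode("latin-1"),
    }
    print("raw referer passes:", referer_matches_host(environ, normalize=False))
    print("normalized referer:", normalize_referer(environ["HTTP_REFERER"]))
    print("after fix passes:", referer_matches_host(environ))
```

To use it, wrap the application object in the WSGI script, e.g. `application = fix_referer(django.core.handlers.wsgi.WSGIHandler())`; the mod_python handler the reporter also mentions is not covered here. Because the rewritten referer is pure ASCII, the non-ASCII bytes also stay out of the "Forbidden (...)" log line that raised the UnicodeDecodeError in the traceback above.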
