id: 16976
summary: Bug in Internet Explorer which can lead to exception in Django CSRF framework
reporter: Anton Morozov
owner: nobody
type: Bug
status: closed
component: CSRF
version: 1.3
severity: Normal
resolution: needsinfo
keywords: ie, internet explorer, http, https, idn, csrf
cc:
stage: Accepted
has_patch: 0
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0

description:

I have found a bug in Internet Explorer which can lead to an exception in Django in some cases. This exception can be reproduced under these conditions:

1. Internet Explorer (7+, but I have not tested it in IE 10 beta).
2. A Django-powered site with CSRF protection enabled.
3. An IDN domain on HTTPS (i.e. https://пример.испытание).
4. JavaScript sends a POST request through XMLHttpRequest (Ajax).

In this case IE sends the server a wrong Referer header, in Unicode instead of punycode format (https://пример.испытание instead of https://xn--e1afmkfd.xn--80akhbyknj4f like other browsers). At the same time the Host header is right (in punycode). This leads to the following exception:

{{{
Traceback (most recent call last):
  File "/path/to/django/core/handlers/base.py", line 105, in get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)
  File "/path/to/middleware/csrf.py", line 169, in process_view
    logger.warning('Forbidden (%s): %s' % (reason, request.path),
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 45: ordinal not in range(128)
}}}

But even without the exception the request will not pass the referer test, as the HTTP_REFERER and HTTP_HOST variables will be different. I have prepared a micro Django project with which you can reproduce the problem: settings.py and testcase.py in the attachment (remember about the IDN domain and HTTPS). To solve the problem we need to check and correct the HTTP_REFERER value at the stage of getting environment variables, in the HTTP handler. In my projects I use a custom WSGI handler (fixwsgi.py in the attachment). On its basis it is possible to write a patch for django.core.handlers.wsgi.WSGIRequest and django.core.handlers.modpython.ModPythonRequest.

Sorry for my bad English. I hope the general sense is understandable.
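An added example of the normalisation the ticket proposes (this is not Django's code and not the reporter's fixwsgi.py): the Referer host is converted to punycode at the WSGI layer before a Django-1.3-style same-origin comparison against the Host header. It assumes Python 3 and that the browser sent the Unicode host UTF-8-encoded.

```python
# Added example (not Django's or the reporter's code): make an IDN Referer
# comparable with a punycode Host header before the CSRF same-origin check.
from urllib.parse import urlsplit, urlunsplit


def wsgi_header_to_text(value):
    """PEP 3333 hands header bytes to Python 3 as a latin-1-decoded str.
    Undo that and decode as UTF-8 (assumption: the browser sent UTF-8).
    Undecodable bytes become U+FFFD rather than raising, so a bad header
    can never turn into a 500 the way the ticket's traceback did."""
    if isinstance(value, bytes):
        return value.decode('utf-8', 'replace')
    try:
        raw = value.encode('latin-1')
    except UnicodeEncodeError:
        return value  # already genuine text, nothing to undo
    return raw.decode('utf-8', 'replace')


def host_to_ascii(hostname, port=None):
    """IDNA ASCII (punycode) form of a host name; ASCII names, including
    ones already in xn-- form, pass through unchanged."""
    ascii_host = hostname.encode('idna').decode('ascii').lower()
    return ascii_host if port is None else '%s:%d' % (ascii_host, port)


def normalize_referer(referer):
    """Return the Referer URL with its host rewritten to punycode."""
    text = wsgi_header_to_text(referer)
    parts = urlsplit(text)
    if not parts.hostname:
        return text
    netloc = host_to_ascii(parts.hostname, parts.port)
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment))


def same_origin(referer, host, scheme='https'):
    """Django 1.3-style test: (scheme, host[:port]) of the normalised
    Referer must equal the request's own origin built from Host."""
    ref = urlsplit(normalize_referer(referer))
    own = urlsplit('%s://%s/' % (scheme, host))
    own_netloc = host_to_ascii(own.hostname, own.port)
    return (ref.scheme, ref.netloc) == (own.scheme, own_netloc)
```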