id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19486	csrf_token tag is empty on Resolver404 error	SardarNL	nobody	"The tag {% csrf_token %} prints context.csrf_token, which is set by default django.core.context_processors.csrf, which uses django.middleware.csrf.get_token(), which looks in {{{ request.META['CSRF_COOKIE'] }}}, which is set by CsrfViewMiddleware.process_view(). So if process_view() isn't called, then there will be no {{{META['CSRF_COOKIE']}}}, then {% csrf_token %} would print nothing.

Let's look now at django.core.handlers.BaseHandler.get_response(). It first calls all process_request(), then resolves the view and *then* calls all process_view(). So, if none of your URL patterns match, then your CsrfViewMiddleware.process_view() will not be called. The Resolver404 exception is an http.Http404, so if no view is found, the handler will use the resolver.resolve404() view to serve the 404 page.

The problem: the 404 page uses {% csrf_token %} to render a POST form to the search view. It works if the URL is matched by a view but the view itself raises Http404. It doesn't work if the URL is not matched by any pattern.

Solution:

  1) refactor CsrfViewMiddleware.process_view(), move setting {{{request.META['CSRF_COOKIE']}}} to a separate _method()
  2) call this method for resolver.resolve404() view or in get_token()

Possible problems: the browser may ignore cookies set by a 404 page.

Workaround: the search page is using csrf_exempt at the moment.

Severity: minor"	Bug	closed	Core (Other)	1.4	Normal	wontfix	csrf		Unreviewed	0	0	0	0	0	0
