id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19778	csrf middleware reports BAD_REFERER when HTTP_HOST contains port	jens.tinfors@…		"For a given request with the HTTP_HOST header set to 'www.example.com:443' and the HTTP_REFERER set to 'https://www.example.com/somepage', the same_origin check will report REASON_BAD_REFERER due to the fact that HOST has a port and REFERER does not. Perhaps, as in my case, a less competent firewall has tampered with the request on its way to the server.

Here's a failing test (that I added to tests/regressiontests/csrf_tests/tests.py):

{{{
    def test_https_good_referer_with_port(self):
        req = self._get_POST_request_with_token()
        req._is_secure_override = True
        req.META['HTTP_HOST'] = 'www.example.com:443'
        req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
        self.assertEqual(None, req2)
}}}

I know the port is a valid part of the same_origin check, but I'm thinking that if it's missing from REFERER, the scheme is https and HTTP_HOST uses the default port, maybe we can skip the port in the same_origin check.

What do you think?

Incidentally, if I set a port number on the HTTP_REFERER the test still fails:
{{{
    def test_https_good_referer_with_port(self):
        req = self._get_POST_request_with_token()
        req._is_secure_override = True
        req.META['HTTP_HOST'] = 'www.example.com:443'
        req.META['HTTP_REFERER'] = 'https://www.example.com/somepage:443'
        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
        self.assertEqual(None, req2)
}}}

kind regards /jens"	Bug	closed	CSRF	dev	Normal	wontfix			Accepted	1	0	0	1	0	0
