The CSRF protection seems to ignore the HTTP_X_CSRFTOKEN header and csrfmiddlewaretoken POST value in case the CSRF cookie is missing.
|Reported by:||Owned by:||nobody|
|Cc:||Florian Apolloner||Triage Stage:||Unreviewed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
I have AJAX code which makes POST requests to a Django 1.6.4 application. The view has CSRF protection enabled via the django.middleware.csrf.CsrfViewMiddleware. If I do not pass a cookie but do pass the HTTP_X_CSRFTOKEN, it fails.
I am looking at the code of django.middleware.csrf.CsrfViewMiddleware and I see that on line 161 it checks "if csrf_token is None:" after getting it from the cookie. If it is None, it returns. Only afterwards does it check the csrfmiddlewaretoken param and the HTTP_X_CSRFTOKEN request header.
This looks incorrect, and the check for a missing csrf_token value should only be made after checking all the possible places where it could be found.
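The check order described in the ticket, as a simplified model added here for illustration (not Django's source and not part of the original report): in a double-submit scheme the cookie is the reference value that the POST field or header is compared against, so a request without the cookie has nothing to compare to. Function and constant names are assumptions; `csrftoken` is Django's default cookie name, and the token values are constructed.

```python
import hmac

# Illustrative rejection reasons (not Django's own strings).
NO_COOKIE = "no CSRF cookie"
BAD_TOKEN = "token missing or mismatched"


def check_csrf(cookies, post, headers):
    """Return None if the request passes, otherwise a rejection reason."""
    # 1. The cookie carries the reference token. A cross-site page cannot
    #    read or set it, which is what makes the comparison meaningful.
    cookie_token = cookies.get("csrftoken")
    if cookie_token is None:
        return NO_COOKIE

    # 2. The submitted token comes from the form field, then the header.
    submitted = post.get("csrfmiddlewaretoken", "")
    if not submitted:
        submitted = headers.get("HTTP_X_CSRFTOKEN", "")

    # 3. Constant-time comparison of submitted token against the cookie.
    if not hmac.compare_digest(submitted.encode(), cookie_token.encode()):
        return BAD_TOKEN
    return None


def run_samples():
    """Evaluate constructed requests covering each branch."""
    token = "constructed-sample-token"
    cookie = {"csrftoken": token}
    return {
        "header_only_no_cookie": check_csrf({}, {}, {"HTTP_X_CSRFTOKEN": token}),
        "cookie_and_header": check_csrf(cookie, {}, {"HTTP_X_CSRFTOKEN": token}),
        "cookie_and_post_field": check_csrf(cookie, {"csrfmiddlewaretoken": token}, {}),
        "cookie_wrong_header": check_csrf(cookie, {}, {"HTTP_X_CSRFTOKEN": "other"}),
        "cookie_only": check_csrf(cookie, {}, {}),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result or 'accepted'}")
```

The `header_only_no_cookie` case is the request pattern from the report: the header alone is a value any client can choose, so the model rejects it before looking at the header at all.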