Opened 5 years ago

Closed 5 years ago

#23040 closed Bug (invalid)

The CSRF protection seems to ignore the HTTP_X_CSRFTOKEN header and csrfmiddlewaretoken POST value in case the CSRF cookie is missing.

Reported by: krystian@… Owned by: nobody
Component: CSRF Version: 1.6
Severity: Normal Keywords: csrf
Cc: Florian Apolloner Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no


I have AJAX code which makes POST requests to a Django 1.6.4 application. The view has CSRF protection enabled via the django.middleware.csrf.CsrfViewMiddleware. If I do not pass a cookie but do pass the HTTP_X_CSRFTOKEN, it fails.

I am looking at the code of django.middleware.csrf.CsrfViewMiddleware and I see that on line 161 it checks to see if if csrf_token is None: after getting it from the cookie. If it is None, it returns. Only afterwards does it check the csrfmiddlewaretoken param and the HTTP_X_CSRFTOKEN request header.

This looks incorrect and the check for a missing csrf_token value should only be made after checking all the possible places for where it could be found.

Change History (1)

comment:1 Changed 5 years ago by Florian Apolloner

Cc: Florian Apolloner added
Resolution: invalid
Status: newclosed

No, this behavior is correct. Django compares the token from the cookie (which an attacker can't control) to the header/post-data which the attacker can control. Hence you will always need the cookie (sent by your browser automatically usually) and the header or post-data.

Note: See TracTickets for help on using tickets.
Back to Top