Opened 10 years ago
Closed 10 years ago
#23040 closed Bug (invalid)
The CSRF protection seems to ignore the HTTP_X_CSRFTOKEN header and csrfmiddlewaretoken POST value in case the CSRF cookie is missing.
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | CSRF | Version: | 1.6 |
Severity: | Normal | Keywords: | csrf |
Cc: | Florian Apolloner | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
I have AJAX code which makes POST requests to a Django 1.6.4 application. The view has CSRF protection enabled via the django.middleware.csrf.CsrfViewMiddleware. If I do not pass a cookie but do pass the HTTP_X_CSRFTOKEN, it fails.
I am looking at the code of django.middleware.csrf.CsrfViewMiddleware and I see that on line 161 it checks to see if if csrf_token is None: after getting it from the cookie. If it is None, it returns. Only afterwards does it check the csrfmiddlewaretoken param and the HTTP_X_CSRFTOKEN request header.
This looks incorrect and the check for a missing csrf_token value should only be made after checking all the possible places for where it could be found.
No, this behavior is correct. Django compares the token from the cookie (which an attacker can't control) to the header/post-data which the attacker can control. Hence you will always need the cookie (sent by your browser automatically usually) and the header or post-data.