Opened 10 years ago

Closed 10 years ago

#23800 closed Bug (invalid)

Middleware CSRF validation is unclear for PUT and DELETE

Reported by: Mark Lacomber Owned by: nobody
Component: CSRF Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

This may be a duplicate of https://code.djangoproject.com/ticket/23040, depending on whether it's a bug or just that some of the comments in middleware/csrf.py are a bit unclear.

To reproduce this bug, make a PUT or DELETE request to an endpoint on which you are using the csrf_exempt decorator (in my use case it's not from the browser but from a component using its own Basic Auth with Django) and you will get a 403.

This is due to code at line 161 of the process_view function in middleware/csrf.py, which checks if the cookie is missing and, if so, rejects the request. The comments say that it is for POST requests only, so I'm unsure whether the intention was for PUT and DELETE to fall under that category, in which case I can add a patch to make the comments explicitly mention PUT and DELETE. Otherwise I will add a patch so that PUT and DELETE are allowed through to the view, which is only a few lines.

Can anyone clarify for me whether it is intentional that PUT and DELETE also fail here if they don't have a CSRF cookie set?

Thanks

Change History (1)

comment:1 by Tomáš Ehrlich, 10 years ago

Resolution: invalid
Status: new → closed

During a POST request, the CSRF token is taken from request.POST; all other "unsafe" methods (PUT, PATCH, DELETE) should set the X-CSRFToken header as described in the documentation.
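A simplified model of the decision described in this comment, added here as an example and not Django's own middleware code: the `Request` class, `csrf_check` and `ticket_scenarios` are constructed stand-ins, and `HTTP_X_CSRFTOKEN` is the key under which WSGI exposes the X-CSRFToken header in request.META.

```python
# Added example (not Django's own code): a simplified model of how the CSRF
# middleware treats unsafe methods. For POST the token comes from the form
# field in request.POST; for PUT/PATCH/DELETE it must be sent in the
# X-CSRFToken header, which WSGI exposes as request.META['HTTP_X_CSRFTOKEN'].
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"             # Django's default CSRF_COOKIE_NAME
FORM_FIELD = "csrfmiddlewaretoken"    # hidden field rendered by {% csrf_token %}
HEADER_META_KEY = "HTTP_X_CSRFTOKEN"  # X-CSRFToken header as seen in request.META


@dataclass
class Request:
    """Constructed stand-in for the parts of HttpRequest the check needs."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    meta: dict = field(default_factory=dict)


def csrf_check(request, view_exempt=False):
    """Return None to accept the request, or the rejection reason (a 403)."""
    if view_exempt or request.method in SAFE_METHODS:
        return None  # csrf_exempt views and safe methods skip the check entirely
    cookie = request.cookies.get(COOKIE_NAME)
    if cookie is None:
        return "CSRF cookie not set."  # the rejection the reporter describes
    if request.method == "POST":
        token = request.post.get(FORM_FIELD, "")
    else:
        # PUT, PATCH, DELETE: request.POST is not consulted, only the header
        token = request.meta.get(HEADER_META_KEY, "")
    if not hmac.compare_digest(token, cookie):  # constant-time comparison
        return "CSRF token missing or incorrect."
    return None


def ticket_scenarios():
    """Constructed requests covering the cases discussed in the ticket."""
    tok = "a" * 32  # constructed token value
    return {
        "put_no_cookie": csrf_check(Request("PUT")),
        "put_header": csrf_check(Request("PUT", {COOKIE_NAME: tok}, meta={HEADER_META_KEY: tok})),
        "put_in_form": csrf_check(Request("PUT", {COOKIE_NAME: tok}, post={FORM_FIELD: tok})),
        "post_form": csrf_check(Request("POST", {COOKIE_NAME: tok}, post={FORM_FIELD: tok})),
        "delete_exempt": csrf_check(Request("DELETE"), view_exempt=True),
    }
```

The `put_in_form` case shows why a PUT that carries the token only in its body is still rejected: for non-POST methods the header is the only place the middleware looks.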
