Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#26094 closed Bug (fixed)

CSRF fails behind proxy (settings.USE_X_FORWARDED_PORT=True)

Reported by: Jose M Herrero Owned by: nobody
Component: CSRF Version: 1.9
Severity: Release blocker Keywords: csrf
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I use gunicorn behind nginx and a load balancer, CSRF fails since 1.9 (the code was introduced here https://github.com/django/django/commit/b0c56b895fd2694d7f5d4595bdbbc41916607f45)

The problem is that if settings.CSRF_COOKIE_DOMAIN is defined it uses request.METASERVER_PORT? to check that the port is the same and fails behind a proxy.

Using request method get_port() takes is into account and I find that is more correct that useing the header directly.

Patch is on:
https://github.com/chemary/django/commit/081685242dac206783024e1834d1f178b5b8b9b9

Change History (4)

comment:1 Changed 4 years ago by Tim Graham

Easy pickings: unset
Patch needs improvement: set
Severity: NormalRelease blocker
Summary: CSRF fails behind proxyCSRF fails behind proxy (settings.USE_X_FORWARDED_PORT=True)
Triage Stage: UnreviewedAccepted

comment:2 Changed 4 years ago by Tim Graham

Patch needs improvement: unset

comment:3 Changed 4 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: newclosed

In 2d28144c:

Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).

comment:4 Changed 4 years ago by Tim Graham <timograham@…>

In 076d459:

[1.9.x] Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).

Backport of 2d28144c9519f4e4397c70f045c2b1d31437bf69 from master

Note: See TracTickets for help on using tickets.
Back to Top