Opened 9 years ago
Closed 9 years ago
#26904 closed Uncategorized (needsinfo)
CSRF middleware ignores X-CSRFToken if token not in cookies
| Reported by: | mrmagooey | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | 1.9 |
| Severity: | Normal | Keywords: | csrf |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This might be desired behaviour, but currently it seems that POST X-CSRFToken headers are ignored?
It seems that this line:
https://github.com/django/django/blob/master/django/middleware/csrf.py#L170
will set the csrf_token to None if the token is not available in the Cookies header, and then this line:
https://github.com/django/django/blob/master/django/middleware/csrf.py#L250
will cause the middleware to return early, and never check the value of X-CSRFToken header.
There is a comment around line 250 that this is desired behaviour, so I'm a bit confused. My python/django is a little rusty, so apologies if this is my bad.
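The behaviour described above follows from the double-submit cookie design: the `X-CSRFToken` header (or the `csrfmiddlewaretoken` form field) is never trusted on its own; it is only ever compared against the `csrftoken` cookie, and when no cookie arrives there is nothing to compare against, so the request is rejected before the header is read. The following is an added, simplified model of that check written for this page, not Django's own `CsrfViewMiddleware` code; the cookie, form field and header names are Django's, the `check_csrf` signature, the plain-dict request representation, the 32-character alphanumeric token format and the rejection strings are assumptions made for the example.

```python
import hmac
import re
import secrets

# Methods that carry no state change and are exempt from the token check
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
# Assumed token format: 32 alphanumeric characters (constructed for this example)
TOKEN_LENGTH = 32
NON_ALNUM_RE = re.compile(r"[^a-zA-Z0-9]")

# Rejection reasons, modelled on the middleware's messages (assumed wording)
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def new_token():
    """Mint a fresh cookie token: 32 hex characters from a CSPRNG."""
    return secrets.token_hex(TOKEN_LENGTH // 2)


def sanitize_token(token):
    """Strip anything non-alphanumeric; reject tokens of the wrong length."""
    token = NON_ALNUM_RE.sub("", token)
    return token if len(token) == TOKEN_LENGTH else None


def check_csrf(method, cookies, post, headers):
    """Return (accepted, reason) for a request modelled as plain dicts.

    cookies: request cookies, e.g. {"csrftoken": "..."}
    post:    form fields,     e.g. {"csrfmiddlewaretoken": "..."}
    headers: request headers, e.g. {"X-CSRFToken": "..."}
    """
    if method in SAFE_METHODS:
        return True, None

    # Step 1: the cookie is the secret the browser holds for this origin.
    # Without it there is nothing to compare the submitted token against,
    # so the request is rejected here and the header is never consulted.
    cookie_token = cookies.get("csrftoken")
    if cookie_token is not None:
        cookie_token = sanitize_token(cookie_token)
    if cookie_token is None:
        return False, REASON_NO_CSRF_COOKIE

    # Step 2: the submitted copy comes from the form field first, then the header.
    submitted = post.get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    # Normalise to the same alphabet so the constant-time compare never sees
    # non-ASCII input (hmac.compare_digest raises on it).
    submitted = NON_ALNUM_RE.sub("", submitted)

    # Step 3: constant-time comparison of cookie copy and submitted copy.
    if not hmac.compare_digest(cookie_token, submitted):
        return False, REASON_BAD_TOKEN
    return True, None


def demo():
    """Exercise the three outcomes the ticket is about; returns them for inspection."""
    tok = new_token()
    return {
        # Header present, cookie absent: rejected before the header is read
        "header_only": check_csrf("POST", {}, {}, {"X-CSRFToken": tok}),
        # Cookie and header agree: accepted
        "cookie_and_header": check_csrf(
            "POST", {"csrftoken": tok}, {}, {"X-CSRFToken": tok}),
        # Cookie present, header is a different value: rejected
        "mismatch": check_csrf(
            "POST", {"csrftoken": tok}, {}, {"X-CSRFToken": new_token()}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `header_only` case is exactly the situation in the report: the early return on a missing cookie is the intended behaviour, because accepting a header with no cookie to match would reduce the check to "the client sent some string", which any cross-site request could do.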
Change History (1)
comment:1 by , 9 years ago
| Component: | Uncategorized → CSRF |
|---|---|
| Resolution: | → needsinfo |
| Status: | new → closed |
Did you read the documentation for how CSRF protection works? It's not clear to me if this query belongs here (what's the bug?) or if it's more of a usage question, in which case see TicketClosingReasons/UseSupportChannels.