Opened 8 years ago
Closed 8 years ago
#26904 closed Uncategorized (needsinfo)
CSRF middleware ignores X-CSRFToken if token not in cookies
Reported by: | mrmagooey | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 1.9 |
Severity: | Normal | Keywords: | csrf |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
This might be desired behaviour, but currently it seems that POST X-CSRFToken headers are ignored?

It seems that this line:
https://github.com/django/django/blob/master/django/middleware/csrf.py#L170
will set the csrf_token to None if the token is not available in the Cookies header, and then this line:
https://github.com/django/django/blob/master/django/middleware/csrf.py#L250
will cause the middleware to return early, and never check the value of the X-CSRFToken header.

There is a comment around line 250 that this is desired behaviour, so I'm a bit confused. My Python/Django is a little rusty, so apologies if this is my bad.
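The order of checks the reporter describes, as an added illustration (this is not Django's own code, only a model of the double-submit pattern): the cookie holds the reference value, so without it there is nothing to compare a submitted token against, and the request is rejected before the X-CSRFToken header is read. `Request` is a constructed stand-in for Django's HttpRequest; `check_csrf` and `CSRF_COOKIE_NAME` are names assumed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for HttpRequest: only the attributes the check reads.
@dataclass
class Request:
    method: str
    COOKIES: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    META: dict = field(default_factory=dict)


CSRF_COOKIE_NAME = "csrftoken"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def check_csrf(request):
    """Return (accepted, reason) for a request, checking the cookie first
    and only then the form field / header, as the ticket describes."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    # Step 1: the cookie is the reference secret. Without it the header
    # alone proves nothing, so reject here (the early return the reporter saw).
    cookie_token = request.COOKIES.get(CSRF_COOKIE_NAME)
    if cookie_token is None:
        return False, "CSRF cookie not set."
    # Step 2: the submitted token comes from the form field or, failing that,
    # the X-CSRFToken header (Django exposes it as META['HTTP_X_CSRFTOKEN']).
    request_token = request.POST.get("csrfmiddlewaretoken")
    if request_token is None:
        request_token = request.META.get("HTTP_X_CSRFTOKEN", "")
    # Step 3: constant-time comparison so timing does not leak the token.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        return False, "CSRF token missing or incorrect."
    return True, "token matches cookie"


def demo():
    """Header without cookie is rejected; header matching cookie is accepted."""
    token = secrets.token_hex(16)
    header_only = Request("POST", META={"HTTP_X_CSRFTOKEN": token})
    both = Request("POST", COOKIES={CSRF_COOKIE_NAME: token},
                   META={"HTTP_X_CSRFTOKEN": token})
    return check_csrf(header_only), check_csrf(both)
```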
Change History (1)
comment:1 by , 8 years ago
Component: | Uncategorized → CSRF |
---|---|
Resolution: | → needsinfo |
Status: | new → closed |
Did you read the documentation for how CSRF protection works? It's not clear to me if this query belongs here (what's the bug?) or if it's more of a usage question, in which case see TicketClosingReasons/UseSupportChannels.