Opened 8 years ago

Closed 8 years ago

#26904 closed Uncategorized (needsinfo)

CSRF middleware ignores X-CSRFToken if token not in cookies

Reported by: mrmagooey Owned by: nobody
Component: CSRF Version: 1.9
Severity: Normal Keywords: csrf
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

This might be desired behaviour, but currently it seems that POST X-CSRFToken headers are ignored?

It seems that this line:

https://github.com/django/django/blob/master/django/middleware/csrf.py#L170

will set the csrf_token to None if the token is not available in the Cookies header, and then this line:

https://github.com/django/django/blob/master/django/middleware/csrf.py#L250

will cause the middleware to return early, and never check the value of X-CSRFToken header.

There is a comment around line 250 that this is desired behaviour, so I'm a bit confused. My python/django is a little rusty, so apologies if this is my bad.
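The flow the report describes is the double-submit-cookie pattern: the secret lives in the `csrftoken` cookie, and the `X-CSRFToken` header (or the `csrfmiddlewaretoken` form field) only has to match it. With no cookie there is nothing to compare the header against, so rejecting before reading the header is the intended outcome. The following is an added illustration, not Django's own middleware code; `check_csrf`, its argument names and the reason strings are constructed for this example, and the token is compared unmasked for simplicity.

```python
import hmac
import secrets

# Names follow Django's defaults; the rest of this file is a constructed example.
CSRF_COOKIE_NAME = "csrftoken"
CSRF_HEADER_NAME = "X-CSRFToken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def new_csrf_token() -> str:
    """Secret the server sets in the CSRF cookie on a first response."""
    return secrets.token_hex(16)


def check_csrf(method: str, cookies: dict, headers: dict, form: dict):
    """Minimal double-submit-cookie check.

    Returns (accepted, reason). The order of checks mirrors the early return
    described in the ticket: the cookie is inspected first, and when it is
    absent the header is never consulted.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check required"

    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    if cookie_token is None:
        # Nothing to compare against, so the request token is irrelevant.
        return False, "CSRF cookie not set"

    # A form field wins when present; AJAX clients supply the header instead.
    request_token = form.get(CSRF_FORM_FIELD) or headers.get(CSRF_HEADER_NAME)
    if request_token is None:
        return False, "CSRF token missing"

    # Constant-time comparison so the check does not leak the secret via timing.
    if not hmac.compare_digest(cookie_token, request_token):
        return False, "CSRF token incorrect"
    return True, "ok"


def demo() -> dict:
    """Run the scenarios from the ticket over constructed requests."""
    token = new_csrf_token()
    return {
        "header only, no cookie": check_csrf(
            "POST", {}, {CSRF_HEADER_NAME: token}, {}),
        "cookie and matching header": check_csrf(
            "POST", {CSRF_COOKIE_NAME: token}, {CSRF_HEADER_NAME: token}, {}),
        "cookie and wrong header": check_csrf(
            "POST", {CSRF_COOKIE_NAME: token}, {CSRF_HEADER_NAME: "x" * 32}, {}),
        "cookie, no token at all": check_csrf(
            "POST", {CSRF_COOKIE_NAME: token}, {}, {}),
    }


if __name__ == "__main__":
    for scenario, (accepted, reason) in demo().items():
        print(f"{scenario:30} -> {'accepted' if accepted else 'rejected'}: {reason}")
```

The first scenario is the one the reporter hit: a header is sent, but without the cookie the request is rejected before the header is read. If a client sees "CSRF cookie not set", the fix is on the client side (make a GET that sets the cookie, or ensure cookies are being stored and sent), not a change to which header is checked.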

Change History (1)

comment:1 by Tim Graham, 8 years ago

Component: Uncategorized → CSRF
Resolution: → needsinfo
Status: new → closed

Did you read the documentation for how CSRF protection works? It's not clear to me if this query belongs here (what's the bug?) or if it's more of a usage question, in which case see TicketClosingReasons/UseSupportChannels.
