Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#30091 closed Cleanup/optimization (fixed)

Incorrect middleware ordering allows invalid HTTP_HOST header to cause CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.

Reported by: Mark Gregson Owned by: Carlton Gibson
Component: Documentation Version: dev
Severity: Normal Keywords: middleware
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I've observed that when using CSRF_USE_SESSIONS = True and with SessionMiddleware correctly placed before CsrfViewMiddleware that a request with an invalid HTTP_HOST header raises an exception and, while preparing a response for this exception, the CsrfViewMiddleware raises an unhandled ImproperlyConfigured exception and an internal server error is returned to the browser.

I expect that an HTTP 400 will be returned to the user for an invalid HTTP_HOST header and that the CsrfViewMiddleware will not raise an exception.

To reproduce, configure the application as above, set up a new hostname (one that is not in ALLOWED_HOSTS) pointing at the Django application (using the hosts file, for example), and then request that hostname.

Attachments (2)

error_log.txt (3.8 KB ) - added by Mark Gregson 6 years ago.
min_example.diff (1.5 KB ) - added by Mark Gregson 6 years ago.
Patch to create minimal project reproducing the bug

Download all attachments as: .zip

Change History (11)

by Mark Gregson, 6 years ago

Attachment: error_log.txt added

comment:1 by Carlton Gibson, 6 years ago

Hi Mark. Do you have an example project you can upload demonstrating this issue? Thanks!

comment:2 by Mark Gregson, 6 years ago

Hi Carlton. Not one I can easily share. I'll see if I can create a minimal project that reproduces it.

by Mark Gregson, 6 years ago

Attachment: min_example.diff added

Patch to create minimal project reproducing the bug

comment:3 by Mark Gregson, 6 years ago

Okay, I've just attached a minimal working example. I've provided it as a patch to a 'django-admin startproject' site template using Django 1.11.18. You should just be able to do:

  1. django-admin startproject mysite
  2. cd mysite
  3. patch -p1 < min_example.diff

In this example I've configured ALLOWED_HOSTS = ['localhost'] and added '127.0.0.1 dummy' to my /etc/hosts file. Requesting http://dummy:8000/ reproduces the ImproperlyConfigured exception.

While producing this example I found that placing CommonMiddleware before SessionMiddleware was also required to reproduce the bug. I'm unsure if this is a configuration error; but I couldn't see anything about ordering of those two middleware classes when I scanned the documentation just now.

Cheers
Mark

Last edited 6 years ago by Mark Gregson (previous) (diff)

comment:4 by Carlton Gibson, 6 years ago

Hey Mark. Super effort. Thank you. I’ll have a look at the project and get back to you. 👍

comment:5 by Carlton Gibson, 6 years ago

Component: UncategorizedDocumentation
Has patch: set
Keywords: middleware added
Owner: changed from nobody to Carlton Gibson
Status: newassigned
Triage Stage: UnreviewedAccepted
Type: BugCleanup/optimization
Version: 1.11master

OK, this is a documentation issue.

Error views are wrapped with @requires_csrf_token, so SessionMiddleware must appear before any middleware that may raise an exception when using CSRF_USE_SESSIONS.

The default project template has this correct, so you have to "opt-in" to this error.

PR

Thanks for the report and the project to reproduce Mark!

comment:6 by Carlton Gibson, 6 years ago

Summary: Invalid HTTP_HOST header causes CsrfViewMiddleware failureIncorrect middleware ordering allows invalid HTTP_HOST header to cause CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.

comment:7 by Mark Gregson, 6 years ago

Thanks Carlton. Appreciate the quick review.

comment:8 by Tim Graham <timograham@…>, 6 years ago

Resolution: fixed
Status: assignedclosed

In 89d39dc:

[2.2.x] Fixed #30091 -- Doc'd middleware ordering requirements with CSRF_USE_SESSIONS.

Backport of bae66e759faee8513da4b11d3fd16b044b415bdb from master.

comment:9 by Tim Graham <timograham@…>, 6 years ago

In bae66e75:

Fixed #30091 -- Doc'd middleware ordering requirements with CSRF_USE_SESSIONS.

Note: See TracTickets for help on using tickets.
Back to Top