Opened 4 years ago
Closed 4 years ago
#31089 closed Bug (fixed)
May be CSRF middleware logical error
| Reported by: | sinyawskiy | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | 2.2 |
| Severity: | Normal | Keywords: | CSRF Token |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
In file middleware/csrf.py in class CsrfViewMiddleware in process view: DJANGO (2.2.8 and other)
We check the request for a token.
Check that method is not in (GET, HEAD, OPTIONS, TRACE), then
(In line 284) check CSRF cookie, than if not token -> reject. Check request finished in this line always.
But in line 293. We check POST data. Need to exists both cookie and data value csrfmiddlewaretoken ??? Why?
And in line 304. If not method POST we check PUT and DELETE, get token value from request header. Need to exists both cookie and header value X-CSRFToken? Why?
In my opinion. CSRF need check in COOKIE after PUT POST DELETE methods, and reject if not set token in all methods and in COOKIE to.
Thank you very much.