﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31089	May be CSRF middleware logical error	sinyawskiy	nobody	"In file middleware/csrf.py, in class CsrfViewMiddleware, in process_view: Django (2.2.8 and other versions)

We check the request for a token.
Check that the method is not in (GET, HEAD, OPTIONS, TRACE), then
(in line 284) check the CSRF cookie, then if there is no token -> reject. The request check is always finished in this line.

But in line 293, we check the POST data. Both the cookie and the data value csrfmiddlewaretoken need to exist??? Why?
And in line 304, if the method is not POST we check PUT and DELETE, and get the token value from the request header. Both the cookie and the header value X-CSRFToken need to exist? Why?

In my opinion, CSRF needs to be checked in the COOKIE for the PUT, POST and DELETE methods, and rejected if the token is not set, for all methods and in the COOKIE too.

Thank you very much.
"	Bug	closed	CSRF	2.2	Normal	fixed	CSRF Token		Unreviewed	0	0	0	0	1	0
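The flow the ticket walks through (skip safe methods, require the cookie, then require a matching token from the form field or the X-CSRFToken header) is the double-submit cookie pattern: the browser attaches the cookie to a cross-site form post automatically, but a cross-site page cannot read that cookie, so only a request that also carries the cookie's value in the body or a header can have come from the site's own pages. The example below is added here to illustrate that point and is not Django's middleware code; the `Request` stand-in class, the helper names, the plain unmasked token comparison and the constructed sample requests are assumptions made for illustration (Django 2.2 additionally masks the token before comparing it). It contrasts a cookie-only check with the cookie-plus-token check and shows that the forged cross-site request passes the first and fails the second.

```python
"""Double-submit CSRF check, modelled on the flow the ticket describes.

Added, simplified example, not Django's own middleware: the Request class,
helper names and the unmasked token comparison are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"
FORM_FIELD = "csrfmiddlewaretoken"
HEADER_NAME = "HTTP_X_CSRFTOKEN"   # META name of the X-CSRFToken header


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not Django's)."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    meta: dict = field(default_factory=dict)


def cookie_only_check(request: Request):
    """The ticket's proposal: for unsafe methods, only require the cookie."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    if not request.cookies.get(COOKIE_NAME):
        return False, "CSRF cookie not set"
    return True, "ok"


def double_submit_check(request: Request):
    """The flow in the ticket: cookie AND a matching per-request token."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    cookie_token = request.cookies.get(COOKIE_NAME, "")
    if not cookie_token:
        return False, "CSRF cookie not set"
    # The token travels in the form field for POST, otherwise (or as a
    # fallback) in the X-CSRFToken header. The browser never adds either
    # on its own, which is what distinguishes a cross-site submission.
    request_token = ""
    if request.method == "POST":
        request_token = request.post.get(FORM_FIELD, "")
    if request_token == "":
        request_token = request.meta.get(HEADER_NAME, "")
    if not request_token:
        return False, "CSRF token missing"
    if not hmac.compare_digest(request_token, cookie_token):
        return False, "CSRF token incorrect"
    return True, "ok"


def build_requests():
    """Constructed sample requests: legitimate, forged, guessed, and AJAX PUT."""
    token = secrets.token_urlsafe(24)  # value the site set in the victim's cookie
    legitimate = Request("POST", cookies={COOKIE_NAME: token},
                         post={FORM_FIELD: token, "amount": "10"})
    # A form on an attacker's page: the browser attaches the victim's cookie
    # automatically, but the attacker cannot read it, so no token field.
    forged = Request("POST", cookies={COOKIE_NAME: token},
                     post={"amount": "9999"})
    # Same attack, but the attacker fills the field with a guessed value.
    forged_guess = Request("POST", cookies={COOKIE_NAME: token},
                           post={FORM_FIELD: "x" * 32, "amount": "9999"})
    # Same-origin script sending the cookie value in the header for a PUT.
    ajax_put = Request("PUT", cookies={COOKIE_NAME: token},
                       meta={HEADER_NAME: token})
    return legitimate, forged, forged_guess, ajax_put


if __name__ == "__main__":
    for req in build_requests():
        print(req.method, cookie_only_check(req), double_submit_check(req))
```

Run it and the forged POST is the only interesting row: `cookie_only_check` accepts it because the cookie is present, while `double_submit_check` rejects it with "CSRF token missing". That is why the middleware needs both values rather than the cookie alone.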
