Opened 4 years ago
Last modified 4 years ago
#31845 closed Bug
CSRF check fails when browsing with FQDN with trailing dot — at Initial Version
| Reported by: | ippei | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | 2.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Florian Apolloner | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The CSRF check seems to fail with "Referer checking failed" when the user is browsing with an FQDN with a trailing dot.
At this line: https://github.com/django/django/blob/2.2.12/django/middleware/csrf.py#L280
While `referer.netloc` has a trailing dot, one of the `good_hosts` comes from `request.get_host()`, which strips the trailing dot. `is_same_domain` does not consider domain strings with and without trailing dots to be the same domain.
We set neither CSRF_USE_SESSIONS nor CSRF_COOKIE_DOMAIN in settings.
(Our system uses DRF, but the original error seems to come from the CsrfViewMiddleware implementation.)
For now, we add our production domain with a trailing dot to CSRF_TRUSTED_ORIGINS to circumvent this issue.
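The mismatch described in the ticket, reproduced outside Django as an added example (not code from the ticket or from Django itself). `is_same_domain` is a reimplementation of the Django 2.2 helper, the Referer URL and host values are constructed, and `normalize_host` is an illustrative normalization, not Django's fix.

```python
"""Reproduce the trailing-dot Referer mismatch from the ticket, without Django."""
from urllib.parse import urlparse


def is_same_domain(host, pattern):
    """Reimplementation of django.utils.http.is_same_domain (Django 2.2):
    exact match, or a leading-dot pattern that matches a subdomain.
    No trailing-dot handling, so 'example.com.' never equals 'example.com'."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == '.' and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def referer_check(referer_url, good_hosts):
    """Mirror of the CsrfViewMiddleware loop: accept the request if the
    Referer's netloc matches any trusted host."""
    referer = urlparse(referer_url)
    return any(is_same_domain(referer.netloc, host) for host in good_hosts)


def normalize_host(host):
    """Illustrative normalization (an assumption, not Django's fix): drop one
    trailing dot so the absolute FQDN compares equal to the relative form."""
    return host[:-1] if host.endswith('.') else host


# Constructed sample values: the browser keeps the trailing dot in the Referer,
# while request.get_host() returns the host without it.
REFERER_URL = 'https://app.example.com./accounts/login/'
GOOD_HOSTS = ['app.example.com']          # what request.get_host() yields
TRUSTED_WITH_DOT = ['app.example.com.']   # the reporter's CSRF_TRUSTED_ORIGINS workaround


def demo():
    """Return (unpatched result, result with workaround, result with normalization)."""
    failing = referer_check(REFERER_URL, GOOD_HOSTS)
    workaround = referer_check(REFERER_URL, GOOD_HOSTS + TRUSTED_WITH_DOT)
    netloc = normalize_host(urlparse(REFERER_URL).netloc)
    normalized = any(is_same_domain(netloc, h) for h in GOOD_HOSTS)
    return failing, workaround, normalized


if __name__ == '__main__':
    print(demo())  # (False, True, True)
```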