Opened 4 years ago

Last modified 4 years ago

#31845 closed Bug

CSRF check fails when browsing with FQDN with trailing dot — at Version 1

Reported by: ippei
Owned by: nobody
Component: CSRF
Version: 2.2
Severity: Normal
Keywords:
Cc: Florian Apolloner
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by ippei)

The CSRF check seems to fail with "Referer checking failed" when the user is browsing with an FQDN with a trailing dot.

At this line: https://github.com/django/django/blob/2.2.12/django/middleware/csrf.py#L280
While referer.netloc has a trailing dot, the entry in good_hosts that is supposed to match comes from request.get_host(), which strips the trailing dot.
is_same_domain does not consider domain strings with and without a trailing dot to be the same domain.

We set neither CSRF_USE_SESSIONS nor CSRF_COOKIE_DOMAIN in settings.
(Our system uses DRF, but the original error seems to come from the CsrfViewMiddleware implementation.)

For now, we add our production domain with a trailing dot to CSRF_TRUSTED_ORIGINS to circumvent this issue.
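The mismatch described above, reproduced in plain Python as an added example (not code from the ticket or from Django itself): `is_same_domain` and the trailing-dot stripping of `split_domain_port` are re-typed here to mirror Django 2.2's logic, `referer_is_trusted` is a simplified stand-in for the referer check in CsrfViewMiddleware (hostnames without ports are assumed), and `referer_is_trusted_normalized` is a hypothetical fix that strips the trailing dot from the referer before comparing.

```python
from urllib.parse import urlparse


def is_same_domain(host, pattern):
    """Mirror of django.utils.http.is_same_domain (2.2): exact match, or a
    suffix match when the pattern starts with a dot. No trailing-dot handling."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "."
        and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def host_as_seen_by_get_host(raw_host):
    """Simplified mirror of what request.get_host() does via split_domain_port:
    lowercase the Host header and drop a trailing dot (port handling omitted)."""
    host = raw_host.lower()
    if host.endswith("."):
        host = host[:-1]
    return host


def referer_is_trusted(referer, good_hosts):
    """Stand-in for the middleware's referer check: the raw referer netloc is
    compared against good_hosts, which already had their trailing dot removed."""
    netloc = urlparse(referer).netloc.lower()
    return any(is_same_domain(netloc, host) for host in good_hosts)


def referer_is_trusted_normalized(referer, good_hosts):
    """Hypothetical fix: normalise the referer the same way get_host() does,
    so 'example.com.' and 'example.com' compare equal. Unrelated origins
    are still rejected."""
    netloc = host_as_seen_by_get_host(urlparse(referer).netloc)
    return any(is_same_domain(netloc, host) for host in good_hosts)


# Constructed sample: the browser sends Host and Referer with a trailing dot.
GOOD_HOSTS = [host_as_seen_by_get_host("Example.COM.")]   # -> ["example.com"]
REFERER = "https://example.com./account/settings/"
```

Running `referer_is_trusted(REFERER, GOOD_HOSTS)` returns False (the failure from the ticket), while the normalised variant returns True and still rejects a referer from a different domain.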

Change History (1)

comment:1 by ippei, 4 years ago

Description: modified (diff)