Opened 4 years ago

Closed 4 years ago

#32571 closed Bug (fixed)

CsrfViewMiddleware assumes referer header can be parsed

Reported by: Chris Jerdonek Owned by: AdamDonna
Component: CSRF Version: 3.1
Severity: Normal Keywords: referer, CSRF, CsrfViewMiddleware
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Django's CsrfViewMiddleware assumes that the HTTP referer header is valid when checking it. Specifically, it doesn't handle the case of urlparse() raising a ValueError in this line (e.g. for urls like 'https://['):
https://github.com/django/django/blob/45814af6197cfd8f4dc72ee43b90ecde305a1d5a/django/middleware/csrf.py#L244
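The failure the ticket describes, as an added illustration that is not Django's own code: a Referer check written in the shape of the middleware's, first without and then with a guard around `urlparse()`. The reason strings, `check_referer`, `unguarded_check` and `raises_value_error` are names chosen here, not identifiers from the project.

```python
from urllib.parse import urlparse

# Rejection reasons for this illustration (hypothetical names, not Django's).
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def unguarded_check(referer, good_hosts):
    """Same-origin Referer check that trusts urlparse() to succeed.

    For a header such as 'https://[' urlparse() raises ValueError
    ("Invalid IPv6 URL"); an unguarded call turns a malformed header
    into an unhandled exception instead of a rejected request.
    """
    if referer is None:
        return REASON_NO_REFERER
    parsed = urlparse(referer)  # may raise ValueError
    if "" in (parsed.scheme, parsed.netloc):
        return REASON_MALFORMED_REFERER
    if parsed.scheme != "https" or parsed.netloc not in good_hosts:
        return REASON_BAD_REFERER % referer
    return None


def check_referer(referer, good_hosts):
    """Hardened form: a header urlparse() cannot parse is rejected outright,
    with the same reason already used for a URL missing scheme or host.

    Returns None when the Referer is acceptable, else the rejection reason.
    """
    if referer is None:
        return REASON_NO_REFERER
    try:
        parsed = urlparse(referer)
    except ValueError:
        return REASON_MALFORMED_REFERER
    if "" in (parsed.scheme, parsed.netloc):
        return REASON_MALFORMED_REFERER
    if parsed.scheme != "https" or parsed.netloc not in good_hosts:
        return REASON_BAD_REFERER % referer
    return None


def raises_value_error(func, *args):
    """Helper for demonstrating the unguarded behaviour without crashing."""
    try:
        func(*args)
    except ValueError:
        return True
    return False
```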

Change History (6)

comment:1 by Mariusz Felisiak, 4 years ago

Triage Stage: Unreviewed → Accepted

comment:2 by AdamDonna, 4 years ago

Should the response in this scenario be something like this line? Or would a different response reason make more sense? https://github.com/django/django/blob/45814af6197cfd8f4dc72ee43b90ecde305a1d5a/django/middleware/csrf.py#L248

in reply to:  2 comment:3 by Mariusz Felisiak, 4 years ago

Replying to AdamDonna:

Should the response in this scenario be something like this line? Or would a different response reason make more sense? https://github.com/django/django/blob/45814af6197cfd8f4dc72ee43b90ecde305a1d5a/django/middleware/csrf.py#L248

Yes, we should reject immediately.

comment:4 by AdamDonna, 4 years ago

Great, I've got a PR up for this. Are there any docs that need to be updated?
https://github.com/django/django/pull/14151

in reply to:  4 comment:5 by Mariusz Felisiak, 4 years ago

Has patch: set
Owner: changed from nobody to AdamDonna
Status: new → assigned
Triage Stage: Accepted → Ready for checkin

Replying to AdamDonna:

Great, I've got a PR up for this. Are there any docs that need to be updated?
https://github.com/django/django/pull/14151

No need, thanks.

comment:6 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

Resolution: fixed
Status: assigned → closed

In e49fdfa4:

Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header.
