id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34465	Handle malformed CSRF cookie	Miha Sedej	nobody	"If the CSRF cookie contains invalid characters then **CsrfViewMiddleware** middleware raises a 500 internal server error at each request.

https://github.com/django/django/blob/main/django/middleware/csrf.py#L65 can't handle invalid characters and raises a **ValueError: substring not found** exception.

Some clients like https://github.com/pjperez/httping send a malformed CSRF cookie value. See the example:
{{{
""\""HpgYRzmZcUTBq8HW5Ms1ZpCcoKX2SLRa Max-Age=43200 Path=/ SameSite=Lax\\054stmpdid=zdfUYW3e0iLhc4_VfBHhoOGTidnz6mkYVU4yuvIx8ID9biwIrPVyFUdfcsbhZpZw0BteEJ7rXXZVKcaoshDtLe4 Max-Age=220752000 Path=/ SameSite=Lax\"" Max-Age=43200 Path=/ SameSite=Lax\054stmpdid=OedsyDX-7s_guDKt1gZymYrTike8rzoZTmXpCeIMlGhPhR6LhfDh3Io3BlkdC3JoBuH4udHybYkC0LPy4_M9lpI Max-Age=220752000 Path=/ SameSite=Lax"" Max-Age=43200 Path=/ SameSite=Lax,stmpdid=nj7BSEFLimv_-VSAxllXPYtBSiTNpeK3ht6lrc9hKS92EW0vE4zPuP5-R5NNbsDBkNB7seF6Q2i06rrU2mSVZIA Max-Age=220752000 Path=/ SameSite=Lax
}}}

I recommend returning a 400 response code instead of raising a 500 internal server error."	Bug	closed	CSRF	4.1	Normal	needsinfo	csrf, 500 error	Ruchir Harbhajanka	Unreviewed	0	0	0	0	0	0
