#19778: csrf middleware reports BAD_REFERER when HTTP_HOST contains port
--------------------------------+--------------------
     Reporter:  jens.tinfors@…  |  Owner:  nobody
         Type:  Uncategorized   |  Status:  new
    Component:  contrib.csrf    |  Version:  1.4
     Severity:  Normal          |  Keywords:
 Triage Stage:  Unreviewed      |  Has patch:  0
Easy pickings:  0               |  UI/UX:  0
--------------------------------+--------------------
For a given request with the HTTP_HOST header set to 'www.example.com:443' and the HTTP_REFERER set to 'https://www.example.com/somepage', the same_origin check will report REASON_BAD_REFERER due to the fact that HOST has a port and REFERER does not. Perhaps, as in my case, a less competent firewall has tampered with the request on its way to the server.
Here's a failing test (that I added to tests/regressiontests/csrf_tests/tests.py):

{{{
def test_https_good_referer_with_port(self):
    req = self._get_POST_request_with_token()
    req._is_secure_override = True  # treat the request as HTTPS
    req.META['HTTP_HOST'] = 'www.example.com:443'
    req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
    req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
    self.assertEqual(None, req2)  # None means the middleware accepted the request
}}}

I know the port is a valid part of the same_origin check, but I'm thinking that if it's missing from the REFERER, the scheme is https and HTTP_HOST uses the default port, maybe we can skip the port in the same_origin check. What do you think?

Incidentally, if I set a port number on the HTTP_REFERER the test still fails:

{{{
def test_https_good_referer_with_port(self):
    req = self._get_POST_request_with_token()
    req._is_secure_override = True  # treat the request as HTTPS
    req.META['HTTP_HOST'] = 'www.example.com:443'
    req.META['HTTP_REFERER'] = 'https://www.example.com/somepage:443'
    req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
    self.assertEqual(None, req2)  # None means the middleware accepted the request
}}}

kind regards
/jens

--
Ticket URL: <https://code.djangoproject.com/ticket/19778>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
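To make the failure mode concrete, here is an added example (not code from the ticket, the reporter, or Django itself) that reimplements the two comparison strategies in plain Python 3: a strict (scheme, netloc) comparison of the kind the ticket describes, beside a variant that fills in the scheme's default port before comparing, which is the direction the reporter suggests. The `good_referer_for_host` helper rebuilds the `https://<host>/` value the middleware compares the Referer against; the `referer_accepted` wrapper and the `CASES` list are constructed for this example and assume an HTTPS request. The example also goes beyond the ticket's two cases to show that a genuinely different port, a scheme downgrade, and a malformed port are still rejected under the relaxed comparison.

```python
"""Same-origin Referer check, strict vs. default-port-normalized.

Added example, not Django's code. The strict function mirrors a
(scheme, netloc) comparison; the normalized one compares
(scheme, hostname, port) with the scheme's default port filled in.
"""
from urllib.parse import urlparse

# Default ports per scheme; anything else is treated as unknown and rejected.
DEFAULT_PORTS = {"http": 80, "https": 443}


def good_referer_for_host(host):
    """Build the 'https://<host>/' origin string the middleware compares against."""
    return "https://%s/" % host


def same_origin_strict(url1, url2):
    """Compare (scheme, netloc) verbatim, so 'host:443' does not equal 'host'."""
    p1, p2 = urlparse(url1), urlparse(url2)
    return (p1.scheme, p1.netloc) == (p2.scheme, p2.netloc)


def same_origin_default_port(url1, url2):
    """Compare (scheme, hostname, port), filling in the scheme's default port.

    A missing port is only equated with the default port of the same scheme,
    so 'host:8443' stays a distinct origin from 'host'. Unknown schemes and
    malformed ports (urlparse raises ValueError for 'host:abc') are rejected
    rather than silently matched.
    """
    def origin(url):
        p = urlparse(url)
        port = p.port  # raises ValueError when the port is not an integer
        if port is None:
            port = DEFAULT_PORTS[p.scheme]  # KeyError for an unknown scheme
        return (p.scheme, p.hostname, port)

    try:
        return origin(url1) == origin(url2)
    except (ValueError, KeyError):
        return False


def referer_accepted(http_host, http_referer, same_origin=same_origin_default_port):
    """Emulate the HTTPS-request decision: True if the Referer would be accepted."""
    if not http_referer:
        return False  # a missing Referer on HTTPS is rejected outright
    return same_origin(http_referer, good_referer_for_host(http_host))


# Constructed cases (assumed inputs, not captured traffic).
CASES = [
    ("www.example.com:443", "https://www.example.com/somepage"),       # ticket's first test
    ("www.example.com:443", "https://www.example.com/somepage:443"),   # ':443' sits in the path, not the netloc
    ("www.example.com:443", "https://www.example.com:443/somepage"),   # port present in both
    ("www.example.com:8443", "https://www.example.com/somepage"),      # genuinely different port
    ("www.example.com:443", "http://www.example.com/somepage"),        # scheme downgrade
    ("www.example.com:443", "https://www.example.com:abc/"),           # malformed port
]

if __name__ == "__main__":
    for host, referer in CASES:
        print("%-22s %-40s strict=%-5s default_port=%s" % (
            host, referer,
            referer_accepted(host, referer, same_origin_strict),
            referer_accepted(host, referer)))
```

Running the block prints one line per case. Only the relaxed comparison accepts the ticket's two inputs; both comparisons still reject a different explicit port, an `http://` Referer against an HTTPS host, and a port that does not parse. Note that the Host header side of the comparison is itself request-controlled, so a check like this is only as trustworthy as whatever validation the host value has already passed.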