#20411: Invalid Referer header blows up on CSRF protection middleware
-------------------------------+-------------------------------------
     Reporter:  edevil         |      Owner:  nobody
         Type:  Bug            |     Status:  new
    Component:  HTTP handling  |    Version:  1.5
     Severity:  Normal         |   Keywords:  referer valueerror csrf
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+-------------------------------------
 If a client sends an invalid Referer header such as
 'http://http://xxx.pt/', the CSRF middleware will blow up with an error:

 {{{
 ERROR 2013-05-15 17:38:56,542 django.request:212 22023 140475533584128
 Internal Server Error: /
 Traceback (most recent call last):
   File "/servers/python-environments/discosite/local/lib/python2.7/site-
 packages/django/core/handlers/base.py", line 109, in get_response
     response = middleware_method(request, callback, callback_args,
 callback_kwargs)
   File "/servers/python-environments/discosite/local/lib/python2.7/site-
 packages/django/middleware/csrf.py", line 148, in process_view
     if not same_origin(referer, good_referer):
   File "/servers/python-environments/discosite/local/lib/python2.7/site-
 packages/django/utils/http.py", line 229, in same_origin
     return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname,
 p2.port)
   File "/usr/lib/python2.7/urlparse.py", line 110, in port
     port = int(port, 10)
 ValueError: invalid literal for int() with base 10: ''
 }}}

 Either we catch the Exception or we are more careful when comparing.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/20411>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
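As an added example (not the ticket's or Django's own code), a same-origin comparison that treats any URL whose port `urlparse` cannot parse as a non-match, so a CSRF check rejects the request with 403 instead of raising a 500. It uses Python 3's `urllib.parse`, where the ticket's `'http://http://xxx.pt/'` yields an empty port that parses as `None`; the constructed input `'http://xxx.pt:notaport/'` stands in for the ValueError case.

```python
from urllib.parse import urlparse  # Python 3 name of the urlparse module in the traceback


def safe_origin(url):
    """Return (scheme, hostname, port) for url, or None if it cannot be parsed.

    ParseResult.port raises ValueError when the netloc carries a port that
    is not an integer in 0..65535.  Mapping that to None lets the caller
    fail closed (reject) rather than propagate the exception.
    """
    try:
        p = urlparse(url)
        return (p.scheme, p.hostname, p.port)
    except ValueError:
        return None


def same_origin_safe(url1, url2):
    """Like same_origin() in the traceback, but never raises.

    An unparseable origin on either side compares as different, which is the
    safe default for a CSRF referer check.
    """
    o1 = safe_origin(url1)
    o2 = safe_origin(url2)
    if o1 is None or o2 is None:
        return False
    return o1 == o2


def referer_allowed(referer_header, good_referer):
    """Hypothetical middleware helper: a missing, empty or malformed Referer
    is rejected; only an exact scheme/host/port match is accepted."""
    if not referer_header:
        return False
    return same_origin_safe(referer_header, good_referer)


if __name__ == "__main__":
    # Constructed inputs mirroring the ticket's malformed header.
    for ref in ("https://xxx.pt/path", "http://http://xxx.pt/",
                "http://xxx.pt:notaport/", ""):
        print(repr(ref), "->", referer_allowed(ref, "https://xxx.pt/"))
```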
