#28488: Django 1.11 to 1.11.4 raises CSRF verification failed if settings.DEBUG is False
-------------------------------------+-------------------------------------
     Reporter:  Ruben Alves          |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  CSRF                 |                  Version:  1.11
     Severity:  Release blocker      |               Resolution:
     Keywords:  csrf failed settings |             Triage Stage:  Unreviewed
                debug false production
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Ruben Alves):

I finally solved my problem. The problem is: if a user just gets a `404` page, a new `CSRF Token` is generated, invalidating the `CSRF Token` that was originally loaded with `{% csrf_token %}`.

**How I discovered it**

On the website where I work, we have a page with the URI `/en/courses/`. On that page, in the `.html` file, we include a JavaScript file: `<script src="/static/js/app.js"></script>`

The `app.js` was trying to load a file named `assets/js/particles.json` using a relative path, so the final URL of the static file was `/en/courses/assets/js/particles.json`. Loading `particles.json` is the only thing that `app.js` was doing. Nothing else. That `particles.json` doesn't exist on our system.

After successfully loading `/en/courses/`, the Django server was receiving a request for `/en/courses/assets/js/particles.json`, which raises a `404` error for the static file, but this `404` error is not even noticed by the users because this JS file was doing nothing.

After I removed this `<script src="/static/js/app.js"></script>`, everything worked fine.

Then, with debug output in `django.middleware.csrf.CsrfViewMiddleware`, I could confirm that if I reload a page 1000 times, the `CSRF Token` returned by `_unsalt_cipher_token` (https://github.com/django/django/blob/stable/1.11.x/django/middleware/csrf.py#L62) is always the same. But if I just try to access a page that doesn't exist, then `_unsalt_cipher_token` returns a different value (a new token is generated).

Unbelievable that a single `javascript` file that doesn't even exist has broken my system and took me 3 days to find out.

--
Ticket URL: <https://code.djangoproject.com/ticket/28488#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
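As an added illustration (not code from the ticket, and not Django's own source), the following Python reimplements the mask/unmask scheme that Django 1.11's `_salt_cipher_secret` and `_unsalt_cipher_token` apply to the CSRF secret, and adds the diagnostic the reporter ran by hand: collect the masked `csrftoken` values handed out across a sequence of responses, unmask them, and report whether the underlying secret was rotated. The helper names other than the two Django ones, and the simulated request sequence, are assumptions made for this example.

```python
import hmac
import secrets
import string

# Constants as defined in Django 1.11's django/middleware/csrf.py.
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits


def new_csrf_secret():
    """A fresh 32-character secret; Django stores it (masked) in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def salt_cipher_secret(secret, mask=None):
    """Mask a secret: token = mask + (secret[i] + mask[i]) mod 62, per character.
    A new random mask on every render is why the {% csrf_token %} value and the
    cookie look different on each reload even when the secret itself is unchanged.
    (Reimplementation of Django 1.11's _salt_cipher_secret; `mask` parameter added
    here only so the example can be exercised deterministically.)"""
    if mask is None:
        mask = new_csrf_secret()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def unsalt_cipher_token(token):
    """Inverse of salt_cipher_secret: split off the mask and subtract it out.
    (Reimplementation of Django 1.11's _unsalt_cipher_token.)"""
    mask = token[:CSRF_SECRET_LENGTH]
    cipher = token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in cipher), (chars.index(x) for x in mask))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


def tokens_match(request_token, cookie_token):
    """The check the middleware performs on POST: unmask both sides and compare
    in constant time. Comparing the raw masked strings would always fail."""
    return hmac.compare_digest(unsalt_cipher_token(request_token),
                               unsalt_cipher_token(cookie_token))


def secret_rotated(cookie_tokens):
    """Given the csrftoken cookie values observed across a sequence of responses,
    report whether the underlying secret changed at any point. This is the
    reporter's observation made mechanical: unmasked values identical across
    reloads, a different one after the 404."""
    return len({unsalt_cipher_token(t) for t in cookie_tokens}) > 1


def simulate_ticket_scenario():
    """Constructed replay of the ticket's observation (assumed request sequence).
    Reloads of an existing page reuse the secret (only the mask changes); the 404
    in this scenario hands out a fresh secret, so the form token rendered before
    it no longer verifies against the cookie the browser now holds."""
    secret = new_csrf_secret()
    reload_cookies = [salt_cipher_secret(secret) for _ in range(3)]
    form_token = salt_cipher_secret(secret)               # what {% csrf_token %} rendered
    after_404_cookie = salt_cipher_secret(new_csrf_secret())  # cookie set by the 404 response
    return {
        "rotated_on_reloads": secret_rotated(reload_cookies),
        "rotated_after_404": secret_rotated(reload_cookies + [after_404_cookie]),
        "form_still_valid": tokens_match(form_token, after_404_cookie),
    }


if __name__ == "__main__":
    print(simulate_ticket_scenario())
```

When debugging a "CSRF verification failed" report, log the unmasked value on both the request and the cookie rather than the masked strings: the masked strings differ on every render by design, so only a change in the unmasked secret indicates that something (such as a 404 response setting a new cookie) has invalidated forms already rendered in the browser.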