#32800: CsrfViewMiddleware unnecessarily masks CSRF cookie -------------------------------------+------------------------------------- Reporter: Chris Jerdonek | Owner: nobody Type: | Status: new Cleanup/optimization | Component: CSRF | Version: dev Severity: Normal | Resolution: Keywords: | Triage Stage: | Unreviewed Has patch: 0 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 0 Easy pickings: 0 | UI/UX: 0 -------------------------------------+-------------------------------------
Comment (by Chris Jerdonek): Thanks for your comment! I'm pretty sure that scenario is already handled by the current code (I'm just not 100% sure if there are tests for it). For example, you can see [https://github.com/django/django/blob/c609d5149c9295207cd7b2e8154e7b80a18d834a/django/middleware/csrf.py#L405-L409 in the code] that `_sanitize_token()` is called on the (non-cookie) CSRF token, and `_sanitize_token()` [https://github.com/django/django/blob/c609d5149c9295207cd7b2e8154e7b80a18d834a/django/middleware/csrf.py#L127-L134 has special logic] to mask the cookie before returning it if it was passed the short version of length `CSRF_SECRET_LENGTH`. (However, my preference is to put that logic in `_compare_masked_tokens()` so that we're not relying on any assumptions on the arguments passed to `_compare_masked_tokens()` like we currently are.). Note also that the code currently has backwards-compat logic to accept ''cookies'' that aren't masked (via the same call to `_sanitize_token()`.) FWIW, I did prepare a patch privately and saw no problems, and on the whole it seems slightly simpler. I even have a comment addressing the point you make: {{{#!python # Fall back to X-CSRFToken, to make things easier for AJAX, and # possible for PUT/DELETE. try: # This can have length CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH, # depending on whether the client obtained the token from # the DOM or the cookie (and whether the cookie was masked # or unmasked). request_csrf_token = request.META[settings.CSRF_HEADER_NAME] except KeyError: return self._reject(request, REASON_CSRF_TOKEN_MISSING) }}} -- Ticket URL: <https://code.djangoproject.com/ticket/32800#comment:4> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/067.cdd5c9cd23cda96242d783a9885e81a1%40djangoproject.com.