Re: [Django] #32800: CsrfViewMiddleware unnecessarily masks CSRF cookie

Django Tue, 01 Jun 2021 00:27:13 -0700

#32800: CsrfViewMiddleware unnecessarily masks CSRF cookie
-------------------------------------+-------------------------------------
     Reporter:  Chris Jerdonek       |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  CSRF                 |                  Version:  dev
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------


Comment (by Chris Jerdonek):

 Thanks for your comment! I'm pretty sure that scenario is already handled
 by the current code (I'm just not 100% sure if there are tests for it).
 For example, you can see
 
[https://github.com/django/django/blob/c609d5149c9295207cd7b2e8154e7b80a18d834a/django/middleware/csrf.py#L405-L409
 in the code] that `_sanitize_token()` is called on the (non-cookie) CSRF
 token, and `_sanitize_token()`
 
[https://github.com/django/django/blob/c609d5149c9295207cd7b2e8154e7b80a18d834a/django/middleware/csrf.py#L127-L134
 has special logic] to mask the cookie before returning it if it was passed
 the short version of length `CSRF_SECRET_LENGTH`. (However, my preference
 is to put that logic in `_compare_masked_tokens()` so that we're not
 relying on any assumptions on the arguments passed to
 `_compare_masked_tokens()` like we currently are.). Note also that the
 code currently has backwards-compat logic to accept ''cookies'' that
 aren't masked (via the same call to `_sanitize_token()`.)

 FWIW, I did prepare a patch privately and saw no problems, and on the
 whole it seems slightly simpler. I even have a comment addressing the
 point you make:

 {{{#!python
 # Fall back to X-CSRFToken, to make things easier for AJAX, and
 # possible for PUT/DELETE.
 try:
     # This can have length CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH,
     # depending on whether the client obtained the token from
     # the DOM or the cookie (and whether the cookie was masked
     # or unmasked).
     request_csrf_token = request.META[settings.CSRF_HEADER_NAME]
 except KeyError:
     return self._reject(request, REASON_CSRF_TOKEN_MISSING)
 }}}

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32800#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.cdd5c9cd23cda96242d783a9885e81a1%40djangoproject.com.

Re: [Django] #32800: CsrfViewMiddleware unnecessarily masks CSRF cookie

Reply via email to