#34465: Handle malformed CSRF cookie
--------------------------------------+---------------------------------
               Reporter:  tresko      |          Owner:  nobody
                   Type:  Bug         |         Status:  new
              Component:  CSRF        |        Version:  4.1
               Severity:  Normal      |       Keywords:  csrf, 500 error
           Triage Stage:  Unreviewed  |      Has patch:  0
    Needs documentation:  0           |    Needs tests:  0
Patch needs improvement:  0           |  Easy pickings:  0
                  UI/UX:  0           |
--------------------------------------+---------------------------------
 If the CSRF cookie contains invalid characters then **CsrfViewMiddleware**
 middleware raises a 500 internal server error at each request.

 https://github.com/django/django/blob/main/django/middleware/csrf.py#L65
 can't handle invalid characters and raises **ValueError: substring not
 found** exception.

 Some clients like https://github.com/pjperez/httping send a malformed CSRF
 cookie value. See the example:

 {{{
 "\"HpgYRzmZcUTBq8HW5Ms1ZpCcoKX2SLRa Max-Age=43200 Path=/ SameSite=Lax\\054stmpdid=zdfUYW3e0iLhc4_VfBHhoOGTidnz6mkYVU4yuvIx8ID9biwIrPVyFUdfcsbhZpZw0BteEJ7rXXZVKcaoshDtLe4 Max-Age=220752000 Path=/ SameSite=Lax\" Max-Age=43200 Path=/ SameSite=Lax\054stmpdid=OedsyDX- 7s_guDKt1gZymYrTike8rzoZTmXpCeIMlGhPhR6LhfDh3Io3BlkdC3JoBuH4udHybYkC0LPy4_M9lpI Max-Age=220752000 Path=/ SameSite=Lax" Max-Age=43200 Path=/ SameSite=Lax,stmpdid=nj7BSEFLimv_- VSAxllXPYtBSiTNpeK3ht6lrc9hKS92EW0vE4zPuP5-R5NNbsDBkNB7seF6Q2i06rrU2mSVZIA Max-Age=220752000 Path=/ SameSite=Lax
 }}}

 I recommend returning a 400 response code instead of raising a 500
 internal server error.

--
Ticket URL: <https://code.djangoproject.com/ticket/34465>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
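The crash the ticket describes comes from `str.index()` being applied to cookie characters that are outside the CSRF token alphabet. The following added example is not Django's code and not part of the ticket; it is a stand-alone model of Django's mask/unmask scheme (the 62-character alphabet, a 32-character secret, a 64-character masked token) that reproduces the `ValueError: substring not found` on the ticket's cookie fragment, and then shows the defensive ordering the reporter asks for: validate the cookie's format first and answer a malformed value with a 400-style rejection instead of an unhandled exception. The cookie name `csrftoken`, the `handle_request` hook and the status/reason tuple it returns are assumptions for illustration.

```python
import re
import secrets
import string

# Constants mirroring Django's CSRF token layout (django/middleware/csrf.py).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 characters
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH

# Anything outside [a-zA-Z0-9] can never be part of a valid secret or token.
_BAD_CHAR_RE = re.compile(r"[^a-zA-Z0-9]")

# Constructed sample: the first fragment of the cookie value quoted in the
# ticket (32 token characters followed by cookie attributes that a client
# pasted into the value).
MALFORMED_COOKIE = "HpgYRzmZcUTBq8HW5Ms1ZpCcoKX2SLRa Max-Age=43200 Path=/ SameSite=Lax"


class InvalidTokenFormat(Exception):
    """Raised when a cookie value cannot be a CSRF secret or token."""


def new_secret():
    """Random 32-character secret drawn from the allowed alphabet."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret, mask):
    """Masked token = mask + (secret + mask) mod 62, character by character."""
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(c) for c in mask))
    return mask + "".join(chars[(x + y) % len(chars)] for x, y in pairs)


def unmask_token_unchecked(token):
    """Unmask WITHOUT validation. str.index() raises
    ValueError('substring not found') for any character outside the
    alphabet, which is the failure mode reported in the ticket."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in cipher), (chars.index(c) for c in mask))
    return "".join(chars[x - y] for x, y in pairs)  # negative index wraps around


def crash_message(token):
    """Return the ValueError text the unchecked path produces, or None."""
    try:
        unmask_token_unchecked(token)
    except ValueError as exc:
        return str(exc)
    return None


def check_token_format(value):
    """Reject wrong lengths and foreign characters before any index lookup."""
    if len(value) not in (CSRF_SECRET_LENGTH, CSRF_TOKEN_LENGTH):
        raise InvalidTokenFormat("incorrect length")
    if _BAD_CHAR_RE.search(value):
        raise InvalidTokenFormat("invalid characters")


def secret_from_cookie(cookie_value):
    """Validated path: format check first, then unmask 64-char tokens."""
    check_token_format(cookie_value)
    if len(cookie_value) == CSRF_TOKEN_LENGTH:
        return unmask_token_unchecked(cookie_value)
    return cookie_value


def handle_request(cookies):
    """Hypothetical middleware hook: (status, reason) for the CSRF cookie.
    A missing cookie is fine (a fresh one would be issued); a malformed one
    is answered with 400 rather than surfacing as a 500."""
    raw = cookies.get("csrftoken")
    if raw is None:
        return 200, "no CSRF cookie; issue a new one"
    try:
        secret_from_cookie(raw)
    except InvalidTokenFormat as exc:
        return 400, "malformed CSRF cookie: %s" % exc
    return 200, "ok"


if __name__ == "__main__":
    print("unchecked path:", crash_message(MALFORMED_COOKIE))
    print("checked path:", handle_request({"csrftoken": MALFORMED_COOKIE}))
    token = mask_secret(new_secret(), new_secret())
    print("valid token:", handle_request({"csrftoken": token}))
```

The ordering is the point: every character of the cookie is checked against the alphabet before `index()` is ever called, so client-supplied garbage (quotes, spaces, `\054` escapes, pasted cookie attributes) is classified as a bad request instead of an exception that turns into a 500 on every request from that client.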