Re: [Django] #32571: CsrfViewMiddleware assumes referer header can be parsed

2021-03-19 Thread Django
#32571: CsrfViewMiddleware assumes referer header can be parsed
-+-
 Reporter:  Chris Jerdonek                  |  Owner:  AdamDonna
 Type:  Bug                                 |  Status:  closed
 Component:  CSRF                           |  Version:  3.1
 Severity:  Normal                          |  Resolution:  fixed
 Keywords:  referer,CSRF,CsrfViewMiddleware |  Triage Stage:  Ready for checkin
 Has patch:  1                              |  Needs documentation:  0
 Needs tests:  0                            |  Patch needs improvement:  0
 Easy pickings:  0                          |  UI/UX:  0
-+-
Changes (by Mariusz Felisiak ):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"e49fdfa405fcacb59d7ff2f321a7ddbc65dfc68b" e49fdfa4]:
 {{{
 #!CommitTicketReference repository=""
 revision="e49fdfa405fcacb59d7ff2f321a7ddbc65dfc68b"
 Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer
 header.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.9e86f90bcb64e78174ef5f2c4b28bb3b%40djangoproject.com.


Re: [Django] #32571: CsrfViewMiddleware assumes referer header can be parsed

2021-03-19 Thread Django
#32571: CsrfViewMiddleware assumes referer header can be parsed
-+-
 Reporter:  Chris Jerdonek                  |  Owner:  AdamDonna
 Type:  Bug                                 |  Status:  assigned
 Component:  CSRF                           |  Version:  3.1
 Severity:  Normal                          |  Resolution:
 Keywords:  referer,CSRF,CsrfViewMiddleware |  Triage Stage:  Ready for checkin
 Has patch:  1                              |  Needs documentation:  0
 Needs tests:  0                            |  Patch needs improvement:  0
 Easy pickings:  0                          |  UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * owner:  nobody => AdamDonna
 * status:  new => assigned
 * has_patch:  0 => 1
 * stage:  Accepted => Ready for checkin


Comment:

 Replying to [comment:4 AdamDonna]:
 > Great, I've got a PR up for this. Are there any docs that need to be
 > updated?
 > https://github.com/django/django/pull/14151

 No need, thanks.


Re: [Django] #32571: CsrfViewMiddleware assumes referer header can be parsed

2021-03-19 Thread Django
#32571: CsrfViewMiddleware assumes referer header can be parsed
-+-
 Reporter:  Chris Jerdonek                  |  Owner:  nobody
 Type:  Bug                                 |  Status:  new
 Component:  CSRF                           |  Version:  3.1
 Severity:  Normal                          |  Resolution:
 Keywords:  referer,CSRF,CsrfViewMiddleware |  Triage Stage:  Accepted
 Has patch:  0                              |  Needs documentation:  0
 Needs tests:  0                            |  Patch needs improvement:  0
 Easy pickings:  0                          |  UI/UX:  0
-+-

Comment (by AdamDonna):

 Great, I've got a PR up for this. Are there any docs that need to be
 updated?
 https://github.com/django/django/pull/14151


Re: [Django] #32571: CsrfViewMiddleware assumes referer header can be parsed

2021-03-19 Thread Django
#32571: CsrfViewMiddleware assumes referer header can be parsed
-+-
 Reporter:  Chris Jerdonek                  |  Owner:  nobody
 Type:  Bug                                 |  Status:  new
 Component:  CSRF                           |  Version:  3.1
 Severity:  Normal                          |  Resolution:
 Keywords:  referer,CSRF,CsrfViewMiddleware |  Triage Stage:  Accepted
 Has patch:  0                              |  Needs documentation:  0
 Needs tests:  0                            |  Patch needs improvement:  0
 Easy pickings:  0                          |  UI/UX:  0
-+-

Comment (by Mariusz Felisiak):

 Replying to [comment:2 AdamDonna]:
 > Should the response in this scenario be something like this line? Or
 > would a different response reason make more sense?
 > https://github.com/django/django/blob/45814af6197cfd8f4dc72ee43b90ecde305a1d5a/django/middleware/csrf.py#L248

 Yes, we should reject immediately.


Re: [Django] #32571: CsrfViewMiddleware assumes referer header can be parsed

2021-03-19 Thread Django
#32571: CsrfViewMiddleware assumes referer header can be parsed
-+-
 Reporter:  Chris Jerdonek                  |  Owner:  nobody
 Type:  Bug                                 |  Status:  new
 Component:  CSRF                           |  Version:  3.1
 Severity:  Normal                          |  Resolution:
 Keywords:  referer,CSRF,CsrfViewMiddleware |  Triage Stage:  Accepted
 Has patch:  0                              |  Needs documentation:  0
 Needs tests:  0                            |  Patch needs improvement:  0
 Easy pickings:  0                          |  UI/UX:  0
-+-

Comment (by AdamDonna):

 Should the response in this scenario be something like this line? Or would
 a different response reason make more sense?
 https://github.com/django/django/blob/45814af6197cfd8f4dc72ee43b90ecde305a1d5a/django/middleware/csrf.py#L248


Re: [Django] #32571: CsrfViewMiddleware assumes referer header can be parsed

2021-03-18 Thread Django
#32571: CsrfViewMiddleware assumes referer header can be parsed
-+-
 Reporter:  Chris Jerdonek                  |  Owner:  nobody
 Type:  Bug                                 |  Status:  new
 Component:  CSRF                           |  Version:  3.1
 Severity:  Normal                          |  Resolution:
 Keywords:  referer,CSRF,CsrfViewMiddleware |  Triage Stage:  Accepted
 Has patch:  0                              |  Needs documentation:  0
 Needs tests:  0                            |  Patch needs improvement:  0
 Easy pickings:  0                          |  UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * stage:  Unreviewed => Accepted



[Django] #32571: CsrfViewMiddleware assumes referer header can be parsed

2021-03-18 Thread Django
#32571: CsrfViewMiddleware assumes referer header can be parsed
-+-
 Reporter:  Chris Jerdonek                  |  Owner:  nobody
 Type:  Bug                                 |  Status:  new
 Component:  CSRF                           |  Version:  3.1
 Severity:  Normal                          |  Keywords:  referer,CSRF,CsrfViewMiddleware
 Triage Stage:  Unreviewed                  |  Has patch:  0
 Needs documentation:  0                    |  Needs tests:  0
 Patch needs improvement:  0                |  Easy pickings:  0
 UI/UX:  0                                  |
-+-
 Django's `CsrfViewMiddleware` assumes that the HTTP referer header is
 valid when checking it. Specifically, it doesn't handle the case of
 `urlparse()` raising a `ValueError` in this line (e.g. for URLs like
 `'https://['`):
 https://github.com/django/django/blob/45814af6197cfd8f4dc72ee43b90ecde305a1d5a/django/middleware/csrf.py#L244

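The failure mode in the report above, and the "reject immediately" outcome agreed in the comments, as an added illustration that is not Django's code: a simplified stand-in for the Referer check with the pre-fix behaviour (the `ValueError` from `urlparse()` escapes and becomes a server error) next to the hardened form that treats an unparseable Referer like any other failed check. The function names, the `_compare()` helper, the `REASON_*` strings and the host-matching rule are constructed for this example and simplify what the real middleware does.

```python
# Added illustration, not Django's code: simplified stand-in for the Referer
# check in CsrfViewMiddleware; names and REASON_* strings are constructed.
from urllib.parse import urlparse

REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def _compare(parsed, referer, host, trusted_hosts):
    # A usable Referer needs both a scheme and a host part.
    if "" in (parsed.scheme, parsed.netloc):
        return False, REASON_MALFORMED_REFERER
    # Simplification: every request is treated as https, so the Referer must
    # be https too; the real middleware only requires that for secure requests.
    if parsed.scheme != "https":
        return False, REASON_INSECURE_REFERER
    if parsed.netloc != host and parsed.netloc not in trusted_hosts:
        return False, REASON_BAD_REFERER % referer
    return True, None


def check_referer_before(referer, host, trusted_hosts=()):
    """Pre-fix behaviour: the ValueError that urlparse() raises for a value
    such as 'https://[' (invalid IPv6 literal) escapes the check."""
    parsed = urlparse(referer)
    return _compare(parsed, referer, host, trusted_hosts)


def check_referer_after(referer, host, trusted_hosts=()):
    """Hardened behaviour: an unparseable Referer is rejected immediately,
    returning (False, reason) like every other failed Referer check."""
    if referer is None:
        return False, REASON_NO_REFERER
    try:
        parsed = urlparse(referer)
    except ValueError:
        return False, REASON_MALFORMED_REFERER
    return _compare(parsed, referer, host, trusted_hosts)


def process_request(headers, host, check=check_referer_after):
    """Middleware-style wrapper returning an HTTP status: 403 for a rejected
    Referer, 500 when the check itself raises (the symptom reported here)."""
    try:
        ok, _reason = check(headers.get("Referer"), host)
    except ValueError:
        return 500
    return 200 if ok else 403
```

With the hardened check a request carrying `Referer: https://[` gets the same 403 as any other bad Referer instead of a 500, which also keeps such requests visible in the CSRF-failure logs rather than the error tracker.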