mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-03-28 10:10:45 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.

Browse Source 
Thanks to edevil for the report and saz for the patch.
This commit is contained in:
Florian Apolloner 2013-05-18 12:32:47 +02:00
parent 9012a9e200
commit 051cb1f4c6
2 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
django/utils/http.py
View File

@ -226,7 +226,10 @@ def same_origin(url1, url2):
Checks if two URLs are 'same-origin' Checks if two URLs are 'same-origin'
""" """
p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2) p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2)
return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port) try:
return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)
except ValueError:
return False
def is_safe_url(url, host=None): def is_safe_url(url, host=None):
""" """

13
tests/csrf_tests/tests.py
View File

@ -283,6 +283,19 @@ class CsrfViewMiddlewareTest(TestCase):
self.assertNotEqual(None, req2) self.assertNotEqual(None, req2)
self.assertEqual(403, req2.status_code) self.assertEqual(403, req2.status_code)
@override_settings(ALLOWED_HOSTS=['www.example.com'])
def test_https_malformed_referer(self):
"""
Test that a POST HTTPS request with a bad referer is rejected
"""
req = self._get_POST_request_with_token()
req._is_secure_override = True
req.META['HTTP_HOST'] = 'www.example.com'
req.META['HTTP_REFERER'] = 'http://http://www.example.com/'
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertNotEqual(None, req2)
self.assertEqual(403, req2.status_code)
@override_settings(ALLOWED_HOSTS=['www.example.com']) @override_settings(ALLOWED_HOSTS=['www.example.com'])
def test_https_good_referer(self): def test_https_good_referer(self):
""" """