Use referer checking in absence of origin header

Instead of doing checks for both the origin and referer headers all the
time, do referer checks only when the origin header is absent.

Given the purpose of the origin header, it can be relied upon at least
to a level equivalent to (or even greater than) that of the referer header.

Signed-off-by: Rohan Jain <crodjer@gmail.com>
commit 97733cea93a76e3ad5f60d1f174e6ff2afcd1577 1 parent cd6d781
@crodjer authored
Showing with 27 additions and 26 deletions.
  1. +27 −26 django/middleware/csrf.py
53 django/middleware/csrf.py
@@ -135,34 +135,35 @@ def process_view(self, request, callback, callback_args, callback_kwargs):
)
return self._reject(request, reason)
+ else:
+ # Do a strict referer check in case an origin check succeds.
+ # As far as CSRF is concerned, attackers who are in a position
+ # to perform CSRF attack are not in a position to fake referer
+ # headers.
+
+ referer = request.META.get('HTTP_REFERER')
+ if referer is None:
+ logger.warning('Forbidden (%s): %s',
+ REASON_NO_REFERER, request.path,
+ extra={
+ 'status_code': 403,
+ 'request': request,
+ }
+ )
+ return self._reject(request, REASON_NO_REFERER)
- # Do a strict referer check in case an origin check succeds.
- # As far as CSRF is concerned, attackers who are in a position to
- # perform CSRF attack are not in a position to fake referer headers.
- referer = request.META.get('HTTP_REFERER')
- if referer is None:
- logger.warning('Forbidden (%s): %s',
- REASON_NO_REFERER, request.path,
- extra={
- 'status_code': 403,
- 'request': request,
- }
- )
-
- return self._reject(request, REASON_NO_REFERER)
-
- # Make sure that the http referer matches the permitted domains
- # pattern.
- if not domain_permitted(referer, permitted_domains):
- reason = REASON_BAD_REFERER % (referer)
- logger.warning('Forbidden (%s): %s', reason, request.path,
- extra={
- 'status_code': 403,
- 'request': request,
- }
- )
- return self._reject(request, reason)
+ # Make sure that the http referer matches the permitted domains
+ # pattern.
+ if not domain_permitted(referer, permitted_domains):
+ reason = REASON_BAD_REFERER % (referer)
+ logger.warning('Forbidden (%s): %s', reason, request.path,
+ extra={
+ 'status_code': 403,
+ 'request': request,
+ }
+ )
+ return self._reject(request, reason)
# Legacy token checking method.
# TODO: Handle this with permitted domains. Cookies won't work
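Review bot: the comment carried over into the new `else:` branch, `# Do a strict referer check in case an origin check succeds.`, now misdescribes the code it sits above: with this change the referer check runs only in the branch taken when no origin check fired (the commit message says "only when the origin header is absent"), not when an origin check succeeds, so the comment should be rewritten to state that condition, and "succeds" corrected to "succeeds". The follow-on rationale (attackers in a position to perform CSRF are not in a position to fake referer headers) still holds for the fallback and can stay as the justification for rejecting on `REASON_NO_REFERER` and `REASON_BAD_REFERER` in this branch.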
