Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.

Thanks to edevil for the report and saz for the patch.
commit 051cb1f4c60ac8e7087d92ef34ed41e6684d8b9b 1 parent 9012a9e
@apollo13 apollo13 authored
Showing with 17 additions and 1 deletion.
  1. +4 −1 django/utils/http.py
  2. +13 −0 tests/csrf_tests/tests.py
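--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -226,7 +226,10 @@ def same_origin(url1, url2):
     Checks if two URLs are 'same-origin'
     """
     p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2)
-    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)
+    try:
+        return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)
+    except ValueError:
+        return False
 def is_safe_url(url, host=None):
     """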
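Review bot: The new `try:` starts one line too late — the `urllib_parse.urlparse()` calls on the preceding context line remain outside it, and `urlparse` itself raises `ValueError` for a netloc with an unbalanced IPv6 bracket, so such a Referer would still surface as an unhandled exception rather than the 403 this commit is aiming for. Moving the assignment under the `try:` covers both the parse and the `.port` access: `try:` / `    p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2)` / `    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)`. A why-comment on the `except ValueError:` line would also help the next reader, e.g. `# .port raises ValueError when the netloc carries a non-numeric port`. same_origin's signature and the first docstring line are outside the hunk.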
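--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -284,6 +284,19 @@ def test_https_bad_referer(self):
         self.assertEqual(403, req2.status_code)
     @override_settings(ALLOWED_HOSTS=['www.example.com'])
+    def test_https_malformed_referer(self):
+        """
+        Test that a POST HTTPS request with a bad referer is rejected
+        """
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = 'www.example.com'
+        req.META['HTTP_REFERER'] = 'http://http://www.example.com/'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertNotEqual(None, req2)
+        self.assertEqual(403, req2.status_code)
+
+    @override_settings(ALLOWED_HOSTS=['www.example.com'])
     def test_https_good_referer(self):
         """
         Test that a POST HTTPS request with a good referer is accepted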
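Review bot: The docstring on `test_https_malformed_referer` says "with a bad referer", the same wording as the neighbouring `test_https_bad_referer`, and so hides what distinguishes this test — the referer is syntactically invalid rather than merely from another origin. Suggest `Test that a POST HTTPS request with a malformed referer is rejected`. A short comment on the `HTTP_REFERER` line would also record why this particular value matters, e.g. `# doubled scheme leaves a malformed netloc that previously made urlparse's .port raise` (presumably the failure the fix targets; worth confirming against the ticket). The enclosing test class and its helpers start outside the hunk.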