Fixed #24496 -- Checked CSRF Referer against CSRF_COOKIE_DOMAIN.

django/http/request.py

@@ -16,6 +16,7 @@
 from django.utils.encoding import (
     escape_uri_path, force_bytes, force_str, force_text, iri_to_uri,
 )
+from django.utils.http import is_same_domain
 from django.utils.six.moves.urllib.parse import (
     parse_qsl, quote, urlencode, urljoin, urlsplit,
 )
@@ -527,15 +528,7 @@ def validate_host(host, allowed_hosts):
     host = host[:-1] if host.endswith('.') else host
 
     for pattern in allowed_hosts:
-        pattern = pattern.lower()
-        match = (
-            pattern == '*' or
-            pattern.startswith('.') and (
-                host.endswith(pattern) or host == pattern[1:]
-            ) or
-            pattern == host
-        )
-        if match:
+        if pattern == '*' or is_same_domain(host, pattern):
             return True
 
     return False

django/middleware/csrf.py

@@ -14,14 +14,17 @@
 from django.utils.cache import patch_vary_headers
 from django.utils.crypto import constant_time_compare, get_random_string
 from django.utils.encoding import force_text
-from django.utils.http import same_origin
+from django.utils.http import is_same_domain
+from django.utils.six.moves.urllib.parse import urlparse
 
 logger = logging.getLogger('django.request')
 
 REASON_NO_REFERER = "Referer checking failed - no Referer."
 REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
 REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
 REASON_BAD_TOKEN = "CSRF token missing or incorrect."
+REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
+REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
 
 CSRF_KEY_LENGTH = 32
 
@@ -154,9 +157,28 @@ def process_view(self, request, callback, callback_args, callback_kwargs):
                 if referer is None:
                     return self._reject(request, REASON_NO_REFERER)
 
-                # Note that request.get_host() includes the port.
-                good_referer = 'https://%s/' % request.get_host()
-                if not same_origin(referer, good_referer):
+                referer = urlparse(referer)
+
+                # Make sure we have a valid URL for Referer.
+                if '' in (referer.scheme, referer.netloc):
+                    return self._reject(request, REASON_MALFORMED_REFERER)
+
+                # Ensure that our Referer is also secure.
+                if referer.scheme != 'https':
+                    return self._reject(request, REASON_INSECURE_REFERER)
+
+                # If there isn't a CSRF_COOKIE_DOMAIN, assume we need an exact
+                # match on host:port. If not, obey the cookie rules.
+                if settings.CSRF_COOKIE_DOMAIN is None:
+                    # request.get_host() includes the port.
+                    good_referer = request.get_host()
+                else:
+                    good_referer = settings.CSRF_COOKIE_DOMAIN
+                    server_port = request.META['SERVER_PORT']
+                    if server_port not in ('443', '80'):
+                        good_referer = '%s:%s' % (good_referer, server_port)
+
+                if not is_same_domain(referer.netloc, good_referer):
                     reason = REASON_BAD_REFERER % (referer, good_referer)
                     return self._reject(request, reason)
 

django/utils/http.py

@@ -253,18 +253,24 @@ def quote_etag(etag):
     return '"%s"' % etag.replace('\\', '\\\\').replace('"', '\\"')
 
 
-def same_origin(url1, url2):
+def is_same_domain(host, pattern):
     """
-    Checks if two URLs are 'same-origin'
+    Return ``True`` if the host is either an exact match or a match
+    to the wildcard pattern.
+
+    Any pattern beginning with a period matches a domain and all of its
+    subdomains. (e.g. ``.example.com`` matches ``example.com`` and
+    ``foo.example.com``). Anything else is an exact string match.
     """
-    p1, p2 = urlparse(url1), urlparse(url2)
-    try:
-        o1 = (p1.scheme, p1.hostname, p1.port or PROTOCOL_TO_PORT[p1.scheme])
-        o2 = (p2.scheme, p2.hostname, p2.port or PROTOCOL_TO_PORT[p2.scheme])
-        return o1 == o2
-    except (ValueError, KeyError):
+    if not pattern:
         return False
 
+    pattern = pattern.lower()
+    return (
+        pattern[0] == '.' and (host.endswith(pattern) or host == pattern[1:]) or
+        pattern == host
+    )
+
 
 def is_safe_url(url, host=None):
     """

docs/ref/csrf.txt

@@ -257,9 +257,14 @@ The CSRF protection is based on the following things:
    due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted
    by clients that are talking to a site under HTTPS.  (Referer checking is not
    done for HTTP requests because the presence of the Referer header is not
-   reliable enough under HTTP.)
-
-This ensures that only forms that have originated from your Web site can be used
+   reliable enough under HTTP.)  The referer is compared against the
+   :setting:`CSRF_COOKIE_DOMAIN` setting.  The :setting:`CSRF_COOKIE_DOMAIN`
+   setting supports subdomains.  For example, ".example.com" will allow
+   post requests from "www.example.com" and "api.example.com." If
+   :setting:`CSRF_COOKIE_DOMAIN` is not set, the referer must match the
+   ``Host`` header.
+
+This ensures that only forms that have originated from trusted domains can be used
 to POST data back.
 
 It deliberately ignores GET requests (and other requests that are defined as

tests/csrf_tests/tests.py

@@ -304,6 +304,7 @@ def test_https_bad_referer(self):
         req._is_secure_override = True
         req.META['HTTP_HOST'] = 'www.example.com'
         req.META['HTTP_REFERER'] = 'https://www.evil.org/somepage'
+        req.META['SERVER_PORT'] = '443'
         req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
         self.assertIsNotNone(req2)
         self.assertEqual(403, req2.status_code)
@@ -325,6 +326,20 @@ def test_https_malformed_referer(self):
         req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
         self.assertIsNotNone(req2)
         self.assertEqual(403, req2.status_code)
+        # missing scheme
+        # >>> urlparse('//example.com/')
+        # ParseResult(scheme='', netloc='example.com', path='/', params='', query='', fragment='')
+        req.META['HTTP_REFERER'] = '//example.com/'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertIsNotNone(req2)
+        self.assertEqual(403, req2.status_code)
+        # missing netloc
+        # >>> urlparse('https://')
+        # ParseResult(scheme='https', netloc='', path='', params='', query='', fragment='')
+        req.META['HTTP_REFERER'] = 'https://'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertIsNotNone(req2)
+        self.assertEqual(403, req2.status_code)
 
     @override_settings(ALLOWED_HOSTS=['www.example.com'])
     def test_https_good_referer(self):
@@ -352,6 +367,57 @@ def test_https_good_referer_2(self):
         req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
         self.assertIsNone(req2)
 
+    @override_settings(
+        ALLOWED_HOSTS=['www.example.com'],
+        CSRF_COOKIE_DOMAIN='.example.com',
+    )
+    def test_https_good_referer_matches_cookie_domain(self):
+        """
+        A POST HTTPS request with a good referer should be accepted from a
+        subdomain that's allowed by CSRF_COOKIE_DOMAIN.
+        """
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = 'www.example.com'
+        req.META['HTTP_REFERER'] = 'https://foo.example.com/'
+        req.META['SERVER_PORT'] = '443'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertIsNone(req2)
+
+    @override_settings(
+        ALLOWED_HOSTS=['www.example.com'],
+        CSRF_COOKIE_DOMAIN='.example.com',
+    )
+    def test_https_good_referer_matches_cookie_domain_with_different_port(self):
+        """
+        A POST HTTPS request with a good referer should be accepted from a
+        subdomain that's allowed by CSRF_COOKIE_DOMAIN and a non-443 port.
+        """
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = 'www.example.com'
+        req.META['HTTP_REFERER'] = 'https://foo.example.com:4443/'
+        req.META['SERVER_PORT'] = '4443'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertIsNone(req2)
+
+    @override_settings(
+        ALLOWED_HOSTS=['www.example.com'],
+        CSRF_COOKIE_DOMAIN='.example.com',
+    )
+    def test_https_reject_insecure_referer(self):
+        """
+        A POST HTTPS request from an insecure referer should be rejected.
+        """
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = 'www.example.com'
+        req.META['HTTP_REFERER'] = 'http://example.com/'
+        req.META['SERVER_PORT'] = '443'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertIsNotNone(req2)
+        self.assertEqual(403, req2.status_code)
+
     def test_ensures_csrf_cookie_no_middleware(self):
         """
         Tests that ensures_csrf_cookie decorator fulfils its promise

tests/utils_tests/test_http.py

@@ -10,31 +10,6 @@
 
 class TestUtilsHttp(unittest.TestCase):
 
-    def test_same_origin_true(self):
-        # Identical
-        self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com/'))
-        # One with trailing slash - see #15617
-        self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com/'))
-        self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com'))
-        # With port
-        self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/'))
-        # No port given but according to RFC6454 still the same origin
-        self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com:80/'))
-        self.assertTrue(http.same_origin('https://foo.com', 'https://foo.com:443/'))
-
-    def test_same_origin_false(self):
-        # Different scheme
-        self.assertFalse(http.same_origin('http://foo.com', 'https://foo.com'))
-        # Different host
-        self.assertFalse(http.same_origin('http://foo.com', 'http://goo.com'))
-        # Different host again
-        self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com'))
-        # Different port
-        self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001'))
-        # No port given
-        self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com:8000/'))
-        self.assertFalse(http.same_origin('https://foo.com', 'https://foo.com:8000/'))
-
     def test_urlencode(self):
         # 2-tuples (the norm)
         result = http.urlencode((('a', 1), ('b', 2), ('c', 3)))
@@ -157,6 +132,25 @@ def test_urlquote(self):
             http.urlunquote_plus('Paris+&+Orl%C3%A9ans'),
             'Paris & Orl\xe9ans')
 
+    def test_is_same_domain_good(self):
+        for pair in (
+            ('example.com', 'example.com'),
+            ('example.com', '.example.com'),
+            ('foo.example.com', '.example.com'),
+            ('example.com:8888', 'example.com:8888'),
+            ('example.com:8888', '.example.com:8888'),
+            ('foo.example.com:8888', '.example.com:8888'),
+        ):
+            self.assertTrue(http.is_same_domain(*pair))
+
+    def test_is_same_domain_bad(self):
+        for pair in (
+            ('example2.com', 'example.com'),
+            ('foo.example.com', 'example.com'),
+            ('example.com:9999', 'example.com:8888'),
+        ):
+            self.assertFalse(http.is_same_domain(*pair))
+
 
 class ETagProcessingTests(unittest.TestCase):
     def test_parsing(self):