	Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.
Thanks to edevil for the report and saz for the patch.
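--- a/<PATH-NOT-ON-PAGE-1>
+++ b/<PATH-NOT-ON-PAGE-1>
@@ -226,7 +226,10 @@ def same_origin(url1, url2):
     Checks if two URLs are 'same-origin'
     """
     p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2)
-    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)
+    try:
+        return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)
+    except ValueError:
+        return False
 
 def is_safe_url(url, host=None):
     """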
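Review bot: The new `try:` guards only the attribute comparison, while the `urllib_parse.urlparse(...)` call on the line above it stays outside the guard, so a referer that urlparse itself rejects (urlsplit raises ValueError for a netloc with an unbalanced IPv6 bracket, e.g. `http://[::1`) can still escape same_origin as an exception rather than being treated as a failed check. Since the commit's intent is that a malformed referer can never blow up the same-origin check, move `p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2)` inside the `try:` so that both parsing and the comparison fail closed with `return False`. A short comment on the except, `# a URL that cannot be parsed (bad port, bad IPv6 literal) is never same-origin`, would record why ValueError is the only exception handled. same_origin's signature and the start of its docstring are outside the hunk.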
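--- a/<PATH-NOT-ON-PAGE-2>
+++ b/<PATH-NOT-ON-PAGE-2>
@@ -283,6 +283,19 @@ class CsrfViewMiddlewareTest(TestCase):
         self.assertNotEqual(None, req2)
         self.assertEqual(403, req2.status_code)
 
+    @override_settings(ALLOWED_HOSTS=['www.example.com'])
+    def test_https_malformed_referer(self):
+        """
+        Test that a POST HTTPS request with a bad referer is rejected
+        """
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = 'www.example.com'
+        req.META['HTTP_REFERER'] = 'http://http://www.example.com/'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertNotEqual(None, req2)
+        self.assertEqual(403, req2.status_code)
+
     @override_settings(ALLOWED_HOSTS=['www.example.com'])
     def test_https_good_referer(self):
         """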
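Review bot: The assertions in test_https_malformed_referer would pass even if the new except branch in same_origin were never reached, because a referer whose hostname parses as `http` already fails the comparison against `www.example.com` and yields the same 403. Whether `'http://http://www.example.com/'` actually raises inside `.port` depends on the urlparse implementation (some versions map an empty port to None instead of raising), so on those interpreters the test does not exercise the ValueError path at all. Consider making the intent explicit in the docstring, `A POST HTTPS request whose referer urlparse cannot handle is rejected with 403 rather than raising`, and adding a second case with a non-numeric port such as `'https://www.example.com:abc/'` (constructed example), which fails on port access in every version. The enclosing class CsrfViewMiddlewareTest starts and ends outside the hunk.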