Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).

2025-10-24 14:16:09 +00:00 · 2016-01-18 15:04:41 +01:00
parent a1fba4e843
commit 2d28144c95
3 changed files with 21 additions and 1 deletions
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -375,6 +375,23 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
        self.assertIsNone(req2)

+    @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True)
+    def test_https_good_referer_behind_proxy(self):
+        """
+        A POST HTTPS request is accepted when USE_X_FORWARDED_PORT=True.
+        """
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META.update({
+            'HTTP_HOST': '10.0.0.2',
+            'HTTP_REFERER': 'https://www.example.com/somepage',
+            'SERVER_PORT': '8080',
+            'HTTP_X_FORWARDED_HOST': 'www.example.com',
+            'HTTP_X_FORWARDED_PORT': '443',
+        })
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertIsNone(req2)
+
    @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['dashboard.example.com'])
    def test_https_csrf_trusted_origin_allowed(self):
        """