Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header.

2025-10-24 06:06:09 +00:00 · 2021-03-19 20:42:05 +11:00
parent 474cc420bf
commit e49fdfa405
2 changed files with 10 additions and 1 deletions
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -353,6 +353,12 @@ class CsrfViewMiddlewareTestMixin:
        req.META['HTTP_REFERER'] = 'https://'
        response = mw.process_view(req, post_form_view, (), {})
        self.assertContains(response, malformed_referer_msg, status_code=403)
+        # Invalid URL
+        # >>> urlparse('https://[')
+        # ValueError: Invalid IPv6 URL
+        req.META['HTTP_REFERER'] = 'https://['
+        response = mw.process_view(req, post_form_view, (), {})
+        self.assertContains(response, malformed_referer_msg, status_code=403)

    @override_settings(ALLOWED_HOSTS=['www.example.com'])
    def test_https_good_referer(self):