#19778: csrf middleware report BAD_REFERER when HTTP_HOST contains port
--------------------------------+--------------------
Reporter: jens.tinfors@… | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.csrf | Version: 1.4
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------
For a given request with the HTTP_HOST header set to 'www.example.com:443'
and the HTTP_REFERER set to 'https://www.example.com/somepage', the
same_origin check will report REASON_BAD_REFERER due to the fact that HOST has
a port and REFERER does not. Perhaps, as in my case, a less competent
firewall has tampered with the request on its way to the server.
Here's a failing test (that I added to
tests/regressiontests/csrf_tests/tests.py):
{{{
    def test_https_good_referer_with_port(self):
        req = self._get_POST_request_with_token()
        req._is_secure_override = True
        req.META['HTTP_HOST'] = 'www.example.com:443'
        req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
        self.assertEqual(None, req2)
}}}
I know the port is a valid part of the same_origin check but I'm thinking
that if it's missing from REFERER, the scheme is https and HTTP_HOST uses
the default port, maybe we can skip the port from the same_origin check.
What do you think?
Incidentally, if I set a port number on the HTTP_REFERER the test still
fails:
{{{
    def test_https_good_referer_with_port(self):
        req = self._get_POST_request_with_token()
        req._is_secure_override = True
        req.META['HTTP_HOST'] = 'www.example.com:443'
        req.META['HTTP_REFERER'] = 'https://www.example.com/somepage:443'
        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
        self.assertEqual(None, req2)
}}}
kind regards /jens
--
Ticket URL: <https://code.djangoproject.com/ticket/19778>
Django <https://code.djangoproject.com/>
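The comparison the ticket is about, worked through as an added example. This is not Django's code and not the reporter's: it is a stand-alone illustration of why a scheme-plus-netloc comparison rejects 'www.example.com:443' against a referer without a port, and of the default-port normalisation (80 for http, 443 for https) that makes the two compare as the same origin while still rejecting a different scheme, host or non-default port. The function names (origin, same_origin_naive, same_origin, referer_ok), the DEFAULT_PORTS table and the sample URLs are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the port implied by each scheme when the URL
# or Host header carries none. Any other scheme is treated as unknown.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, hostname, port) for url, filling in the default port.

    Returns None when no origin can be derived: missing scheme or host, a
    non-numeric port, or a scheme with no known default port.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname          # lower-cased; IPv6 brackets stripped
        port = parts.port              # ValueError on a non-numeric port
    except ValueError:
        return None
    if not scheme or not host:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
        if port is None:
            return None
    return (scheme, host, port)


def same_origin_naive(url1, url2):
    """Compare scheme and the raw netloc string, with no port normalisation.

    This is the behaviour the ticket reports: 'host:443' and 'host' differ.
    """
    p1, p2 = urlsplit(url1), urlsplit(url2)
    return (p1.scheme.lower(), p1.netloc.lower()) == (p2.scheme.lower(), p2.netloc.lower())


def same_origin(url1, url2):
    """Compare (scheme, host, port) after default-port normalisation."""
    o1, o2 = origin(url1), origin(url2)
    return o1 is not None and o1 == o2


def referer_ok(host_header, referer, is_secure=True):
    """Run the referer check the way a CSRF middleware would for an https POST.

    host_header is the raw Host header value (may include a port); referer is
    the Referer header. Only secure requests are subject to the check here.
    """
    if not is_secure:
        return True
    good_referer = "https://%s/" % host_header
    return same_origin(referer, good_referer)


if __name__ == "__main__":
    host = "www.example.com:443"
    ref = "https://www.example.com/somepage"
    print("naive:     ", same_origin_naive(ref, "https://%s/" % host))   # False
    print("normalised:", referer_ok(host, ref))                           # True
```

Note that in the ticket's second test the ':443' sits after the path, so urlsplit leaves the netloc as 'www.example.com'; the normalised check accepts it for the same reason as the first case, not because the port was read from the path. A mismatched scheme, host or explicit non-default port is still rejected.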