#23800: Middleware CSRF validation is unclear for PUT and DELETE
------------------------------+--------------------
     Reporter:  MarkLC        |      Owner:  nobody
         Type:  Bug           |     Status:  new
    Component:  contrib.csrf  |    Version:  master
     Severity:  Normal        |   Keywords:
 Triage Stage:  Unreviewed    |  Has patch:  0
Easy pickings:  0             |      UI/UX:  0
------------------------------+--------------------
 This may be a duplicate of https://code.djangoproject.com/ticket/23040,
 depending on whether it's a bug or just that some of the comments in
 middleware/csrf.py are a bit unclear.

 To reproduce this bug, make a PUT or DELETE request to an endpoint on
 which you are using the csrf_exempt decorator (in my use case it's not from
 the browser but from a component using its own Basic Auth with Django) and
 you will get a 403.

 This is due to code at line 161 of the process_view function in
 middleware/csrf.py, which checks if the cookie is missing and, if so,
 rejects the request. The comments say that it is for POST requests only,
 so I'm unsure whether the intention was for PUT and DELETE to fall under
 that category, in which case I can add a patch to make the comments
 explicitly mention PUT and DELETE. Otherwise I will add a patch so that
 PUT and DELETE are allowed through to the view, which is only a few lines.

 Can anyone clarify for me whether it is by intention that PUT and DELETE
 also fail here if they don't have a CSRF cookie set?

 Thanks

--
Ticket URL: <https://code.djangoproject.com/ticket/23800>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
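To make the question in the ticket concrete, the following is an added example, written for this page and not code from Django's middleware/csrf.py or from the reporter. It is a hand-written model of the decision flow the ticket describes: the cookie check runs for every request method outside the safe set (GET, HEAD, OPTIONS, TRACE), so PUT and DELETE are treated exactly like POST, and a csrf_exempt view short-circuits the check before any method is looked at. The only POST-specific step is reading csrfmiddlewaretoken from the form body; other methods can only supply the token via the X-CSRFToken header. The Request class, csrf_decision and run_matrix are my own names; the cookie name "csrftoken", the header "X-CSRFToken" and the form field "csrfmiddlewaretoken" are Django's defaults. Authentication (Basic Auth or otherwise) is not an input to this check at all.

```python
"""Model of the CsrfViewMiddleware.process_view decision flow.

Illustration only: this is not Django's code. Read middleware/csrf.py
for the authoritative behaviour (referer checks on HTTPS etc. are omitted).
"""
import hmac
from dataclasses import dataclass, field

# Methods the middleware never validates. Everything else (POST, PUT,
# DELETE, PATCH, ...) goes through the cookie + token comparison.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

COOKIE_NAME = "csrftoken"           # Django's default CSRF_COOKIE_NAME
HEADER_NAME = "X-CSRFToken"         # header used for non-form submissions
FORM_FIELD = "csrfmiddlewaretoken"  # form field, only read for POST

REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


@dataclass
class Request:
    """Constructed stand-in for HttpRequest with only what the check needs."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)     # parsed form body
    headers: dict = field(default_factory=dict)  # e.g. {"X-CSRFToken": "..."}


def csrf_decision(request, view_is_exempt=False):
    """Return ("accept", None) or ("reject", reason) for one request.

    view_is_exempt models a view decorated with @csrf_exempt: the
    middleware returns before looking at the method or the cookie.
    """
    cookie_token = request.cookies.get(COOKIE_NAME)

    if view_is_exempt:
        return ("accept", None)

    if request.method in SAFE_METHODS:
        return ("accept", None)

    # From here on the method is "unsafe". A missing cookie is rejected
    # outright; this is the branch the ticket refers to, and it is not
    # limited to POST.
    if cookie_token is None:
        return ("reject", REASON_NO_CSRF_COOKIE)

    submitted = ""
    if request.method == "POST":
        # Only POST has a form body the token can be read from.
        submitted = request.post.get(FORM_FIELD, "")
    if submitted == "":
        # PUT/DELETE (and POST without a form field) must use the header.
        submitted = request.headers.get(HEADER_NAME, "")

    if not hmac.compare_digest(submitted, cookie_token):
        return ("reject", REASON_BAD_TOKEN)
    return ("accept", None)


def run_matrix():
    """Evaluate the cases from the ticket; returns {label: (outcome, reason)}."""
    token = "constructed-token-value"
    cases = {
        "PUT, no cookie, normal view": (Request("PUT"), False),
        "DELETE, no cookie, normal view": (Request("DELETE"), False),
        "PUT, no cookie, csrf_exempt view": (Request("PUT"), True),
        "PUT, cookie + header, normal view": (
            Request("PUT", cookies={COOKIE_NAME: token},
                    headers={HEADER_NAME: token}), False),
        "DELETE, cookie, wrong header": (
            Request("DELETE", cookies={COOKIE_NAME: token},
                    headers={HEADER_NAME: "not-the-token"}), False),
        "POST, cookie + form field": (
            Request("POST", cookies={COOKIE_NAME: token},
                    post={FORM_FIELD: token}), False),
    }
    return {label: csrf_decision(req, exempt)
            for label, (req, exempt) in cases.items()}


if __name__ == "__main__":
    for label, (outcome, reason) in run_matrix().items():
        print(f"{label:40s} -> {outcome}" + (f" ({reason})" if reason else ""))
```

Running the module prints one line per case; the two "no cookie, normal view" rows for PUT and DELETE come back rejected with the "CSRF cookie not set." reason, which is the behaviour the ticket asks about, while the csrf_exempt row is accepted without the cookie ever being consulted.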
