#23815: CsrfViewMiddleware UnicodeDecodeError
-------------------------+-------------------------------------------------
 Reporter:      codeitloadit    | Owner:      nobody
 Type:          Uncategorized   | Status:     new
 Component:     HTTP handling   | Version:    1.6
 Severity:      Normal          | Keywords:   middleware CsrfViewMiddleware UnicodeDecodeError
 Triage Stage:  Unreviewed      | Has patch:  0
 Easy pickings: 0               | UI/UX:      0
-------------------------+-------------------------------------------------
The CSRF middleware is raising an exception when the HTTP_REFERER contains
non-ASCII characters. Since this code is attempting to validate the
referer, I would expect these requests to just be rejected and return 403.
Here is the code in `django/middleware/csrf.py`:
{{{
referer = request.META.get('HTTP_REFERER')
if referer is None:
    return self._reject(request, REASON_NO_REFERER)

# Note that request.get_host() includes the port.
good_referer = 'https://%s/' % request.get_host()
if not same_origin(referer, good_referer):
    reason = REASON_BAD_REFERER % (referer, good_referer)
    return self._reject(request, reason)
}}}
This issue is very similar to
[https://code.djangoproject.com/ticket/20356] which was patched by
[https://github.com/django/django/commit/8fd44b2551b9cca765b216a31306f9c6935f1492]
which just encodes the referer like so:
{{{
referer = force_text(request.META.get('HTTP_REFERER', ''),
                     errors='replace')
}}}
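To show the failure mode and the behaviour the reporter expects, here is an added, stand-alone model of the referer check (not Django's own code): `force_text`, `same_origin` and `check_referer` are simplified stand-ins, `meta` is a constructed dict standing in for `request.META`, and a Python 2 style byte-string Referer is modelled as `bytes`.

```python
from urllib.parse import urlparse

REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."


def force_text(value, errors="strict"):
    """Decode bytes to str. With errors='replace' an undecodable byte becomes
    U+FFFD instead of raising UnicodeDecodeError (the approach of the #20356
    fix). With the default errors='strict' a non-ASCII/invalid Referer
    would blow up here, which is the bug this ticket reports."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors)
    return value


def same_origin(url1, url2):
    """Same-origin means scheme, host and port all match. A malformed port
    makes urlparse raise ValueError; treat that as 'not the same origin'
    rather than letting the exception escape to a 500."""
    try:
        p1, p2 = urlparse(url1), urlparse(url2)
        return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)
    except ValueError:
        return False


def check_referer(meta, host):
    """Mirror of the middleware logic. Returns (accepted, reason); a missing,
    non-ASCII or undecodable Referer yields a 403 reason, never an exception."""
    raw = meta.get("HTTP_REFERER")
    if raw is None:
        return False, REASON_NO_REFERER
    # Decode before formatting it into the reason string, so the '%s'
    # interpolation below never has to coerce raw bytes.
    referer = force_text(raw, errors="replace")
    good_referer = "https://%s/" % host   # request.get_host() includes the port
    if not same_origin(referer, good_referer):
        return False, REASON_BAD_REFERER % (referer, good_referer)
    return True, None


if __name__ == "__main__":
    # Constructed sample headers: one ASCII match, one non-ASCII cross-origin
    # referer, one with a byte that is not valid UTF-8 at all.
    for hdr in (b"https://example.com/page",
                b"https://other.example/caf\xc3\xa9",
                b"https://other.example/\xff"):
        print(hdr, "->", check_referer({"HTTP_REFERER": hdr}, "example.com"))
```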
--
Ticket URL: <https://code.djangoproject.com/ticket/23815>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.