#23815: CsrfViewMiddleware UnicodeDecodeError
-------------------------------------+-------------------------------------
     Reporter:  codeitloadit         |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  HTTP handling        |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:  middleware           |             Triage Stage:  Accepted
  CsrfViewMiddleware                 |
  UnicodeDecodeError                 |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by living180):

 I was able to reproduce with Django 1.7.2/Python 2.7.9.  Reproducing
 requires accessing Django using HTTPS, because the affected code is behind
 `if request.is_secure():`.  To achieve this, I used the `django-sslserver`
 application (https://github.com/teddziuba/django-sslserver) in conjunction
 with a simple project with the Django admin enabled.  Using the `requests`
 module to supply a bad `REFERER` header when POST-ing to the admin login
 page:

 {{{#!python
 import requests

 # Referer value is a Python 2 byte string that is not valid UTF-8;
 # verify=False because django-sslserver uses a self-signed dev certificate.
 requests.post('https://localhost:8000/admin/login/',
               headers={'referer': '\xd8B\xf6I\xdf'},
               verify=False).text
 }}}

 I get the `UnicodeDecodeError`.

--
Ticket URL: <https://code.djangoproject.com/ticket/23815#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
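Added example (not Django's code; the function names and the expected origin are assumptions): a strict UTF-8 decode of the Referer bytes from the reproduction above raises UnicodeDecodeError, while decoding with replacement characters lets a same-origin check simply reject the request without an unhandled exception.

```python
from urllib.parse import urlparse

# Constructed sample input: the Referer bytes from the reproduction above.
# 0xD8 opens a two-byte UTF-8 sequence, but 'B' (0x42) is not a valid
# continuation byte, so a strict UTF-8 decode raises UnicodeDecodeError.
BAD_REFERER = b'\xd8B\xf6I\xdf'
GOOD_REFERER = b'https://localhost:8000/admin/login/'
EXPECTED_ORIGIN = 'https://localhost:8000/'  # assumed origin of the site


def same_origin(url1, url2):
    """True when scheme, host and port match; cross-origin otherwise."""
    p1, p2 = urlparse(url1), urlparse(url2)
    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)


def referer_ok_strict(raw_referer, expected_origin):
    """Fragile variant: a strict decode lets malformed header bytes escape
    as UnicodeDecodeError, i.e. an unhandled exception (HTTP 500)."""
    return same_origin(raw_referer.decode('utf-8'), expected_origin)


def referer_ok_lenient(raw_referer, expected_origin):
    """Hardened variant: decode with replacement characters, so undecodable
    bytes can never match the expected origin and the request is refused
    like any other bad Referer (HTTP 403) instead of raising."""
    if not raw_referer:
        return False
    referer = raw_referer.decode('utf-8', errors='replace')
    return same_origin(referer, expected_origin)


def strict_check_crashes(raw_referer, expected_origin=EXPECTED_ORIGIN):
    """Report whether the fragile variant raises on this header value."""
    try:
        referer_ok_strict(raw_referer, expected_origin)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == '__main__':
    print('strict variant crashes:', strict_check_crashes(BAD_REFERER))  # True
    print('lenient, bad referer:', referer_ok_lenient(BAD_REFERER, EXPECTED_ORIGIN))  # False
    print('lenient, good referer:', referer_ok_lenient(GOOD_REFERER, EXPECTED_ORIGIN))  # True
```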
