Re: [Django] #28488: Django 1.11 to 1.11.4 raises CSRF verification failed if settings.DEBUG is False

Fri, 11 Aug 2017 14:31:08 -0700 

#28488: Django 1.11 to 1.11.4 raises CSRF verification failed if settings.DEBUG 
is
False
-------------------------------------+-------------------------------------
     Reporter:  Ruben Alves          |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  CSRF                 |                  Version:  1.11
     Severity:  Release blocker      |               Resolution:
     Keywords:  csrf failed          |             Triage Stage:
  settings debug false production    |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Ruben Alves):

 Ok, I've added some logs on `django.middleware.csrf`, and this is what I
 have:

 Between lines 208 and 209
 
(https://github.com/django/django/blob/stable/1.11.x/django/middleware/csrf.py#L208)
 I've added a log and the value of `csrf_token` is
 `vcdodHkRb8jlxQP5fnTjuQp5i3PMWYYEBOYfpOFkCEjWWwHMpJ9uqaPGI6vGi6hS`

 The `if request.is_secure():` is `True` on line 228
 
(https://github.com/django/django/blob/stable/1.11.x/django/middleware/csrf.py#L228)


 The value of  `request_csrf_token` on line 311
 
(https://github.com/django/django/blob/stable/1.11.x/django/middleware/csrf.py#L311)
 before we call `request_csrf_token = _sanitize_token(request_csrf_token)`
 is `tMgl4aTrdjOEShUax3Gz1CJLbvnhBWiEVzmzgTxSclDuP01lBfwoE2R6dDyljaCQ`

 After `_sanitize_token` be called, the value of `request_csrf_token` is
 the same, and the value of `csrf_token` is
 `vcdodHkRb8jlxQP5fnTjuQp5i3PMWYYEBOYfpOFkCEjWWwHMpJ9uqaPGI6vGi6hS`.

 Finally `_compare_salted_tokens(request_csrf_token, csrf_token)` on line
 313 returns `False`
 
(https://github.com/django/django/blob/stable/1.11.x/django/middleware/csrf.py#L313).

-- 
Ticket URL: <https://code.djangoproject.com/ticket/28488#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/068.ab6791223df19a6e59c059f04e0fb6b0%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to