#30017: Django should assume port 443 for https in
django.utils.http.is_same_domain()
-----------------------------------------+------------------------
               Reporter:  Tagar          |          Owner:  nobody
                   Type:  Bug            |         Status:  new
              Component:  HTTP handling  |        Version:  2.1
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 A more complete explanation is posted here:
 https://stackoverflow.com/questions/53658795/django-how-to-disable-referer-check

 The issue is probably in the Django code here:
 https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L280

 The referer variable there is a urlparse object (see
 https://docs.python.org/3/library/urllib.parse.html ) which contains a
 "netloc" property with a port.

 Notice the error again: the netlocs don't match because one has a port (443)
 and the other doesn't (port 443 is the default for https):

 Referer checking failed -

 https://hue-dev.discover.abc.com/hue/accounts/login/?next=/
 does not match
 https://hue-dev.discover.abc.com:443/.

 So I guess it should be some sort of Referer field transformation made in
 the nginx config to cut out the 443 port explicitly (or add it).

 The Referer check is failing because django.utils.http.is_same_domain() takes
 the port into account (in referer.netloc).

 Django should assume that port 443 is the default for HTTPS, and not fail the
 Referer check in this case.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30017>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
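The comparison the ticket describes, and the default-port normalisation it asks for, as an added example that is not Django's code (the domain-matching helper is re-implemented here after the documented behaviour of django.utils.http.is_same_domain so the example runs without Django; the URLs are the ones quoted in the ticket):

```python
from urllib.parse import urlsplit

# Default ports per scheme: a netloc carrying its scheme's default port
# names the same origin as the netloc without an explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def raw_netloc_matches(referer: str, good_origin: str) -> bool:
    """The check as the ticket describes it: netloc strings compared as-is,
    so an explicit :443 on only one side makes the Referer check fail."""
    return urlsplit(referer).netloc == urlsplit(good_origin).netloc


def normalized_host(url: str) -> str:
    """Return host[:port], dropping the port only when it is the scheme's
    default. `.port` raises ValueError for a non-numeric port, which is the
    right outcome for a malformed Referer (reject rather than guess)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port  # None when no explicit port was given
    if port is None or DEFAULT_PORTS.get(parts.scheme.lower()) == port:
        return host
    return f"{host}:{port}"


def is_same_domain(host: str, pattern: str) -> bool:
    """Exact match, or leading-dot wildcard match (".example.com" matches
    "example.com" and any subdomain). Re-implemented here, not imported."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def referer_matches(referer: str, good_origin: str) -> bool:
    """Referer check with default ports normalised on both sides. A
    non-default port (e.g. :8443) is kept, so it still counts as a
    different origin and is still rejected."""
    return is_same_domain(normalized_host(referer), normalized_host(good_origin))


if __name__ == "__main__":
    ref = "https://hue-dev.discover.abc.com/hue/accounts/login/?next=/"
    good = "https://hue-dev.discover.abc.com:443/"
    print("raw netloc compare:", raw_netloc_matches(ref, good))   # False
    print("normalised compare:", referer_matches(ref, good))      # True
```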
