#32795: Reject requests earlier if the CSRF token is missing or has the wrong format
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Chris Jerdonek):
One way to implement this would be to change
[https://github.com/django/django/blob/b746596f5f0e1fcac791b0f7c8bfc3d69dfef2ff/django/middleware/csrf.py#L109-L123
_sanitize_token()] to raise a new internal `InvalidTokenFormat` exception
with an appropriate reason string if the token has the wrong length or
contains invalid characters, instead of calling `_get_new_csrf_token()`.
Then, the two places that call `_sanitize_token()` can handle the
exception differently: (1) In `process_view()`, the request could be
rejected using the exception's message. This is similar to how
`process_view()` now handles `RejectRequest` exceptions raised by
`_check_referer()`. (2) In `_get_token()`, the exception could be handled
by calling `_get_new_csrf_token()`.
--
Ticket URL: <https://code.djangoproject.com/ticket/32795#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
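A sketch of the refactoring the comment describes, added here as an illustration; it is not the ticket's patch or Django's code. The constant names and the 64-character token length mirror django/middleware/csrf.py, but the reason strings, the simplified token generator and the two caller functions are assumptions, and the legacy 32-character secret handling is left out.

```python
import re
import secrets
import string

# Names follow django/middleware/csrf.py; values are assumptions for this sketch.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_TOKEN_LENGTH = 64

REASON_INCORRECT_LENGTH = "has incorrect length"
REASON_INVALID_CHARACTERS = "has invalid characters"


class InvalidTokenFormat(Exception):
    """Internal signal that a token is the wrong length or has bad characters."""

    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


def _get_new_csrf_token():
    # Simplified stand-in (assumption): Django masks a secret; here we just
    # draw a fresh random token of the expected length.
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_TOKEN_LENGTH))


def _sanitize_token(token):
    # Report why the value is unusable instead of silently replacing it,
    # so each caller can decide between rejecting and regenerating.
    if re.search("[^a-zA-Z0-9]", token):
        raise InvalidTokenFormat(REASON_INVALID_CHARACTERS)
    if len(token) != CSRF_TOKEN_LENGTH:
        raise InvalidTokenFormat(REASON_INCORRECT_LENGTH)
    return token


def get_token_for_template(cookie_token):
    # Call site (2), the _get_token() path: any usable token will do, so a
    # malformed cookie value is replaced by a new token.
    try:
        return _sanitize_token(cookie_token)
    except InvalidTokenFormat:
        return _get_new_csrf_token()


def check_unsafe_request(cookie_token):
    # Call site (1), the process_view() path: reject early and surface the
    # exception's reason as the rejection message; None means "not rejected".
    try:
        _sanitize_token(cookie_token)
    except InvalidTokenFormat as exc:
        return f"CSRF cookie {exc.reason}."
    return None
```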