#15617: CSRF referer checking too strict
---------------------------+---------------------------
 Reporter:  adam           |         Owner:  nobody
   Status:  new            |     Milestone:
Component:  Uncategorized  |       Version:  1.3-beta
 Keywords:                 |  Triage Stage:  Unreviewed
Has patch:  0              |
---------------------------+---------------------------
 I get this error:

 Forbidden (403)
 CSRF verification failed. Request aborted.

 Reason given for failure:

     Referer checking failed - https://sub.domain.com does not match
 https://sum.domain.com/.

 Using IE6 on my site. In the apache log the request looks like:

 86.24.194.171 - - [15/Mar/2011:15:07:06 +0000] "POST / HTTP/1.1" 403 1030
 "https://sub.domain.com"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152;
 .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

 So it looks like the referer should not be required to start with a url
 including a trailing slash. That is a change to make:

 good_referer = 'https://%s' % request.get_host()

 Happy to provide a patch if people agree with my conclusions.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/15617>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
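An added illustration of the check this ticket is about (example code written here, not Django's own implementation and not the reporter's patch): the first function mirrors the behaviour the reporter hits, a plain prefix match against `https://<host>/` with a trailing slash, which rejects the slash-less `Referer` that the logged IE6 request sends; the second is the change the ticket proposes, dropping the slash. A bare prefix match without the slash would also accept a referer whose hostname merely begins with the expected host, so a third, hypothetical variant parses the referer and compares scheme and host exactly, which is what `request.get_host()` would be compared against. The sample referers and the host name are constructed for the example.

```python
from urllib.parse import urlsplit


def check_referer_strict(referer, host):
    """Mirror of the 1.3-era behaviour described in the ticket: the
    Referer must start with 'https://<host>/' including the trailing
    slash, so 'https://sub.domain.com' (no slash) is rejected."""
    if not referer:
        return False
    good_referer = 'https://%s/' % host
    return referer.startswith(good_referer)


def check_referer_prefix(referer, host):
    """The change proposed in the ticket: same prefix match, but without
    the trailing slash.  Note that this also accepts any referer whose
    host merely begins with the expected host string."""
    if not referer:
        return False
    good_referer = 'https://%s' % host
    return referer.startswith(good_referer)


def check_referer_parsed(referer, host):
    """Hypothetical hardened variant (not from the ticket): parse the
    Referer and require scheme == https and an exact, case-insensitive
    host[:port] match, so a missing trailing slash is fine but a longer
    hostname is not."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme.lower() != 'https' or not parts.netloc:
        return False
    return parts.netloc.lower() == host.lower()


# Constructed inputs; the host is the one the ticket's error message shows.
HOST = 'sub.domain.com'
SAMPLES = {
    'ie6_no_slash': 'https://sub.domain.com',
    'with_slash': 'https://sub.domain.com/',
    'longer_hostname': 'https://sub.domain.com.example/',
    'plain_http': 'http://sub.domain.com/',
    'missing': None,
}


def evaluate(samples=SAMPLES, host=HOST):
    """Run every sample through all three checks; returns
    {sample_name: (strict, prefix, parsed)} so the differences are visible."""
    return {
        name: (
            check_referer_strict(ref, host),
            check_referer_prefix(ref, host),
            check_referer_parsed(ref, host),
        )
        for name, ref in samples.items()
    }


if __name__ == '__main__':
    for name, verdicts in evaluate().items():
        print('%-16s strict=%-5s prefix=%-5s parsed=%s' % ((name,) + verdicts))
```

Running it shows the logged IE6 request failing only under the strict check, the longer hostname passing only under the slash-less prefix check, and the parsed variant accepting exactly the two same-origin referers.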