Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay computing good_referer.

Chris Jerdonek 2021-03-26 02:47:32 -07:00 committed by Mariusz Felisiak
parent 71179a6124
commit cfd8c91839
1 changed files with 8 additions and 7 deletions


@ -274,6 +274,12 @@ class CsrfViewMiddleware(MiddlewareMixin):
if referer.scheme != 'https': if referer.scheme != 'https':
raise RejectRequest(REASON_INSECURE_REFERER) raise RejectRequest(REASON_INSECURE_REFERER)
if any(
is_same_domain(referer.netloc, host)
for host in self.csrf_trusted_origins_hosts
):
return
# Allow matching the configured cookie domain.
good_referer = ( good_referer = (
settings.SESSION_COOKIE_DOMAIN settings.SESSION_COOKIE_DOMAIN
if settings.CSRF_USE_SESSIONS if settings.CSRF_USE_SESSIONS
@ -286,18 +292,13 @@ class CsrfViewMiddleware(MiddlewareMixin):
# request.get_host() includes the port. # request.get_host() includes the port.
good_referer = request.get_host() good_referer = request.get_host()
except DisallowedHost: except DisallowedHost:
pass raise RejectRequest(REASON_BAD_REFERER % referer.geturl())
else: else:
server_port = request.get_port() server_port = request.get_port()
if server_port not in ('443', '80'): if server_port not in ('443', '80'):
good_referer = '%s:%s' % (good_referer, server_port) good_referer = '%s:%s' % (good_referer, server_port)
# Create an iterable of all acceptable HTTP referers. if not is_same_domain(referer.netloc, good_referer):
good_hosts = self.csrf_trusted_origins_hosts
if good_referer is not None:
good_hosts = (*good_hosts, good_referer)
if not any(is_same_domain(referer.netloc, host) for host in good_hosts):
raise RejectRequest(REASON_BAD_REFERER % referer.geturl()) raise RejectRequest(REASON_BAD_REFERER % referer.geturl())
def process_request(self, request): def process_request(self, request):
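Review bot: The new `raise RejectRequest(REASON_BAD_REFERER % referer.geturl())` in the `except DisallowedHost:` branch of the second hunk is only correct because the trusted-origins check added in the first hunk has already returned for any referer matching `csrf_trusted_origins_hosts`; nothing in the code states that ordering dependency, so a later reorder of the two checks would silently start rejecting trusted referers whenever the Host header is disallowed. I would add a comment directly above the raise: `# Trusted origins were already checked above, so without an acceptable Host there is nothing left for the referer to match; fail closed.` The reason string also attributes the rejection to the referer when the actual trigger is an unacceptable Host header, which can mislead whoever is diagnosing an ALLOWED_HOSTS problem from the reported reason; if the existing reason constants are to be kept, the comment should say so explicitly. `_check_referer` begins before the first hunk, and `process_request` at the end of the section continues outside it.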