Refs #32596 -- Added early return on safe methods in CsrfViewMiddleware.process_view().

This commit is contained in:
Chris Jerdonek 2021-04-03 02:02:47 -07:00 committed by Mariusz Felisiak
parent cfd8c91839
commit 214b36f50a
1 changed files with 63 additions and 64 deletions

View File

@ -317,13 +317,14 @@ class CsrfViewMiddleware(MiddlewareMixin):
return None return None
# Assume that anything not defined as 'safe' by RFC7231 needs protection # Assume that anything not defined as 'safe' by RFC7231 needs protection
if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'): if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
return self._accept(request)
if getattr(request, '_dont_enforce_csrf_checks', False): if getattr(request, '_dont_enforce_csrf_checks', False):
# Mechanism to turn off CSRF checks for test suite. # Mechanism to turn off CSRF checks for test suite. It comes after
# It comes after the creation of CSRF cookies, so that # the creation of CSRF cookies, so that everything else continues
# everything else continues to work exactly the same # to work exactly the same (e.g. cookies are sent, etc.), but
# (e.g. cookies are sent, etc.), but before any # before any branches that call reject().
# branches that call reject().
return self._accept(request) return self._accept(request)
# Reject the request if the Origin header doesn't match an allowed # Reject the request if the Origin header doesn't match an allowed
@ -332,8 +333,8 @@ class CsrfViewMiddleware(MiddlewareMixin):
if not self._origin_verified(request): if not self._origin_verified(request):
return self._reject(request, REASON_BAD_ORIGIN % request.META['HTTP_ORIGIN']) return self._reject(request, REASON_BAD_ORIGIN % request.META['HTTP_ORIGIN'])
elif request.is_secure(): elif request.is_secure():
# If the Origin header wasn't provided, reject HTTPS requests # If the Origin header wasn't provided, reject HTTPS requests if
# if the Referer header doesn't match an allowed value. # the Referer header doesn't match an allowed value.
# #
# Suppose user visits http://example.com/ # Suppose user visits http://example.com/
# An active network attacker (man-in-the-middle, MITM) sends a # An active network attacker (man-in-the-middle, MITM) sends a
@ -341,22 +342,21 @@ class CsrfViewMiddleware(MiddlewareMixin):
# submits it via JavaScript. # submits it via JavaScript.
# #
# The attacker will need to provide a CSRF cookie and token, but # The attacker will need to provide a CSRF cookie and token, but
# that's no problem for a MITM and the session-independent # that's no problem for a MITM and the session-independent secret
# secret we're using. So the MITM can circumvent the CSRF # we're using. So the MITM can circumvent the CSRF protection. This
# protection. This is true for any HTTP connection, but anyone # is true for any HTTP connection, but anyone using HTTPS expects
# using HTTPS expects better! For this reason, for # better! For this reason, for https://example.com/ we need
# https://example.com/ we need additional protection that treats # additional protection that treats http://example.com/ as
# http://example.com/ as completely untrusted. Under HTTPS, # completely untrusted. Under HTTPS, Barth et al. found that the
# Barth et al. found that the Referer header is missing for # Referer header is missing for same-domain requests in only about
# same-domain requests in only about 0.2% of cases or less, so # 0.2% of cases or less, so we can use strict Referer checking.
# we can use strict Referer checking.
try: try:
self._check_referer(request) self._check_referer(request)
except RejectRequest as exc: except RejectRequest as exc:
return self._reject(request, exc.reason) return self._reject(request, exc.reason)
# Access csrf_token via self._get_token() as rotate_token() may # Access csrf_token via self._get_token() as rotate_token() may have
# have been called by an authentication middleware during the # been called by an authentication middleware during the
# process_request() phase. # process_request() phase.
csrf_token = self._get_token(request) csrf_token = self._get_token(request)
if csrf_token is None: if csrf_token is None:
@ -366,21 +366,20 @@ class CsrfViewMiddleware(MiddlewareMixin):
return self._reject(request, REASON_NO_CSRF_COOKIE) return self._reject(request, REASON_NO_CSRF_COOKIE)
# Check non-cookie token for match. # Check non-cookie token for match.
request_csrf_token = "" request_csrf_token = ''
if request.method == "POST": if request.method == 'POST':
try: try:
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '') request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
except OSError: except OSError:
# Handle a broken connection before we've completed reading # Handle a broken connection before we've completed reading the
# the POST data. process_view shouldn't raise any # POST data. process_view shouldn't raise any exceptions, so
# exceptions, so we'll ignore and serve the user a 403 # we'll ignore and serve the user a 403 (assuming they're still
# (assuming they're still listening, which they probably # listening, which they probably aren't because of the error).
# aren't because of the error).
pass pass
if request_csrf_token == "": if request_csrf_token == '':
# Fall back to X-CSRFToken, to make things easier for AJAX, # Fall back to X-CSRFToken, to make things easier for AJAX, and
# and possible for PUT/DELETE. # possible for PUT/DELETE.
request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '') request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '')
request_csrf_token = _sanitize_token(request_csrf_token) request_csrf_token = _sanitize_token(request_csrf_token)