From cfd8c918390cd5317621124d224a009196f8755c Mon Sep 17 00:00:00 2001 From: Chris Jerdonek Date: Fri, 26 Mar 2021 02:47:32 -0700 Subject: [PATCH] Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay computing good_referer. --- django/middleware/csrf.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index 82da2515d2f..18af1d619a9 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -274,6 +274,12 @@ class CsrfViewMiddleware(MiddlewareMixin): if referer.scheme != 'https': raise RejectRequest(REASON_INSECURE_REFERER) + if any( + is_same_domain(referer.netloc, host) + for host in self.csrf_trusted_origins_hosts + ): + return + # Allow matching the configured cookie domain. good_referer = ( settings.SESSION_COOKIE_DOMAIN if settings.CSRF_USE_SESSIONS @@ -286,18 +292,13 @@ class CsrfViewMiddleware(MiddlewareMixin): # request.get_host() includes the port. good_referer = request.get_host() except DisallowedHost: - pass + raise RejectRequest(REASON_BAD_REFERER % referer.geturl()) else: server_port = request.get_port() if server_port not in ('443', '80'): good_referer = '%s:%s' % (good_referer, server_port) - # Create an iterable of all acceptable HTTP referers. - good_hosts = self.csrf_trusted_origins_hosts - if good_referer is not None: - good_hosts = (*good_hosts, good_referer) - - if not any(is_same_domain(referer.netloc, host) for host in good_hosts): + if not is_same_domain(referer.netloc, good_referer): raise RejectRequest(REASON_BAD_REFERER % referer.geturl()) def process_request(self, request):