Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view().
This commit is contained in:
parent
70332e6c43
commit
f3825248a2
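--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -311,24 +311,24 @@ class CsrfViewMiddleware(MiddlewareMixin):
                 if referer.scheme != 'https':
                     return self._reject(request, REASON_INSECURE_REFERER)
 
-                # If there isn't a CSRF_COOKIE_DOMAIN, require an exact match
-                # match on host:port. If not, obey the cookie rules (or those
-                # for the session cookie, if CSRF_USE_SESSIONS).
                 good_referer = (
                     settings.SESSION_COOKIE_DOMAIN
                     if settings.CSRF_USE_SESSIONS
                     else settings.CSRF_COOKIE_DOMAIN
                 )
-                if good_referer is not None:
-                    server_port = request.get_port()
-                    if server_port not in ('443', '80'):
-                        good_referer = '%s:%s' % (good_referer, server_port)
-                else:
+                if good_referer is None:
+                    # If no cookie domain is configured, allow matching the
+                    # current host:port exactly if it's permitted by
+                    # ALLOWED_HOSTS.
                     try:
                         # request.get_host() includes the port.
                         good_referer = request.get_host()
                     except DisallowedHost:
                         pass
+                else:
+                    server_port = request.get_port()
+                    if server_port not in ('443', '80'):
+                        good_referer = '%s:%s' % (good_referer, server_port)
 
                 # Create an iterable of all acceptable HTTP referers.
                 good_hosts = self.csrf_trusted_origins_hosts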
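Review bot: The `except DisallowedHost: pass` branch still has no comment of its own, and the new comment above the `try` only describes the success path, so the silent `pass` reads like a swallowed error rather than the deliberate fail-closed choice it appears to be. Leaving good_referer as None when the Host header is not in ALLOWED_HOSTS presumably means the Referer can then only match an entry from csrf_trusted_origins_hosts (assigned at the end of the hunk), which is the safe outcome, but that intent should be stated where a future reader will look for it. I would put `# Host header not in ALLOWED_HOSTS: leave good_referer as None so only CSRF_TRUSTED_ORIGINS can match.` directly above the `pass`. process_view() starts and ends outside this hunk, so how good_referer is consumed further down cannot be confirmed from here.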