Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view().

Chris Jerdonek 2021-03-24 03:56:33 -07:00 committed by Mariusz Felisiak
parent 70332e6c43
commit f3825248a2
1 changed files with 8 additions and 8 deletions


@ -311,24 +311,24 @@ class CsrfViewMiddleware(MiddlewareMixin):
if referer.scheme != 'https': if referer.scheme != 'https':
return self._reject(request, REASON_INSECURE_REFERER) return self._reject(request, REASON_INSECURE_REFERER)
# If there isn't a CSRF_COOKIE_DOMAIN, require an exact match
# match on host:port. If not, obey the cookie rules (or those
# for the session cookie, if CSRF_USE_SESSIONS).
good_referer = ( good_referer = (
settings.SESSION_COOKIE_DOMAIN settings.SESSION_COOKIE_DOMAIN
if settings.CSRF_USE_SESSIONS if settings.CSRF_USE_SESSIONS
else settings.CSRF_COOKIE_DOMAIN else settings.CSRF_COOKIE_DOMAIN
) )
if good_referer is not None: if good_referer is None:
server_port = request.get_port() # If no cookie domain is configured, allow matching the
if server_port not in ('443', '80'): # current host:port exactly if it's permitted by
good_referer = '%s:%s' % (good_referer, server_port) # ALLOWED_HOSTS.
else:
try: try:
# request.get_host() includes the port. # request.get_host() includes the port.
good_referer = request.get_host() good_referer = request.get_host()
except DisallowedHost: except DisallowedHost:
pass pass
else:
server_port = request.get_port()
if server_port not in ('443', '80'):
good_referer = '%s:%s' % (good_referer, server_port)
# Create an iterable of all acceptable HTTP referers. # Create an iterable of all acceptable HTTP referers.
good_hosts = self.csrf_trusted_origins_hosts good_hosts = self.csrf_trusted_origins_hosts
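Review bot: The `except DisallowedHost: pass` inside the new `if good_referer is None:` branch still swallows the exception without saying what that means for the referer check; the comment added above it only describes the case where the host is permitted by ALLOWED_HOSTS. A one-line comment on the `pass` would make the fail-closed intent explicit, for example `# Host not permitted by ALLOWED_HOSTS: good_referer stays None, so no host-derived referer is accepted.` The code that consumes `good_referer` lies after this hunk, so confirm that it skips a None value before relying on that wording. The relocated `else:` branch also lost its explanation when the old three-line comment was removed; `# Otherwise match the configured cookie domain, adding the port when it is not 443 or 80.` would restore it.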