mirror of https://github.com/django/django.git
Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host.
This commit is contained in:
parent
5b618f239c
commit
ff514309e1
|
@ -226,9 +226,14 @@ class CsrfViewMiddleware(MiddlewareMixin):
|
|||
|
||||
def _origin_verified(self, request):
|
||||
request_origin = request.META['HTTP_ORIGIN']
|
||||
try:
|
||||
good_host = request.get_host()
|
||||
except DisallowedHost:
|
||||
pass
|
||||
else:
|
||||
good_origin = '%s://%s' % (
|
||||
'https' if request.is_secure() else 'http',
|
||||
request.get_host(),
|
||||
good_host,
|
||||
)
|
||||
if request_origin == good_origin:
|
||||
return True
|
||||
|
|
|
@ -319,6 +319,15 @@ class CsrfViewMiddlewareTestMixin:
|
|||
response = mw.process_view(req, token_view, (), {})
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_origin_malformed_host(self):
|
||||
req = self._get_POST_no_csrf_cookie_request()
|
||||
req._is_secure_override = True
|
||||
req.META['HTTP_HOST'] = '@malformed'
|
||||
req.META['HTTP_ORIGIN'] = 'https://www.evil.org'
|
||||
mw = CsrfViewMiddleware(token_view)
|
||||
response = mw.process_view(req, token_view, (), {})
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
@override_settings(DEBUG=True)
|
||||
def test_https_malformed_referer(self):
|
||||
"""
|
||||
|
|
Loading…
Reference in New Issue