summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2015-01-05 18:23:57 +0100
committerClaude Paroz <claude@2xlibre.net>2015-01-06 08:45:10 +0100
commitd8fb557a519a419a53d648ce1ef12dad8673151f (patch)
tree572027e863af5386a62da128a82830b98c5bdebf
parent0e21fd4e4048718fe065a8ff080c1d0df8173883 (diff)
[1.7.x] Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
Thanks codeitloadit for the report, living180 for investigations and Tim Graham for the review. Backport of 27dd7e7271 from master.
-rw-r--r--django/middleware/csrf.py6
-rw-r--r--docs/releases/1.7.3.txt3
-rw-r--r--tests/csrf_tests/tests.py5
3 files changed, 13 insertions, 1 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index eb7fe7d8cb..dfeefa4b4a 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -148,7 +148,11 @@ class CsrfViewMiddleware(object):
# Barth et al. found that the Referer header is missing for
# same-domain requests in only about 0.2% of cases or less, so
# we can use strict Referer checking.
- referer = request.META.get('HTTP_REFERER')
+ referer = force_text(
+ request.META.get('HTTP_REFERER'),
+ strings_only=True,
+ errors='replace'
+ )
if referer is None:
return self._reject(request, REASON_NO_REFERER)
diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt
index 50b6b18f16..964c654920 100644
--- a/docs/releases/1.7.3.txt
+++ b/docs/releases/1.7.3.txt
@@ -17,3 +17,6 @@ Bugfixes
affect users who have subclassed
``django.contrib.auth.hashers.PBKDF2PasswordHasher`` to change the
default value.
+
+* Fixed a crash in the CSRF middleware when handling non-ASCII referer header
+ (:ticket:`23815`).
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 6199ca84bd..a2a8f1c925 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -300,6 +300,11 @@ class CsrfViewMiddlewareTest(TestCase):
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertNotEqual(None, req2)
self.assertEqual(403, req2.status_code)
+ # Non-ASCII
+ req.META['HTTP_REFERER'] = b'\xd8B\xf6I\xdf'
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+ self.assertNotEqual(None, req2)
+ self.assertEqual(403, req2.status_code)
@override_settings(ALLOWED_HOSTS=['www.example.com'])
def test_https_good_referer(self):