diff options
| author | Claude Paroz <claude@2xlibre.net> | 2015-01-05 18:23:57 +0100 |
|---|---|---|
| committer | Claude Paroz <claude@2xlibre.net> | 2015-01-06 08:45:10 +0100 |
| commit | d8fb557a519a419a53d648ce1ef12dad8673151f (patch) | |
| tree | 572027e863af5386a62da128a82830b98c5bdebf | |
| parent | 0e21fd4e4048718fe065a8ff080c1d0df8173883 (diff) | |
[1.7.x] Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review.
Backport of 27dd7e7271 from master.
| -rw-r--r-- | django/middleware/csrf.py | 6 | ||||
| -rw-r--r-- | docs/releases/1.7.3.txt | 3 | ||||
| -rw-r--r-- | tests/csrf_tests/tests.py | 5 |
3 files changed, 13 insertions, 1 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index eb7fe7d8cb..dfeefa4b4a 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -148,7 +148,11 @@ class CsrfViewMiddleware(object): # Barth et al. found that the Referer header is missing for # same-domain requests in only about 0.2% of cases or less, so # we can use strict Referer checking. - referer = request.META.get('HTTP_REFERER') + referer = force_text( + request.META.get('HTTP_REFERER'), + strings_only=True, + errors='replace' + ) if referer is None: return self._reject(request, REASON_NO_REFERER) diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt index 50b6b18f16..964c654920 100644 --- a/docs/releases/1.7.3.txt +++ b/docs/releases/1.7.3.txt @@ -17,3 +17,6 @@ Bugfixes affect users who have subclassed ``django.contrib.auth.hashers.PBKDF2PasswordHasher`` to change the default value. + +* Fixed a crash in the CSRF middleware when handling non-ASCII referer header + (:ticket:`23815`). diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py index 6199ca84bd..a2a8f1c925 100644 --- a/tests/csrf_tests/tests.py +++ b/tests/csrf_tests/tests.py @@ -300,6 +300,11 @@ class CsrfViewMiddlewareTest(TestCase): req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) self.assertNotEqual(None, req2) self.assertEqual(403, req2.status_code) + # Non-ASCII + req.META['HTTP_REFERER'] = b'\xd8B\xf6I\xdf' + req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) + self.assertNotEqual(None, req2) + self.assertEqual(403, req2.status_code) @override_settings(ALLOWED_HOSTS=['www.example.com']) def test_https_good_referer(self): |
