summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdam Donaghy <adamdonaghy1994@gmail.com>2021-03-19 20:42:05 +1100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-03-19 11:19:19 +0100
commite49fdfa405fcacb59d7ff2f321a7ddbc65dfc68b (patch)
tree657eba12e59a2df2815ec5ee02788e3b0c73a4c6
parent474cc420bf6bc1067e2aaa4b40cf6a08d62096f7 (diff)
Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header.
Diffstat
-rw-r--r--django/middleware/csrf.py5
-rw-r--r--tests/csrf_tests/tests.py6
2 files changed, 10 insertions, 1 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index a17dde9276..2ee97ce8ce 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -298,7 +298,10 @@ class CsrfViewMiddleware(MiddlewareMixin):
if referer is None:
return self._reject(request, REASON_NO_REFERER)
- referer = urlparse(referer)
+ try:
+ referer = urlparse(referer)
+ except ValueError:
+ return self._reject(request, REASON_MALFORMED_REFERER)
# Make sure we have a valid URL for Referer.
if '' in (referer.scheme, referer.netloc):
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index fb6168a044..30a58b864c 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -353,6 +353,12 @@ class CsrfViewMiddlewareTestMixin:
req.META['HTTP_REFERER'] = 'https://'
response = mw.process_view(req, post_form_view, (), {})
self.assertContains(response, malformed_referer_msg, status_code=403)
+ # Invalid URL
+ # >>> urlparse('https://[')
+ # ValueError: Invalid IPv6 URL
+ req.META['HTTP_REFERER'] = 'https://['
+ response = mw.process_view(req, post_form_view, (), {})
+ self.assertContains(response, malformed_referer_msg, status_code=403)
@override_settings(ALLOWED_HOSTS=['www.example.com'])
def test_https_good_referer(self):
generated by cgit v1.3 (git 2.53.0) at 2026-06-30 22:21:02 +0000