summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--django/middleware/csrf.py5
-rw-r--r--tests/csrf_tests/tests.py6
2 files changed, 10 insertions, 1 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index a17dde9276..2ee97ce8ce 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -298,7 +298,10 @@ class CsrfViewMiddleware(MiddlewareMixin):
if referer is None:
return self._reject(request, REASON_NO_REFERER)
- referer = urlparse(referer)
+ try:
+ referer = urlparse(referer)
+ except ValueError:
+ return self._reject(request, REASON_MALFORMED_REFERER)
# Make sure we have a valid URL for Referer.
if '' in (referer.scheme, referer.netloc):
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index fb6168a044..30a58b864c 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -353,6 +353,12 @@ class CsrfViewMiddlewareTestMixin:
req.META['HTTP_REFERER'] = 'https://'
response = mw.process_view(req, post_form_view, (), {})
self.assertContains(response, malformed_referer_msg, status_code=403)
+ # Invalid URL
+ # >>> urlparse('https://[')
+ # ValueError: Invalid IPv6 URL
+ req.META['HTTP_REFERER'] = 'https://['
+ response = mw.process_view(req, post_form_view, (), {})
+ self.assertContains(response, malformed_referer_msg, status_code=403)
@override_settings(ALLOWED_HOSTS=['www.example.com'])
def test_https_good_referer(self):