From e49fdfa405fcacb59d7ff2f321a7ddbc65dfc68b Mon Sep 17 00:00:00 2001 From: Adam Donaghy Date: Fri, 19 Mar 2021 20:42:05 +1100 Subject: Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header. --- django/middleware/csrf.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'django') diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index a17dde9276..2ee97ce8ce 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -298,7 +298,10 @@ class CsrfViewMiddleware(MiddlewareMixin): if referer is None: return self._reject(request, REASON_NO_REFERER) - referer = urlparse(referer) + try: + referer = urlparse(referer) + except ValueError: + return self._reject(request, REASON_MALFORMED_REFERER) # Make sure we have a valid URL for Referer. if '' in (referer.scheme, referer.netloc): -- cgit v1.3