From f283ffaa84ef0a558eb466b8fc3fae7e6fbb547c Mon Sep 17 00:00:00 2001 From: Colton Hicks Date: Fri, 31 Jan 2020 23:42:24 -0800 Subject: Fixed #28699 -- Fixed CSRF validation with remote user middleware. Ensured process_view() always accesses the CSRF token from the session or cookie, rather than the request, as rotate_token() may have been called by an authentication middleware during the process_request() phase. --- django/middleware/csrf.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'django') diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index 4ac2f23019..368b51f316 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -280,7 +280,10 @@ class CsrfViewMiddleware(MiddlewareMixin): reason = REASON_BAD_REFERER % referer.geturl() return self._reject(request, reason) - csrf_token = request.META.get('CSRF_COOKIE') + # Access csrf_token via self._get_token() as rotate_token() may + # have been called by an authentication middleware during the + # process_request() phase. + csrf_token = self._get_token(request) if csrf_token is None: # No CSRF cookie. For POST requests, we insist on a CSRF cookie, # and in this way we can avoid all CSRF attacks, including login -- cgit v1.3