Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header.

author: Adam Donaghy <adamdonaghy1994@gmail.com> 2021-03-19 20:42:05 +1100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-03-19 11:19:19 +0100
commit: e49fdfa405fcacb59d7ff2f321a7ddbc65dfc68b (patch)
tree: 657eba12e59a2df2815ec5ee02788e3b0c73a4c6 /django/middleware/csrf.py
parent: 474cc420bf6bc1067e2aaa4b40cf6a08d62096f7 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index a17dde9276..2ee97ce8ce 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -298,7 +298,10 @@ class CsrfViewMiddleware(MiddlewareMixin):
                 if referer is None:
                     return self._reject(request, REASON_NO_REFERER)
 
-                referer = urlparse(referer)
+                try:
+                    referer = urlparse(referer)
+                except ValueError:
+                    return self._reject(request, REASON_MALFORMED_REFERER)
 
                 # Make sure we have a valid URL for Referer.
                 if '' in (referer.scheme, referer.netloc):
author	Adam Donaghy <adamdonaghy1994@gmail.com>	2021-03-19 20:42:05 +1100
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2021-03-19 11:19:19 +0100
commit	e49fdfa405fcacb59d7ff2f321a7ddbc65dfc68b (patch)
tree	657eba12e59a2df2815ec5ee02788e3b0c73a4c6 /django/middleware/csrf.py
parent	474cc420bf6bc1067e2aaa4b40cf6a08d62096f7 (diff)