authorColton Hicks <coltonbhicks@gmail.com>2020-01-31 23:42:24 -0800
committerCarlton Gibson <carlton@noumenal.es>2020-02-26 17:25:20 +0100
commitf283ffaa84ef0a558eb466b8fc3fae7e6fbb547c (patch)
tree5ce717580435c427520bc64b6bcb954ffef63ceb /django/middleware
parentbc1c03407649a37a8a3c26b8d0cb355ab2fc128e (diff)
Fixed #28699 -- Fixed CSRF validation with remote user middleware.
Ensured process_view() always accesses the CSRF token from the session or cookie, rather than the request, as rotate_token() may have been called by an authentication middleware during the process_request() phase.
Diffstat (limited to 'django/middleware')
-rw-r--r--django/middleware/csrf.py5
1 files changed, 4 insertions, 1 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index 4ac2f23019..368b51f316 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -280,7 +280,10 @@ class CsrfViewMiddleware(MiddlewareMixin):
reason = REASON_BAD_REFERER % referer.geturl()
return self._reject(request, reason)
- csrf_token = request.META.get('CSRF_COOKIE')
+ # Access csrf_token via self._get_token() as rotate_token() may
+ # have been called by an authentication middleware during the
+ # process_request() phase.
+ csrf_token = self._get_token(request)
if csrf_token is None:
# No CSRF cookie. For POST requests, we insist on a CSRF cookie,
# and in this way we can avoid all CSRF attacks, including login