authorChris Jerdonek <chris.jerdonek@gmail.com>2021-03-25 00:35:49 -0700
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-03-25 10:34:58 +0100
commitff514309e178e3955012050ead9b8fc66dc21a5b (patch)
treef0886ac5b7de231fe9b799c07a6bd6dd63a17bfc /django/middleware
parent5b618f239ceb884c9380cf42361c7cc69bf1e208 (diff)
Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host.
Diffstat (limited to 'django/middleware')
-rw-r--r--django/middleware/csrf.py17
1 files changed, 11 insertions, 6 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index 7909dc1b80..f323ffb13d 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -226,12 +226,17 @@ class CsrfViewMiddleware(MiddlewareMixin):
def _origin_verified(self, request):
request_origin = request.META['HTTP_ORIGIN']
- good_origin = '%s://%s' % (
- 'https' if request.is_secure() else 'http',
- request.get_host(),
- )
- if request_origin == good_origin:
- return True
+ try:
+ good_host = request.get_host()
+ except DisallowedHost:
+ pass
+ else:
+ good_origin = '%s://%s' % (
+ 'https' if request.is_secure() else 'http',
+ good_host,
+ )
+ if request_origin == good_origin:
+ return True
if request_origin in self.allowed_origins_exact:
return True
try:
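Review bot: The `except DisallowedHost: pass` branch in `_origin_verified` has no comment saying the fall-through is deliberate, so a reader cannot tell whether a request with a rejected Host header is meant to still reach the `self.allowed_origins_exact` check below it. As written, such a request skips only the same-origin comparison and can still return True when its Origin is in the exact-match list. That looks intended, since the Origin is then trusted independently of the Host, but it is security-relevant enough to state in the code. I would put a comment above the `pass`: `# Host is not allowed, so no same-origin match is possible; only the trusted-origin checks below can verify this request.` The function body continues past the end of the hunk (the trailing `try:` is left open), so the remaining checks are not visible here.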