Opened 10 years ago
Closed 10 years ago
#23040 closed Bug (invalid)
The CSRF protection seems to ignore the HTTP_X_CSRFTOKEN header and csrfmiddlewaretoken POST value in case the CSRF cookie is missing.
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | CSRF | Version: | 1.6 |
| Severity: | Normal | Keywords: | csrf |
| Cc: | Florian Apolloner | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
I have AJAX code which makes POST requests to a Django 1.6.4 application. The view has CSRF protection enabled via the django.middleware.csrf.CsrfViewMiddleware. If I do not pass a cookie but do pass the HTTP_X_CSRFTOKEN, it fails.
I am looking at the code of django.middleware.csrf.CsrfViewMiddleware and I see that on line 161 it checks to see if if csrf_token is None: after getting it from the cookie. If it is None, it returns. Only afterwards does it check the csrfmiddlewaretoken param and the HTTP_X_CSRFTOKEN request header.
This looks incorrect and the check for a missing csrf_token value should only be made after checking all the possible places for where it could be found.
Note:
See TracTickets
for help on using tickets.
No, this behavior is correct. Django compares the token from the cookie (which an attacker can't control) to the header/post-data which the attacker can control. Hence you will always need the cookie (sent by your browser automatically usually) and the header or post-data.