#26094 closed Bug (fixed)
CSRF fails behind proxy (settings.USE_X_FORWARDED_PORT=True)
Reported by: | Jose M Herrero | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 1.9 |
Severity: | Release blocker | Keywords: | csrf |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I use gunicorn behind nginx and a load balancer, and CSRF has failed since 1.9 (the code was introduced here: https://github.com/django/django/commit/b0c56b895fd2694d7f5d4595bdbbc41916607f45).
The problem is that if settings.CSRF_COOKIE_DOMAIN is defined, it uses request.META['SERVER_PORT'] to check that the port is the same, and this fails behind a proxy.
Using the request method get_port() takes it into account, and I find that it is more correct than using the header directly.
Patch is on:
https://github.com/chemary/django/commit/081685242dac206783024e1834d1f178b5b8b9b9
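The port mismatch described in this ticket, as an added example that is not part of the ticket or Django's own code: a simplified, stdlib-only model of the referer check that compares reading `SERVER_PORT` directly with a `get_port()`-style lookup. The hostnames, ports, and function names other than `get_port` are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed request metadata: gunicorn listens on 8000, while the
# proxy terminates HTTPS on 443 and sets X-Forwarded-Port itself.
PROXIED_META = {
    "SERVER_PORT": "8000",
    "HTTP_X_FORWARDED_PORT": "443",
    "HTTP_REFERER": "https://app.example.com/form/",
}


def get_port(meta, use_x_forwarded_port):
    """Model of get_port(): prefer the proxy header only when enabled."""
    if use_x_forwarded_port and "HTTP_X_FORWARDED_PORT" in meta:
        return str(meta["HTTP_X_FORWARDED_PORT"])
    return str(meta["SERVER_PORT"])


def expected_referer_host(cookie_domain, port):
    """Append the port to the cookie domain unless it is a default port."""
    if port not in ("443", "80"):
        return "%s:%s" % (cookie_domain, port)
    return cookie_domain


def same_domain(host, pattern):
    """Exact match, or subdomain match when the pattern starts with a dot."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def referer_ok(meta, cookie_domain, use_get_port, use_x_forwarded_port=True):
    """Return True when the Referer host matches the expected host."""
    if use_get_port:
        port = get_port(meta, use_x_forwarded_port)
    else:
        port = meta["SERVER_PORT"]  # behaviour reported in the ticket
    good = expected_referer_host(cookie_domain, port)
    return same_domain(urlsplit(meta["HTTP_REFERER"]).netloc, good)


if __name__ == "__main__":
    print("SERVER_PORT:", referer_ok(PROXIED_META, ".example.com", False))
    print("get_port():", referer_ok(PROXIED_META, ".example.com", True))
```

The forwarded port is only as trustworthy as the proxy that sets it, so the proxy should overwrite `X-Forwarded-Port` rather than pass through a client-supplied value.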
Change History (4)
comment:1 by , 9 years ago
Easy pickings: | unset |
---|---|
Patch needs improvement: | set |
Severity: | Normal → Release blocker |
Summary: | CSRF fails behind proxy → CSRF fails behind proxy (settings.USE_X_FORWARDED_PORT=True) |
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 9 years ago
Patch needs improvement: | unset |
---|---|
comment:3 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
In 2d28144c: