Opened 5 years ago

Closed 5 years ago

#31089 closed Bug (fixed)

May be CSRF middleware logical error

Reported by: sinyawskiy
Owned by: nobody
Component: CSRF
Version: 2.2
Severity: Normal
Keywords: CSRF Token
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

In file middleware/csrf.py, in class CsrfViewMiddleware, in process_view: Django (2.2.8 and others)

We check the request for a token.
We check that the method is not in (GET, HEAD, OPTIONS, TRACE), then
(in line 284) we check the CSRF cookie, and if there is no token -> reject. The request check always finishes at this line.

But in line 293 we check the POST data. Both the cookie and the csrfmiddlewaretoken data value need to exist??? Why?
And in line 304, if the method is not POST, we check PUT and DELETE and get the token value from the request header. Both the cookie and the X-CSRFToken header value need to exist? Why?

In my opinion, CSRF needs to check the COOKIE for the PUT, POST and DELETE methods, and reject if the token is not set, for all methods and in the COOKIE too.

Thank you very much.
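For readers following the question, this added example (not the ticket's or Django's own code) re-implements the double-submit check the reporter describes in a simplified form: the cookie token and the token sent in the form field or X-CSRFToken header both unmask to the same secret, and a request that carries only the cookie (which a browser attaches to any cross-site request automatically) is rejected. The mask/cipher layout and the 32/64 lengths mirror Django 2.2's csrf.py; the cookie and header names are the Django defaults.

```python
import secrets
import string
from hmac import compare_digest

# Constants follow Django 2.2's csrf.py; the functions are a simplified
# re-implementation for illustration, not Django's own code.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def new_secret():
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def salt_cipher_secret(secret, mask=None):
    # Mask the secret with a random string so every issued token looks different.
    mask = mask or new_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(chars[(chars.index(s) + chars.index(m)) % len(chars)]
                     for s, m in zip(secret, mask))
    return mask + cipher


def unsalt_cipher_token(token):
    # Reverse the masking: subtract the mask half from the cipher half.
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(chars[(chars.index(c) - chars.index(m)) % len(chars)]
                   for c, m in zip(cipher, mask))


def check_csrf(method, cookies, post, headers):
    """Return None when the request is accepted, otherwise the rejection reason."""
    if method in SAFE_METHODS:
        return None
    cookie_token = cookies.get("csrftoken")
    if cookie_token is None or len(cookie_token) != CSRF_TOKEN_LENGTH:
        return "CSRF cookie not set."
    # The cookie alone proves nothing: the browser sends it with cross-site
    # requests too. The sender must also supply a token it could only obtain
    # by reading the page (form field, falling back to the header).
    request_token = post.get("csrfmiddlewaretoken", "") if method == "POST" else ""
    if not request_token:
        request_token = headers.get("HTTP_X_CSRFTOKEN", "")
    if len(request_token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in request_token):
        return "CSRF token missing or incorrect."
    # Both tokens unmask to the same secret only if they came from the same page.
    if not compare_digest(unsalt_cipher_token(request_token), unsalt_cipher_token(cookie_token)):
        return "CSRF token missing or incorrect."
    return None
```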

Change History (1)

comment:1 by sinyawskiy, 5 years ago

Resolution: fixed
Status: new → closed