Opened 4 years ago
Last modified 4 years ago
#31845 closed Bug
CSRF check fails when browsing with FQDN with trailing dot — at Version 1
| Reported by: | ippei | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | 2.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Florian Apolloner | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
CSRF check seems to fail with "Referer checking failed" when user is browsing with FQDN with trailing dot.
At this line: https://github.com/django/django/blob/2.2.12/django/middleware/csrf.py#L280
while referer.netloc has trailing dot, one of the good_hosts that is supposed to match comes from request.get_host() which strips the trailing dot.
is_same_domain does not consider domain strings with and without trailing dots the same domain.
We neither set CSRF_USE_SESSIONS nor CSRF_COOKIE_DOMAIN in settings.
(Our system uses DRF, but the original error seems to come from the CsrfViewMiddleware implementation.)
For now, we add CSRF_TRUSTED_ORIGINS our production domain with trailing dot to circumvent this issue.