Opened 21 months ago
Closed 21 months ago
#34465 closed Bug (needsinfo)
Handle malformed CSRF cookie
Reported by: | Miha Sedej | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 4.1 |
Severity: | Normal | Keywords: | csrf, 500 error |
Cc: | Ruchir Harbhajanka | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
If the CSRF cookie contains invalid characters then CsrfViewMiddleware middleware raises a 500 internal server error at each request.
https://github.com/django/django/blob/main/django/middleware/csrf.py#L65 can't handle invalid characters and raises ValueError: substring not found exception.
Some clients like https://github.com/pjperez/httping send malformed CSRF cookie value. See the example:
"\"HpgYRzmZcUTBq8HW5Ms1ZpCcoKX2SLRa Max-Age=43200 Path=/ SameSite=Lax\\054stmpdid=zdfUYW3e0iLhc4_VfBHhoOGTidnz6mkYVU4yuvIx8ID9biwIrPVyFUdfcsbhZpZw0BteEJ7rXXZVKcaoshDtLe4 Max-Age=220752000 Path=/ SameSite=Lax\" Max-Age=43200 Path=/ SameSite=Lax\054stmpdid=OedsyDX-7s_guDKt1gZymYrTike8rzoZTmXpCeIMlGhPhR6LhfDh3Io3BlkdC3JoBuH4udHybYkC0LPy4_M9lpI Max-Age=220752000 Path=/ SameSite=Lax" Max-Age=43200 Path=/ SameSite=Lax,stmpdid=nj7BSEFLimv_-VSAxllXPYtBSiTNpeK3ht6lrc9hKS92EW0vE4zPuP5-R5NNbsDBkNB7seF6Q2i06rrU2mSVZIA Max-Age=220752000 Path=/ SameSite=Lax
I recommend returning a 400 response code instead of raising a 500 internal server error.
Change History (2)
comment:1 by , 21 months ago
Cc: | added |
---|
comment:2 by , 21 months ago
Resolution: | → needsinfo |
---|---|
Status: | new → closed |
CsrfViewMiddleware
already rejects tokens with invalid length or characters. Can you provide a small reproducible scenario?