[Django] #34465: Handle malformed CSRF cookie


Django

Apr 6, 2023, 9:19:56 AM
to django-...@googlegroups.com
#34465: Handle malformed CSRF cookie
--------------------------------------+---------------------------------
Reporter: tresko | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 4.1
Severity: Normal | Keywords: csrf, 500 error
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------+---------------------------------
If the CSRF cookie contains invalid characters then the **CsrfViewMiddleware**
middleware raises a 500 internal server error on each request.

https://github.com/django/django/blob/main/django/middleware/csrf.py#L65
can't handle invalid characters and raises a **ValueError: substring not
found** exception.

Some clients like https://github.com/pjperez/httping send a malformed CSRF
cookie value. See the example:
{{{
"\"HpgYRzmZcUTBq8HW5Ms1ZpCcoKX2SLRa Max-Age=43200 Path=/
SameSite=Lax\\054stmpdid=zdfUYW3e0iLhc4_VfBHhoOGTidnz6mkYVU4yuvIx8ID9biwIrPVyFUdfcsbhZpZw0BteEJ7rXXZVKcaoshDtLe4
Max-Age=220752000 Path=/ SameSite=Lax\" Max-Age=43200 Path=/
SameSite=Lax\054stmpdid=OedsyDX-
7s_guDKt1gZymYrTike8rzoZTmXpCeIMlGhPhR6LhfDh3Io3BlkdC3JoBuH4udHybYkC0LPy4_M9lpI
Max-Age=220752000 Path=/ SameSite=Lax" Max-Age=43200 Path=/
SameSite=Lax,stmpdid=nj7BSEFLimv_-
VSAxllXPYtBSiTNpeK3ht6lrc9hKS92EW0vE4zPuP5-R5NNbsDBkNB7seF6Q2i06rrU2mSVZIA
Max-Age=220752000 Path=/ SameSite=Lax
}}}

I recommend returning a 400 response code instead of raising a 500
internal server error.

--
Ticket URL: <https://code.djangoproject.com/ticket/34465>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Apr 7, 2023, 12:02:56 AM
to django-...@googlegroups.com
#34465: Handle malformed CSRF cookie
---------------------------------+--------------------------------------
Reporter: Miha Sedej | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 4.1
Severity: Normal | Resolution:
Keywords: csrf, 500 error | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------
Changes (by Ruchir Harbhajanka):

* cc: Ruchir Harbhajanka (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/34465#comment:1>

Django

Apr 7, 2023, 4:03:02 AM
to django-...@googlegroups.com
#34465: Handle malformed CSRF cookie
---------------------------------+--------------------------------------
Reporter: Miha Sedej | Owner: nobody
Type: Bug | Status: closed
Component: CSRF | Version: 4.1
Severity: Normal | Resolution: needsinfo
Keywords: csrf, 500 error | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => needsinfo


Comment:

`CsrfViewMiddleware` already
[https://github.com/django/django/blob/73cbb372baa45d1fdafd571e2f430a980831f722/django/middleware/csrf.py#L129-L139
rejects] tokens with invalid length or characters. Can you provide a small
reproducible scenario?

--
Ticket URL: <https://code.djangoproject.com/ticket/34465#comment:2>
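The two messages above disagree about where the malformed value is handled: the report points at the unmasking step in csrf.py (where `str.index` raises "ValueError: substring not found"), and the maintainer points at the length and character check that runs before it. The following is an added, stand-alone reimplementation of both steps, written for this page and not taken from Django or from either poster; the constants (32-character secret, 64-character masked token, alphabet of ASCII letters and digits, the two rejection reasons) mirror django/middleware/csrf.py, while the function names `check_token_format`, `mask_cipher_secret`, `unmask_cipher_token`, `classify_cookie` and `unmask_without_check` are this example's own. The malformed input is constructed from the first characters of the cookie value quoted in the ticket.

```python
import re
import secrets
import string
from typing import Optional

# Constants mirroring django/middleware/csrf.py (Django 4.1 / 4.2). Everything
# else in this file is an added reimplementation, not Django's code.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
REASON_INCORRECT_LENGTH = "has incorrect length"
REASON_INVALID_CHARACTERS = "has invalid characters"

_invalid_token_chars_re = re.compile("[^a-zA-Z0-9]")


class InvalidTokenFormat(Exception):
    """Raised by check_token_format. A middleware that catches this can issue a
    fresh cookie or answer 403; the point is that it is never a 500."""


def check_token_format(token: str) -> None:
    """The two checks from the maintainer's linked _check_token_format, in the
    same order: length first, then the character set."""
    if len(token) not in (CSRF_TOKEN_LENGTH, CSRF_SECRET_LENGTH):
        raise InvalidTokenFormat(REASON_INCORRECT_LENGTH)
    if _invalid_token_chars_re.search(token):
        raise InvalidTokenFormat(REASON_INVALID_CHARACTERS)


def mask_cipher_secret(secret: str, mask: Optional[str] = None) -> str:
    """Masked token = mask + (secret + mask) mod |alphabet|, character-wise.
    A fixed mask may be passed so the result is reproducible."""
    if mask is None:
        mask = "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def unmask_cipher_token(token: str) -> str:
    """Inverse of mask_cipher_secret. str.index on a character outside the
    alphabet raises 'ValueError: substring not found', the exception quoted in
    the ticket, so this must only ever see a value that passed the check."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in cipher), (chars.index(x) for x in mask))
    # Negative indices wrap in Python, so x - y is subtraction mod len(chars).
    return "".join(chars[x - y] for x, y in pairs)


def classify_cookie(cookie_value: str) -> str:
    """Django's order of operations on a raw cookie value: validate first,
    unmask only if the value is a 64-character masked token."""
    try:
        check_token_format(cookie_value)
    except InvalidTokenFormat as exc:
        return f"rejected: token {exc}"
    if len(cookie_value) == CSRF_TOKEN_LENGTH:
        return f"accepted: secret {unmask_cipher_token(cookie_value)}"
    return f"accepted: secret {cookie_value}"


def unmask_without_check(cookie_value: str) -> str:
    """The failure mode the reporter describes: unmasking an unvalidated value.
    The exception text is returned instead of raised so the two paths compare."""
    try:
        return unmask_cipher_token(cookie_value)
    except ValueError as exc:
        return f"ValueError: {exc}"


# Constructed inputs. GOOD_TOKEN is a well-formed masked token with a fixed
# mask; MALFORMED is the start of the value quoted in the ticket (Set-Cookie
# attributes leaked into the cookie value, so it contains '"', ' ', '=', '/').
GOOD_SECRET = "a" * 16 + "B" * 16
GOOD_TOKEN = mask_cipher_secret(GOOD_SECRET, mask="0" * CSRF_SECRET_LENGTH)
MALFORMED = '"HpgYRzmZcUTBq8HW5Ms1ZpCcoKX2SLRa Max-Age=43200 Path=/ SameSite=Lax'
QUOTED_64 = '"' + "A" * 62 + '"'  # right length, wrong characters

if __name__ == "__main__":
    for value in (GOOD_TOKEN, MALFORMED, QUOTED_64):
        print(classify_cookie(value))
    print(unmask_without_check(MALFORMED))
```

`classify_cookie` turns the ticket's value into `rejected: token has incorrect length` and the quoted 64-character value into `rejected: token has invalid characters`, while `unmask_without_check` reproduces the `ValueError: substring not found` from the report. A reproduction that answers comment 2 would therefore need to show a code path that reaches the unmasking step with a cookie value that never went through the format check.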
