[Django] #33523: remove dangerous text from translated message about csrf error


Django

Feb 18, 2022, 8:12:12 AM2/18/22
to django-...@googlegroups.com
#33523: remove dangerous text from translated message about csrf error
-------------------------------------+-------------------------------------
Reporter: Maxim Danilov | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 4.0
Severity: Normal | Keywords: csrf error message
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-------------------------------------+-------------------------------------
In django\views\csrf.py, the function csrf_failure defines an error dictionary "c"
(error_name: error_description).

The item with key 'no_referer3' has the text:
'If you are using the <meta name="referrer" content=\"no-referrer\"> tag
or including the “Referrer-Policy: no-referrer” header, please remove
them. The CSRF protection requires the “Referer” header to do strict
referer checking. If you’re concerned about privacy, use alternatives like
<a rel=\"noreferrer\" …> for links to third-party sites.'

If I put this message simply in <html><head><title> {{ c.no_referer3 }}
</title>, it breaks the browser's work.
The browsers take <meta name="referrer" content=\"no-referrer\"> as a
normal meta tag (Chrome and Firefox).

This text "out of the box" has no escaped symbols and therefore it is
dangerous. Of course, I can change it with translations.

--
Ticket URL: <https://code.djangoproject.com/ticket/33523>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 18, 2022, 2:26:40 PM2/18/22
to django-...@googlegroups.com
#33523: remove dangerous text from translated message about csrf error
------------------------------------+--------------------------------------
Reporter: Maxim Danilov | Owner: nobody
Type: Bug | Status: closed
Component: CSRF | Version: 4.0
Severity: Normal | Resolution: invalid
Keywords: csrf error message | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => invalid


Comment:

Thanks for this report; however, I cannot imagine how that could be
dangerous 🤔. As far as I understand, you have a custom template for CSRF
failure and you put `no_referer3` in the `<head>` HTML tag; even so, it's
not marked as safe and will not be interpreted by a browser.

--
Ticket URL: <https://code.djangoproject.com/ticket/33523#comment:1>
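A way to check the point made in the comment, added here as an example and not part of the ticket or of Django's own code: the `no_referer3` text is HTML-escaped by Django's template autoescaping unless a template marks it `|safe`, so a browser sees it as text rather than as a `<meta>` tag. The block below stands in for the template engine with `html.escape` (which escapes the same characters as Django's autoescape) and uses the stdlib HTML parser to show which start tags a parser would actually see in each case; the message text is a constructed copy of the one quoted in the report, and it is placed in a `<p>` rather than in `<title>` only so the parser result does not depend on Python version.

```python
import html
from html.parser import HTMLParser

# Constructed copy of the no_referer3 message quoted in the ticket.
NO_REFERER3 = (
    'If you are using the <meta name="referrer" content="no-referrer"> tag '
    'or including the "Referrer-Policy: no-referrer" header, please remove '
    'them. The CSRF protection requires the "Referer" header to do strict '
    'referer checking. If you are concerned about privacy, use alternatives '
    'like <a rel="noreferrer" ...> for links to third-party sites.'
)


def render_page(message: str, autoescape: bool = True) -> str:
    """Stand-in for a CSRF failure template that interpolates the message.

    autoescape=True mirrors Django's default for {{ c.no_referer3 }}: the
    value is HTML-escaped.  autoescape=False mirrors {{ c.no_referer3|safe }},
    i.e. the raw string is inserted verbatim.
    """
    body = html.escape(message, quote=True) if autoescape else message
    return f"<html><head><title>Forbidden</title></head><body><p>{body}</p></body></html>"


class TagCollector(HTMLParser):
    """Records every start tag the parser encounters, as a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def start_tags(document: str) -> list[str]:
    """Return the start tags a parser sees in the rendered document."""
    parser = TagCollector()
    parser.feed(document)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print("autoescaped:", start_tags(render_page(NO_REFERER3)))
    print("marked safe:", start_tags(render_page(NO_REFERER3, autoescape=False)))
```

With autoescaping the only tags seen are the template's own (`html`, `head`, `title`, `body`, `p`); only the `|safe` rendering produces `meta` and `a` start tags from the message text.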
