[Django] #23800: Middleware CSRF validation is unclear for PUT and DELETE


Django, Nov 11, 2014, 11:04:12 AM, to django-...@googlegroups.com
#23800: Middleware CSRF validation is unclear for PUT and DELETE
------------------------------+--------------------
Reporter: MarkLC | Owner: nobody
Type: Bug | Status: new
Component: contrib.csrf | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------
This may be a duplication of https://code.djangoproject.com/ticket/23040,
depending on whether it's a bug or just that some of the comments in
middleware/csrf.py are a bit unclear.

To reproduce this bug, make a PUT or DELETE request to an endpoint on which
you are using the csrf_exempt decorator (in my use-case it's not from the
browser but from a component using its own Basic Auth with Django) and you
will get a 403.

This is due to code at line 161 of the process_view function in
middleware/csrf.py, which checks if the cookie is missing and if so
rejects the request. The comments say that it is for POST requests only,
so I'm unsure whether the intention was for PUT and DELETE to fall under
that category, in which case I can add a patch to make the comments
explicitly mention PUT and DELETE. Otherwise I will add a patch so that
PUT and DELETE are allowed through to the view, which is only a few lines.

Can anyone clarify for me whether it is by intention that PUT and DELETE
also fail here if they don't have a CSRF cookie set?

Thanks

--
Ticket URL: <https://code.djangoproject.com/ticket/23800>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django, Nov 18, 2014, 5:26:31 AM, to django-...@googlegroups.com
#23800: Middleware CSRF validation is unclear for PUT and DELETE
------------------------------+--------------------------------------
Reporter: MarkLC | Owner: nobody
Type: Bug | Status: closed
Component: contrib.csrf | Version: master
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by tricoder42):

* status: new => closed
* needs_better_patch: => 0
* resolution: => invalid
* needs_tests: => 0
* needs_docs: => 0


Comment:

During a `POST` request, the CSRF token is taken from `request.POST`; all
other "unsafe" methods (`PUT`, `PATCH`, `DELETE`) should set the
`X-CSRFToken` header as described in the
[https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/#ajax documentation].

--
Ticket URL: <https://code.djangoproject.com/ticket/23800#comment:1>
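The behaviour the closing comment describes, as an added example that is not part of the ticket thread and is not Django's own middleware code: a simplified Python model of the process_view check, written here to show why a PUT or DELETE without a CSRF cookie is rejected and why the fix on the client side is to send the cookie value back in the `X-CSRFToken` header. The `Request` class, `check_csrf`, `demo` and the rejection strings are constructed for this model; Django's real middleware additionally performs a Referer check on HTTPS requests, which is left out here.

```python
import hmac
import secrets

# Methods Django's middleware never checks (RFC 7231 "safe" methods).
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
CSRF_COOKIE_NAME = "csrftoken"  # Django's default cookie name

# Rejection reasons, constructed for this model (not Django's own strings).
REASON_NO_CSRF_COOKIE = "CSRF cookie not set"
REASON_BAD_TOKEN = "CSRF token missing or incorrect"


class Request:
    """Constructed stand-in for an HTTP request: method, cookies, form body, headers."""

    def __init__(self, method, cookies=None, post=None, headers=None):
        self.method = method.upper()
        self.COOKIES = dict(cookies or {})
        self.POST = dict(post or {})
        # Django reads the X-CSRFToken header as META['HTTP_X_CSRFTOKEN'];
        # this model keys headers by their lower-cased HTTP names instead.
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}


def check_csrf(request, view_is_exempt=False):
    """Return (status, reason): 200 if the request may reach the view, else 403.

    Mirrors the order of the checks in Django 1.7's process_view, simplified:
    an empty cookie is treated the same as a missing one.
    """
    cookie_token = request.COOKIES.get(CSRF_COOKIE_NAME) or None

    # A view decorated with csrf_exempt skips the check entirely.
    if view_is_exempt:
        return 200, None

    if request.method in SAFE_METHODS:
        return 200, None

    # Every unsafe method (POST, PUT, PATCH, DELETE, ...) needs the cookie,
    # even though the original comment only mentions POST.
    if cookie_token is None:
        return 403, REASON_NO_CSRF_COOKIE

    # POST may carry the token as a form field; every other unsafe method,
    # and a POST without the field, must send it in the X-CSRFToken header.
    request_token = ""
    if request.method == "POST":
        request_token = request.POST.get("csrfmiddlewaretoken", "")
    if request_token == "":
        request_token = request.headers.get("x-csrftoken", "")

    # Constant-time comparison, as Django uses, so the check leaks no timing.
    if not hmac.compare_digest(request_token, cookie_token):
        return 403, REASON_BAD_TOKEN
    return 200, None


def demo():
    """Run a constructed set of requests through the check and return the results."""
    token = secrets.token_hex(16)  # constructed session token for the examples
    cookie = {CSRF_COOKIE_NAME: token}
    cases = {
        "GET, no cookie": Request("GET"),
        "DELETE, no cookie": Request("DELETE"),
        "DELETE, cookie but no header": Request("DELETE", cookies=cookie),
        "DELETE, cookie + X-CSRFToken": Request(
            "DELETE", cookies=cookie, headers={"X-CSRFToken": token}),
        "PUT, cookie + stale header": Request(
            "PUT", cookies=cookie, headers={"X-CSRFToken": "0" * 32}),
        "POST, cookie + form field": Request(
            "POST", cookies=cookie, post={"csrfmiddlewaretoken": token}),
    }
    return {name: check_csrf(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (status, reason) in demo().items():
        print(f"{status}  {name}" + (f"  ({reason})" if reason else ""))
```

The point for anyone debugging a 403 from a non-browser client: the "no CSRF cookie" rejection is evaluated before the token lookup and applies to every unsafe method, so a DELETE that never received the cookie fails at that step regardless of headers; a client that has the cookie must echo its value in `X-CSRFToken` (or use a view that is genuinely csrf_exempt).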
