[Django] #26094: CSRF fails behind proxy


Django

Jan 18, 2016, 10:54:08 AM
to django-...@googlegroups.com
#26094: CSRF fails behind proxy
----------------------------+--------------------
Reporter: chemary | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 1.9
Severity: Normal | Keywords: csrf
Triage Stage: Unreviewed | Has patch: 1
Easy pickings: 1 | UI/UX: 0
----------------------------+--------------------
I use gunicorn behind nginx and a load balancer, CSRF fails since 1.9 (the
code was introduced here
https://github.com/django/django/commit/b0c56b895fd2694d7f5d4595bdbbc41916607f45)

The problem is that if settings.CSRF_COOKIE_DOMAIN is defined it uses
request.META['SERVER_PORT'] to check that the port is the same and fails
behind a proxy.

Using the request method get_port() takes this into account, and I find that
it is more correct than using the header directly.

Patch is on:
https://github.com/chemary/django/commit/081685242dac206783024e1834d1f178b5b8b9b9

--
Ticket URL: <https://code.djangoproject.com/ticket/26094>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
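
The port mismatch described in the report above, as an added example that is not part of the original thread and is not Django's own code: a simplified model of the referer check when CSRF_COOKIE_DOMAIN is set. The hostnames, ports, request data and the function names other than get_port() are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed values for illustration; not taken from the ticket.
CSRF_COOKIE_DOMAIN = ".example.com"
USE_X_FORWARDED_PORT = True
SAMPLE_META = {
    "SERVER_PORT": "8000",            # port gunicorn listens on behind the proxy
    "HTTP_X_FORWARDED_PORT": "443",   # port the browser connected to
    "HTTP_REFERER": "https://www.example.com/form/",
}


def get_port(meta):
    """Client-facing port: honour X-Forwarded-Port only when enabled."""
    if USE_X_FORWARDED_PORT and "HTTP_X_FORWARDED_PORT" in meta:
        return str(meta["HTTP_X_FORWARDED_PORT"])
    return str(meta["SERVER_PORT"])


def good_referer(port):
    """Expected Referer netloc; default ports are left implicit."""
    if port in ("443", "80"):
        return CSRF_COOKIE_DOMAIN
    return "%s:%s" % (CSRF_COOKIE_DOMAIN, port)


def same_domain(host, pattern):
    """A leading dot in pattern matches the domain and its subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def referer_ok(meta, use_get_port):
    """Referer check with the port read either way the report describes."""
    port = get_port(meta) if use_get_port else str(meta["SERVER_PORT"])
    netloc = urlparse(meta["HTTP_REFERER"]).netloc
    return same_domain(netloc, good_referer(port))


if __name__ == "__main__":
    print("SERVER_PORT:", referer_ok(SAMPLE_META, use_get_port=False))
    print("get_port():", referer_ok(SAMPLE_META, use_get_port=True))
```

Reading SERVER_PORT makes the expected referer `.example.com:8000`, so the legitimate HTTPS request is rejected, while get_port() yields 443 and the check passes. Enable USE_X_FORWARDED_PORT only when the proxy overwrites any client-supplied X-Forwarded-Port header.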

Django

Jan 19, 2016, 7:29:29 AM
to django-...@googlegroups.com
#26094: CSRF fails behind proxy (settings.USE_X_FORWARDED_PORT=True)
---------------------------------+------------------------------------
Reporter: chemary | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 1.9
Severity: Release blocker | Resolution:
Keywords: csrf | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by timgraham):

* severity: Normal => Release blocker
* needs_better_patch: => 1
* needs_tests: => 0
* easy: 1 => 0
* needs_docs: => 0
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/26094#comment:1>

Django

Jan 20, 2016, 5:30:55 PM
to django-...@googlegroups.com
#26094: CSRF fails behind proxy (settings.USE_X_FORWARDED_PORT=True)
---------------------------------+------------------------------------
Reporter: chemary | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 1.9
Severity: Release blocker | Resolution:
Keywords: csrf | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by timgraham):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/26094#comment:2>

Django

Jan 20, 2016, 6:23:56 PM
to django-...@googlegroups.com
#26094: CSRF fails behind proxy (settings.USE_X_FORWARDED_PORT=True)
---------------------------------+------------------------------------
Reporter: chemary | Owner: nobody
Type: Bug | Status: closed
Component: CSRF | Version: 1.9
Severity: Release blocker | Resolution: fixed
Keywords: csrf | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"2d28144c9519f4e4397c70f045c2b1d31437bf69" 2d28144c]:
{{{
#!CommitTicketReference repository=""
revision="2d28144c9519f4e4397c70f045c2b1d31437bf69"
Fixed #26094 -- Fixed CSRF behind a proxy
(settings.USE_X_FORWARDED_PORT=True).
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26094#comment:3>

Django

Jan 20, 2016, 6:27:19 PM
to django-...@googlegroups.com
#26094: CSRF fails behind proxy (settings.USE_X_FORWARDED_PORT=True)
---------------------------------+------------------------------------
Reporter: chemary | Owner: nobody
Type: Bug | Status: closed
Component: CSRF | Version: 1.9
Severity: Release blocker | Resolution: fixed
Keywords: csrf | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"076d4591108764695582ab272fdb7f348b4c161c" 076d459]:
{{{
#!CommitTicketReference repository=""
revision="076d4591108764695582ab272fdb7f348b4c161c"
[1.9.x] Fixed #26094 -- Fixed CSRF behind a proxy
(settings.USE_X_FORWARDED_PORT=True).

Backport of 2d28144c9519f4e4397c70f045c2b1d31437bf69 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26094#comment:4>
