CSRF token not validated?


Jens Diemer

Sep 12, 2011, 12:20:35 PM
to django-d...@googlegroups.com

I wonder why the CSRF token sent from the client isn't validated.

Don't know if a DoS attack is possible by sending many requests with very long
CSRF tokens?

IMHO it's a good idea to check the length before doing anything with it.

e.g.:
------------------------------------------------------------------------------
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index b5a8579..8e03635 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -72,7 +72,10 @@ def get_token(request):
def _sanitize_token(token):
# Allow only alphanum, and ensure we return a 'str' for the sake of the post
# processing middleware.
- token = re.sub('[^a-zA-Z0-9]', '', str(token.decode('ascii', 'ignore')))
+ if len(token) != 32:
+ token = ""
+ else:
+ token = re.sub('[^a-zA-Z0-9]', '', str(token.decode('ascii', 'ignore')))
if token == "":
# In case the cookie has been truncated to nothing at some point.
return _get_new_csrf_key()
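Review bot: the gate on the `+ if len(token) != 32:` line tests the raw token before the `re.sub` strips non-alphanumerics, so a 32-character value with punctuation in it passes the gate, comes out of the sub shorter than 32, and is then accepted as-is; keep the cheap raw-length test (that is what keeps oversized input away from the regex), but also verify the length after the sub, for example `if len(token) != 32: return _get_new_csrf_key()` placed after the `re.sub` line, or reject outright with a full match on `[a-zA-Z0-9]{32}`. The 32 is also a magic number that has to stay in sync with whatever `_get_new_csrf_key()` produces, so give it a name, and the "truncated to nothing" comment on the `if token == "":` branch now also covers wrong-length tokens and should say so.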
------------------------------------------------------------------------------


--

Regards,

Jens Diemer


----
http://www.jensdiemer.de
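The length check proposed above, and the ordering question it raises (gate on length first, then strip, or check both), as an added Python 3 example that is not code from this thread or from Django: `new_csrf_key`, `sanitize_length_first`, `sanitize_strict`, `compare_orderings` and the sample tokens are invented here, and the key length of 32 is assumed from the patch rather than taken from Django's generator.

```python
import re
import secrets
import string

# Assumed key length: the patch on this page hard-codes 32, and this
# example's own generator below produces keys of exactly that length.
CSRF_KEY_LENGTH = 32
_ALPHABET = string.ascii_letters + string.digits
_ALLOWED = frozenset(_ALPHABET)
_NON_ALNUM = re.compile(r"[^a-zA-Z0-9]")


def new_csrf_key():
    """Fresh random key; a stand-in for Django's _get_new_csrf_key()."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(CSRF_KEY_LENGTH))


def sanitize_length_first(token):
    """Ordering used by the proposed patch: gate on raw length, then strip.

    Returns the sanitized token, or None where the patch would fall through
    to issuing a fresh key. A 32-character token that contains
    non-alphanumerics passes the gate and comes back shorter than 32.
    """
    if len(token) != CSRF_KEY_LENGTH:
        return None
    cleaned = _NON_ALNUM.sub("", token)
    return cleaned or None


def sanitize_strict(token):
    """Accept only exactly CSRF_KEY_LENGTH characters from the allowed set.

    The length test still comes first, so an oversized token is rejected
    before any per-character work is done; the character test then
    guarantees the survivor keeps its full length, with no silent shrinking.
    """
    if len(token) != CSRF_KEY_LENGTH:
        return None
    if not _ALLOWED.issuperset(token):
        return None
    return token


def compare_orderings(token):
    """Return (length_first_result, strict_result) for one token."""
    return sanitize_length_first(token), sanitize_strict(token)


# Constructed sample tokens (not taken from the thread).
VALID = "a" * 32
PUNCTUATED = "a" * 31 + "!"      # 32 chars, only 31 of them allowed
OVERSIZED = "b" * 1_000_000      # the kind of input a DoS probe would send
```

`compare_orderings(PUNCTUATED)` is the interesting case: the patch's ordering returns a 31-character token, the strict variant returns None. Both variants reject `OVERSIZED` without ever running the regex over it, which is the DoS concern the thread raises.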

Carl Meyer

Sep 12, 2011, 4:32:52 PM
to django-d...@googlegroups.com

Hi Jens,

On 09/12/2011 10:20 AM, Jens Diemer wrote:
>
> I wonder why the CSRF token sent from the client isn't validated.

Well, it is sanitized to only alphanumeric characters, but you're right
that the length is never checked.

> Don't know if a DoS attack is possible by sending many requests with very
> long CSRF tokens?
>
> IMHO it's a good idea to check the length before doing anything with it.

Sanity-checking the length sounds reasonable to me - do you mind opening
a ticket for this and attaching your patch?

Thanks,

Carl

Andre Terra

Sep 12, 2011, 4:49:41 PM
to django-d...@googlegroups.com
One-liner:

re.sub('[^a-zA-Z0-9]', '', str(token.decode('ascii', 'ignore'))) if (len(token) == 32) else ''


Cheers,
AT


--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-d...@googlegroups.com.
To unsubscribe from this group, send email to django-develop...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.


Babatunde Akinyanmi

Sep 12, 2011, 5:00:33 PM
to django-d...@googlegroups.com
+1


Jens Diemer

Sep 13, 2011, 3:09:22 AM
to django-d...@googlegroups.com
On 12.09.2011 22:32, Carl Meyer wrote:
> Sanity-checking the length sounds reasonable to me - do you mind opening
> a ticket for this and attaching your patch?

Done ;)

Ticket:
https://code.djangoproject.com/ticket/16827

Patch:
https://github.com/django/django/pull/45
