Re: [Django] #32800: CsrfViewMiddleware unnecessarily masks CSRF cookie

Tue, 01 Jun 2021 00:27:13 -0700 

#32800: CsrfViewMiddleware unnecessarily masks CSRF cookie
-------------------------------------+-------------------------------------
     Reporter:  Chris Jerdonek       |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  CSRF                 |                  Version:  dev
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Chris Jerdonek):

 Thanks for your comment! I'm pretty sure that scenario is already handled
 by the current code (I'm just not 100% sure if there are tests for it).
 For example, you can see
 
[https://github.com/django/django/blob/c609d5149c9295207cd7b2e8154e7b80a18d834a/django/middleware/csrf.py#L405-L409
 in the code] that `_sanitize_token()` is called on the (non-cookie) CSRF
 token, and `_sanitize_token()`
 
[https://github.com/django/django/blob/c609d5149c9295207cd7b2e8154e7b80a18d834a/django/middleware/csrf.py#L127-L134
 has special logic] to mask the cookie before returning it if it was passed
 the short version of length `CSRF_SECRET_LENGTH`. (However, my preference
 is to put that logic in `_compare_masked_tokens()` so that we're not
 relying on any assumptions on the arguments passed to
 `_compare_masked_tokens()` like we currently are.). Note also that the
 code currently has backwards-compat logic to accept ''cookies'' that
 aren't masked (via the same call to `_sanitize_token()`.)

 FWIW, I did prepare a patch privately and saw no problems, and on the
 whole it seems slightly simpler. I even have a comment addressing the
 point you make:

 {{{#!python
 # Fall back to X-CSRFToken, to make things easier for AJAX, and
 # possible for PUT/DELETE.
 try:
     # This can have length CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH,
     # depending on whether the client obtained the token from
     # the DOM or the cookie (and whether the cookie was masked
     # or unmasked).
     request_csrf_token = request.META[settings.CSRF_HEADER_NAME]
 except KeyError:
     return self._reject(request, REASON_CSRF_TOKEN_MISSING)
 }}}

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32800#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.cdd5c9cd23cda96242d783a9885e81a1%40djangoproject.com.

Reply via email to