#34465: Handle malformed CSRF cookie
--------------------------------------+---------------------------------
Reporter: tresko | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 4.1
Severity: Normal | Keywords: csrf, 500 error
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------+---------------------------------
If the CSRF cookie contains invalid characters, then **CsrfViewMiddleware**
raises a 500 internal server error on each request.
https://github.com/django/django/blob/main/django/middleware/csrf.py#L65
can't handle invalid characters and raises a **ValueError: substring not
found** exception.
Some clients like https://github.com/pjperez/httping send a malformed CSRF
cookie value. See the example:
{{{
"\"HpgYRzmZcUTBq8HW5Ms1ZpCcoKX2SLRa Max-Age=43200 Path=/
SameSite=Lax\\054stmpdid=zdfUYW3e0iLhc4_VfBHhoOGTidnz6mkYVU4yuvIx8ID9biwIrPVyFUdfcsbhZpZw0BteEJ7rXXZVKcaoshDtLe4
Max-Age=220752000 Path=/ SameSite=Lax\" Max-Age=43200 Path=/
SameSite=Lax\054stmpdid=OedsyDX-
7s_guDKt1gZymYrTike8rzoZTmXpCeIMlGhPhR6LhfDh3Io3BlkdC3JoBuH4udHybYkC0LPy4_M9lpI
Max-Age=220752000 Path=/ SameSite=Lax" Max-Age=43200 Path=/
SameSite=Lax,stmpdid=nj7BSEFLimv_-
VSAxllXPYtBSiTNpeK3ht6lrc9hKS92EW0vE4zPuP5-R5NNbsDBkNB7seF6Q2i06rrU2mSVZIA
Max-Age=220752000 Path=/ SameSite=Lax
}}}
I recommend returning a 400 response code instead of raising a 500
internal server error.
--
Ticket URL: <https://code.djangoproject.com/ticket/34465>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107018756b93efe-a3eca85e-3e7e-49c1-8a70-b0f04448817f-000000%40eu-central-1.amazonses.com.
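Added illustration of the failure mode in the ticket, written for this page and not taken from Django. It re-implements the Django 4.x CSRF value layout as an assumption (a 32-character secret drawn from [a-zA-Z0-9], masked into a 64-character token by adding a random mask position-wise modulo the alphabet size), shows that a cookie value with characters outside that alphabet makes the mask/unmask loop's `str.index()` call raise `ValueError: substring not found`, and puts a format check in front of it so a malformed cookie is treated like a missing one and replaced instead of turning into a 500. All function names are the example's own, and the malformed cookie value is a constructed, shortened copy of the shape reported above.

```python
import re
import secrets
import string

# Layout of Django 4.x CSRF values, reproduced for this example (assumption:
# a re-implementation, not Django's own csrf module).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32                      # length of the unmasked secret
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH   # mask followed by cipher text
INVALID_TOKEN_CHARS_RE = re.compile(r"[^a-zA-Z0-9]")

# Constructed cookie value in the shape of the one in the ticket (shortened).
MALFORMED_COOKIE = (
    '"HpgYRzmZcUTBq8HW5Ms1ZpCcoKX2SLRa Max-Age=43200 Path=/ '
    'SameSite=Lax\\054stmpdid=zdfUYW3e0iLhc4_VfBHhoOGTidnz6mkYVU4yuvIx8ID9biw'
)


class InvalidTokenFormat(Exception):
    """Cookie value is neither a well-formed secret nor a well-formed token."""


def new_secret():
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS)
                   for _ in range(CSRF_SECRET_LENGTH))


def mask_cipher_secret(secret, mask=None):
    """Mask a secret into a token: mask || (secret + mask) mod |alphabet|.

    str.index() raises ValueError('substring not found') for any character
    of `secret` outside CSRF_ALLOWED_CHARS; that is the 500 from the ticket.
    """
    mask = mask or new_secret()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    return mask + "".join(chars[(x + y) % len(chars)] for x, y in pairs)


def unmask_cipher_token(token):
    """Inverse of mask_cipher_secret; a negative index wraps around."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in cipher), (chars.index(x) for x in mask))
    return "".join(chars[x - y] for x, y in pairs)


def unsafe_token_from_cookie(cookie_value):
    """'Before': trust whatever the cookie holds and mask it for the page."""
    if len(cookie_value) == CSRF_TOKEN_LENGTH:
        cookie_value = unmask_cipher_token(cookie_value)
    return mask_cipher_secret(cookie_value)


def unsafe_failure(cookie_value):
    """Return the message the unsafe path dies with, or None if it survives."""
    try:
        unsafe_token_from_cookie(cookie_value)
    except ValueError as exc:
        return str(exc)
    return None


def check_token_format(value):
    """Reject anything that is not exactly a secret or a masked token."""
    if len(value) not in (CSRF_SECRET_LENGTH, CSRF_TOKEN_LENGTH):
        raise InvalidTokenFormat("incorrect length")
    if INVALID_TOKEN_CHARS_RE.search(value):
        raise InvalidTokenFormat("invalid characters")


def secret_from_cookie(cookie_value):
    """'After': validate before any chars.index() call. A malformed cookie is
    reported as None so the caller treats it like a missing cookie."""
    try:
        check_token_format(cookie_value)
    except InvalidTokenFormat:
        return None
    if len(cookie_value) == CSRF_TOKEN_LENGTH:
        return unmask_cipher_token(cookie_value)
    return cookie_value


def token_for_request(cookie_value):
    """Return (masked_token, rotated); rotated is True when the cookie was
    missing or malformed and a fresh secret had to be issued."""
    secret = None if cookie_value is None else secret_from_cookie(cookie_value)
    if secret is None:
        return mask_cipher_secret(new_secret()), True
    return mask_cipher_secret(secret), False


if __name__ == "__main__":
    print("unsafe path on malformed cookie:", unsafe_failure(MALFORMED_COOKIE))
    token, rotated = token_for_request(MALFORMED_COOKIE)
    print("guarded path issued a fresh token:", rotated, len(token))
```

Rejecting on length and alphabet before touching `str.index()` is the whole fix: any cookie the browser or a broken client can send is then either a valid secret, a valid token, or silently replaced, and no request path ends in an unhandled ValueError.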