Fixed #35328 - Improved debug messaging behind proxies. #18014
+231
−31
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0df060c to
95759af
Compare
ryanhiebert
commented
Mar 25, 2024
ryanhiebert
commented
Mar 25, 2024
ryanhiebert
commented
Mar 25, 2024
d857f02 to
d7f6022
Compare
sarahboyce
reviewed
Apr 25, 2024
adamchainz
reviewed
Apr 26, 2024
There was a problem hiding this comment.
Thank you for your work here @ryanhiebert ! I have some comments with small improvements.
|
Lint error: Set up pre-commit for yourself: https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/coding-style/#pre-commit-checks |
adamchainz
suggested changes
May 20, 2024
c6805e2 to
6e3a65e
Compare
sarahboyce
reviewed
May 22, 2024
755cbb3 to
dc5ce91
Compare
sarahboyce
reviewed
May 24, 2024
django/views/templates/csrf_403.html
Outdated
Comment on lines
+48
to
+51
There was a problem hiding this comment.
Suggested change
| <p>The <code>Origin</code> header does not match | |
| the expected server origin, | |
| but common proxy headers are present in the request | |
| and may include parts of the <code>Origin</code> header.</p> | |
| <p>The <code>Origin</code> header does not match the expected server origin, | |
| but common proxy headers are present in the request and may include parts of | |
| the <code>Origin</code> header.</p> |
This file is roughly wrapped at 80 characters so let's apply similar wrapping here
django/views/templates/csrf_403.html
Outdated
Comment on lines
+58
to
+66
There was a problem hiding this comment.
Maybe?
Suggested change
| <p>If you’re sure that you are only running behind a secure proxy | |
| that always set these headers to avoid spoofing as described in | |
| <a href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/settings/#secure-proxy-ssl-header">this warning in the docs</a>, | |
| you may wish to add one or more of the following | |
| settings to permit Django to trust these headers.</p> | |
| <p><pre> | |
| SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") | |
| USE_X_FORWARDED_HOST = True | |
| </pre></p> | |
| <p>If you are running behind a secure proxy that sets these headers, you may | |
| want to add one or more of the following settings to permit Django to trust | |
| these headers.</p> | |
| <p><pre> | |
| SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") | |
| USE_X_FORWARDED_HOST = True | |
| </pre> | |
| Modifying these setting can compromise your site’s security. Ensure you fully | |
| understand your setup before changing it. See <a href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/settings/#secure-proxy-ssl-header"><code>SECURE_PROXY_SSL_HEADER</code></a> | |
| for more details.</p> |
django/views/templates/csrf_403.html
Outdated
Comment on lines
+68
to
+70
There was a problem hiding this comment.
Suggested change
| If the expected server origin looks correct, | |
| you may wish to add the origin to the <code>CSRF_TRUSTED_ORIGINS</code> | |
| setting. | |
| If the expected server origin looks correct, you may wish to add the origin | |
| to the <code>CSRF_TRUSTED_ORIGINS</code> setting. |
(wrapping nit)
django/views/csrf.py
Outdated
Comment on lines
+64
to
+73
There was a problem hiding this comment.
Suggested change
| "bad_origin": reason.startswith("Origin checking failed"), | |
| "forwarded_may_fix": ( | |
| request.headers.get("X-Forwarded-Proto", "") == "https" | |
| and not request.is_secure() | |
| or request.headers.get("Origin", "").endswith( | |
| f'://{request.headers.get("X-Forwarded-Host", "")}' | |
| ) | |
| ), | |
| "x_forwarded_proto": request.headers.get("X-Forwarded-Proto"), | |
| "x_forwarded_host": request.headers.get("X-Forwarded-Host"), | |
| "bad_origin": True, | |
| "forwarded_may_fix": ( | |
| request.headers.get("X-Forwarded-Proto", "") == "https" | |
| or request.headers.get("Origin", "").endswith( | |
| f'://{request.headers.get("X-Forwarded-Host", "")}' | |
| ) | |
| ), | |
| "x_forwarded_proto": None, | |
| "x_forwarded_host": None, |
Thank you for the updates @ryanhiebert ⭐
There are a couple of things I think we should still add tests/assert for. If I make the above changes, nothing fails. These changes are:
bad_originalwaysTrueand not request.is_secure()is removed from"forwarded_may_fix"- can we also assert the values of
x_forwarded_protoandx_forwarded_hostrendering in the template?
docs/releases/5.1.txt
Outdated
Comment on lines
+193
to
+235
There was a problem hiding this comment.
Suggested change
| * The error messaging is improved when ``Origin`` checking fails, | |
| including better hints when likely proxy headers are detected. | |
| * The ``'403_csrf.html'`` template now has improved messaging when ``Origin`` | |
| checking fails, including better hints when likely proxy headers are detected. |
Docs are wrapped at 80 characters and we will now need to rebase and move this to the 5.2 release notes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Trac ticket number
ticket-35328
Branch description
When in debug mode, we can make some better error messaging when the
Originheader checking fails. In common scenarios, we can notice that they are likely missing headers from proxies. In any case, we can remove the verbose messaging around CSRF Tokens, which are not the way they have failed and are unhelpful to solving the error they are viewing.Checklist
mainbranch.