authorTomer Chachamu <tomer.chachamu@google.com>2017-10-22 00:56:01 +0100
committerTim Graham <timograham@gmail.com>2018-02-14 20:24:01 -0500
commit7ec0fdf62afd565dd9a888300e7e33d0bf3e5fd5 (patch)
treeb8db07bcb85975f9ff36c3098d02d2ff85bcb83a /tests/csrf_tests/tests.py
parentff5517988adec04d364521fdaf4a36a3f88942ef (diff)
Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host.
Diffstat (limited to 'tests/csrf_tests/tests.py')
-rw-r--r--tests/csrf_tests/tests.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 7c1e62c504..8a9c509f4c 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -294,6 +294,19 @@ class CsrfViewMiddlewareTestMixin:
status_code=403,
)
+ def test_https_malformed_host(self):
+ """
+ CsrfViewMiddleware generates a 403 response if it receives an HTTPS
+ request with a bad host.
+ """
+ req = self._get_GET_no_csrf_cookie_request()
+ req._is_secure_override = True
+ req.META['HTTP_HOST'] = '@malformed'
+ req.META['HTTP_REFERER'] = 'https://www.evil.org/somepage'
+ req.META['SERVER_PORT'] = '443'
+ response = self.mw.process_view(req, token_view, (), {})
+ self.assertEqual(response.status_code, 403)
+
@override_settings(DEBUG=True)
def test_https_malformed_referer(self):
"""
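Review bot: The final assertion in `test_https_malformed_host`, `self.assertEqual(response.status_code, 403)`, checks only the status code, so it does not pin which check rejected the request. The request is built by `_get_GET_no_csrf_cookie_request()`, which by its name carries no CSRF cookie, so a 403 could presumably also come from a later cookie or token check even if the referer comparison were skipped for the unparseable host. I would decorate the test with `@override_settings(DEBUG=True)`, as the following test does, and assert on the rejection reason, e.g. `self.assertContains(response, <referer-failure reason>, status_code=403)`, where the placeholder is the middleware's referer-mismatch message. That would show the middleware fails closed in the referer check itself rather than merely not crashing.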