hub / github.com/django/django / _check_referer

Method _check_referer

django/middleware/csrf.py:297–340  ·  view source on GitHub ↗
(self, request)

Source from the content-addressed store, hash-verified

295 )
296
def _check_referer(self, request):
    """
    Validate the Referer header of ``request`` as part of the CSRF check.

    Returns None when the Referer is acceptable and raises RejectRequest
    with one of the REASON_* messages otherwise. The checks run in a fixed
    order: header present, parseable, scheme and host non-empty, scheme is
    https, then host matching against the trusted origins and finally
    against the cookie domain or the request's own host.

    NOTE(review): the caller is not shown here. Because any non-https
    Referer is rejected below, this presumably runs only for requests
    served over HTTPS -- confirm in process_view.
    """
    referer = request.META.get("HTTP_REFERER")
    if referer is None:
        # A missing header is a rejection, not a pass: the check fails
        # closed when the client sends no Referer at all.
        raise RejectRequest(REASON_NO_REFERER)

    try:
        # From here on ``referer`` is the parsed URL, not the raw header.
        referer = urlsplit(referer)
    except ValueError:
        raise RejectRequest(REASON_MALFORMED_REFERER)

    # Make sure we have a valid URL for Referer.
    # Both a scheme and a host are required, so relative or scheme-less
    # values are rejected as malformed.
    if "" in (referer.scheme, referer.netloc):
        raise RejectRequest(REASON_MALFORMED_REFERER)

    # Ensure that our Referer is also secure.
    # Only an exact "https" scheme passes; everything else is rejected
    # before any host comparison happens.
    if referer.scheme != "https":
        raise RejectRequest(REASON_INSECURE_REFERER)

    # A match against any configured trusted-origin host accepts the
    # request immediately; the cookie-domain and host checks below are
    # skipped in that case.
    if any(
        is_same_domain(referer.netloc, host)
        for host in self.csrf_trusted_origins_hosts
    ):
        return
    # Allow matching the configured cookie domain.
    # The session cookie domain is used when CSRF tokens are stored in the
    # session, the CSRF cookie domain otherwise.
    # NOTE(review): is_same_domain() is defined elsewhere; in Django a
    # pattern starting with "." also matches subdomains, so a cookie
    # domain such as ".example.com" would accept a Referer from every
    # subdomain -- confirm against is_same_domain().
    good_referer = (
        settings.SESSION_COOKIE_DOMAIN
        if settings.CSRF_USE_SESSIONS
        else settings.CSRF_COOKIE_DOMAIN
    )
    if good_referer is None:
        # If no cookie domain is configured, allow matching the current
        # host:port exactly if it's permitted by ALLOWED_HOSTS.
        try:
            # request.get_host() includes the port.
            good_referer = request.get_host()
        except DisallowedHost:
            # A Host header that is not allowed cannot serve as the
            # reference value, so the request is rejected outright.
            # The reason embeds the client-supplied Referer URL; whatever
            # logs or renders it should treat it as untrusted text.
            raise RejectRequest(REASON_BAD_REFERER % referer.geturl())
    else:
        # A configured cookie domain carries no port, so the request's
        # port is appended unless it is "443" or "80" (compared as
        # strings).
        server_port = request.get_port()
        if server_port not in ("443", "80"):
            good_referer = "%s:%s" % (good_referer, server_port)

    # Final gate: the Referer's host[:port] must match the reference value
    # chosen above, otherwise the request is rejected.
    if not is_same_domain(referer.netloc, good_referer):
        raise RejectRequest(REASON_BAD_REFERER % referer.geturl())
341
342 def _bad_token_message(self, reason, token_source):
343 if token_source != "POST":

Callers 3

process_viewMethod · 0.95

Calls 5

is_same_domainFunction · 0.90
RejectRequestClass · 0.85
get_hostMethod · 0.80
get_portMethod · 0.80
getMethod · 0.45

Tested by 2