| 295 | ) |
| 296 | |
def _check_referer(self, request):
    """Reject the request unless its Referer header names an https origin we trust.

    The header must be present, parse as a URL, carry both a scheme and a
    netloc, and use the ``https`` scheme. Its netloc is then accepted if it
    matches one of ``self.csrf_trusted_origins_hosts``; otherwise it must
    match the configured cookie domain (``SESSION_COOKIE_DOMAIN`` when
    ``CSRF_USE_SESSIONS`` is on, else ``CSRF_COOKIE_DOMAIN``), with the
    request's non-default port appended. When no cookie domain is configured
    the request's own host (``request.get_host()``, which already includes
    the port and enforces ``ALLOWED_HOSTS``) is used instead.

    Args:
        request: the incoming request; only ``META["HTTP_REFERER"]``,
            ``get_host()`` and ``get_port()`` are consulted.

    Raises:
        RejectRequest: with the matching ``REASON_*`` message when the
            referer is missing, malformed, not https, or not an allowed host.
    """
    raw_referer = request.META.get("HTTP_REFERER")
    if raw_referer is None:
        raise RejectRequest(REASON_NO_REFERER)

    try:
        parsed = urlsplit(raw_referer)
    except ValueError:
        raise RejectRequest(REASON_MALFORMED_REFERER)

    # A usable referer needs both a scheme and a host component.
    if not parsed.scheme or not parsed.netloc:
        raise RejectRequest(REASON_MALFORMED_REFERER)

    # A non-https referer would be a downgrade relative to the secure
    # request being checked; refuse it outright.
    if parsed.scheme != "https":
        raise RejectRequest(REASON_INSECURE_REFERER)

    referer_host = parsed.netloc
    for trusted_host in self.csrf_trusted_origins_hosts:
        if is_same_domain(referer_host, trusted_host):
            return

    # Not a trusted origin: fall back to the cookie domain. NOTE(review): a
    # leading-dot cookie domain presumably admits every subdomain here
    # (is_same_domain semantics — confirm); that mirrors the trust boundary
    # cookies on that domain already have, so it is not widening access.
    if settings.CSRF_USE_SESSIONS:
        expected_host = settings.SESSION_COOKIE_DOMAIN
    else:
        expected_host = settings.CSRF_COOKIE_DOMAIN

    if expected_host is None:
        try:
            # get_host() includes the port and raises DisallowedHost for a
            # host that ALLOWED_HOSTS does not permit; such a request cannot
            # have a valid referer, so it is rejected.
            expected_host = request.get_host()
        except DisallowedHost:
            raise RejectRequest(REASON_BAD_REFERER % parsed.geturl())
    else:
        port = request.get_port()
        # The default https/http ports are implicit in a referer's netloc,
        # so only a non-default port has to appear in the expected value.
        if port not in ("443", "80"):
            expected_host = "%s:%s" % (expected_host, port)

    if not is_same_domain(referer_host, expected_host):
        raise RejectRequest(REASON_BAD_REFERER % parsed.geturl())
| 341 | |
| 342 | def _bad_token_message(self, reason, token_source): |
| 343 | if token_source != "POST": |