authorMatt Robenolt <matt@ydekproductions.com>2015-03-17 02:52:55 -0700
committerTim Graham <timograham@gmail.com>2015-09-16 12:21:50 -0400
commitb0c56b895fd2694d7f5d4595bdbbc41916607f45 (patch)
tree4ac4ef6e9e3cc89263f99ef76321ca88b2968a1c /django/http/request.py
parent535809e12161d28dacaf5161436fc05a9bb064aa (diff)
downloaddjango-b0c56b895fd2694d7f5d4595bdbbc41916607f45.tar.gz
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
Diffstat (limited to 'django/http/request.py')
-rw-r--r--django/http/request.py11
1 files changed, 2 insertions, 9 deletions
diff --git a/django/http/request.py b/django/http/request.py
index 15f1c4614e..22405d8306 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -16,6 +16,7 @@ from django.utils.datastructures import ImmutableList, MultiValueDict
from django.utils.encoding import (
escape_uri_path, force_bytes, force_str, force_text, iri_to_uri,
)
+from django.utils.http import is_same_domain
from django.utils.six.moves.urllib.parse import (
parse_qsl, quote, urlencode, urljoin, urlsplit,
)
@@ -546,15 +547,7 @@ def validate_host(host, allowed_hosts):
host = host[:-1] if host.endswith('.') else host
for pattern in allowed_hosts:
- pattern = pattern.lower()
- match = (
- pattern == '*' or
- pattern.startswith('.') and (
- host.endswith(pattern) or host == pattern[1:]
- ) or
- pattern == host
- )
- if match:
+ if pattern == '*' or is_same_domain(host, pattern):
return True
return False
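Review bot: The rewritten loop body no longer lowercases `pattern` itself, so validate_host now relies on is_same_domain doing that case folding and on `host` already arriving lowercased — the only normalisation still visible here is stripping a trailing dot on the line before the loop. validate_host's signature and docstring sit above the hunk; the docstring should state this contract explicitly, e.g. `Patterns are matched case-insensitively; host must already be lowercased by the caller, and a trailing dot on host is ignored.` It should also mention that the matching rules are now shared with the CSRF Referer check through is_same_domain, so a change to either caller's expectations affects both. is_same_domain is not visible in this diff; if it does not lower-case `pattern`, a mixed-case ALLOWED_HOSTS entry would stop matching, which is worth pinning with a test.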