[Django] #12130: CSRF code requires non-POST-accepting views to be protected
by noreply-71
Reporter:  carljm          | Owner:     nobody
Status:    new             | Milestone:
Component: Core framework  | Version:   SVN
Keywords:                  | Stage:     Unreviewed
Has_patch: 0               |

There's a very confusing failure mode for the new CSRF protection when not using the view middleware (i.e. when upgrading a project that didn't use CSRF protection before), and using contrib.comments (or any other code where a form is posted from one view to a different one).

The CSRF context processor sets the csrf_token to NOTPROVIDED if the _current_ view is not protected by either the view middleware or the decorator. But it's quite possible (even likely when using contrib.comments) that the form-rendering view is a GET-only view that doesn't need to be protected, but its form POSTs to a view that is protected (with the decorator).

To reproduce:

1. Create a project using Django trunk. Leave CsrfViewMiddleware out of MIDDLEWARE_CLASSES.
2. Add a simple object_detail view that calls contrib.comments' {% render_comment_form %} tag.
3. Load up that view and submit a comment. You'll get the CSRF 403 Forbidden.

Somehow a valid CSRF token needs to be made available to templates rendered by any view, regardless of whether that view is itself protected against CSRF.

--
Ticket URL: <http://code.djangoproject.com/ticket/12130>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

You received this message because you are subscribed to the Google Groups "Django updates" group.
To post to this group, send email to django-updates@...
To unsubscribe from this group, send email to django-updates+unsubscribe@...
For more options, visit this group at http://groups.google.com/group/django-updates?hl=en

Re: [Django] #12130: CSRF code requires non-POST-accepting views to be protected
by noreply-71
Reporter:  carljm          | Owner:       carljm
Status:    new             | Milestone:
Component: Core framework  | Version:     SVN
Resolution:                | Keywords:
Stage:     Unreviewed      | Has_patch:   1
Needs_docs: 0              | Needs_tests: 0
Needs_better_patch: 0      |

Changes (by carljm):

 * owner: nobody => carljm
 * needs_better_patch: => 0
 * has_patch: 0 => 1
 * needs_tests: => 0
 * needs_docs: => 0

Comment:

I think the answer here is that get_token needs to be more robust, and create a new token if it doesn't find one (rather than relying on the view middleware / decorator to create new tokens for it). If {% csrf_token %} is used in a template, that means we really honestly do need a token. The whole 'NOTPROVIDED' special case simply needs to go away; there are no circumstances under which a call to {% csrf_token %} should not return a usable token. At least that's my take on it. Patch with tests attached.

--
Ticket URL: <http://code.djangoproject.com/ticket/12130#comment:1>

Re: [Django] #12130: CSRF code requires non-POST-accepting views to be protected
by noreply-71
Reporter:  carljm          | Owner:       lukeplant
Status:    new             | Milestone:
Component: Core framework  | Version:     SVN
Resolution:                | Keywords:
Stage:     Unreviewed      | Has_patch:   1
Needs_docs: 0              | Needs_tests: 0
Needs_better_patch: 0      |

Changes (by lukeplant):

 * owner: carljm => lukeplant

Comment:

Very good catch, thank you. This hole in the logic appeared when we switched the proposal from having CsrfViewMiddleware as a requirement for contrib views to using a decorator for those views, and your analysis of the new situation is exactly right. Thanks for the time spent debugging, I'll apply shortly.

--
Ticket URL: <http://code.djangoproject.com/ticket/12130#comment:2>

Re: [Django] #12130: CSRF code requires non-POST-accepting views to be protected
by noreply-71
Reporter:  carljm          | Owner:       lukeplant
Status:    new             | Milestone:
Component: Core framework  | Version:     SVN
Resolution:                | Keywords:
Stage:     Unreviewed      | Has_patch:   1
Needs_docs: 0              | Needs_tests: 0
Needs_better_patch: 0      |

Comment (by lukeplant):

Ah, there is a problem. If the user does not yet have a CSRF cookie, and visits a page that does not have `@csrf_protect` applied, then with your solution, they will get a token but not a cookie, since it is the middleware/decorator that actually sends a cookie when the token is used. We could add something like a `@uses_csrf_token` decorator, but it's actually much simpler to require use of the `@csrf_protect` decorator on views that need to use the token. That needs documenting, and adding to the contrib comment views.

--
Ticket URL: <http://code.djangoproject.com/ticket/12130#comment:3>

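The failure mode from the ticket description, and the cookie problem lukeplant points out in comment:3, shown as an added, self-contained example. This is not Django's code: `Request`, `Response`, `get_token`, `csrf_protect`, `render_form_view` and `post_comment_view` are constructed stand-ins for the real request objects, the `{% csrf_token %}` tag, the `@csrf_protect` decorator and a contrib.comments-style posting view, and the cookie and field names are assumed constants. The model is a cookie-based double-submit scheme: the token is valid only if the POSTed field matches the cookie the browser sends back, so a token minted by a renderer that never emits Set-Cookie is useless.

```python
"""Minimal model of a cookie/double-submit CSRF scheme.

Added illustration, not Django's implementation. It mints a token on demand
in get_token() (the approach proposed in comment:1) and shows that this is
not enough on its own: only the decorator emits the Set-Cookie header, so a
form rendered by an undecorated view carries a token the server can never
match on the following POST.
"""
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "csrftoken"             # assumed cookie name
FIELD_NAME = "csrfmiddlewaretoken"    # assumed hidden-field name
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)   # what the browser sent
    post: dict = field(default_factory=dict)      # form fields on POST
    meta: dict = field(default_factory=dict)      # per-request scratch space


@dataclass
class Response:
    status: int
    body: str = ""
    set_cookies: dict = field(default_factory=dict)  # Set-Cookie headers


def get_token(request):
    """Stand-in for {% csrf_token %}: reuse the cookie's token if the browser
    has one, otherwise mint a fresh one. It can only record that the token
    was used; the response (and thus the cookie) is not in scope here."""
    token = request.meta.get("CSRF_COOKIE") or request.cookies.get(COOKIE_NAME)
    if token is None:
        token = secrets.token_hex(16)
    request.meta["CSRF_COOKIE"] = token
    request.meta["CSRF_COOKIE_USED"] = True
    return token


def csrf_protect(view):
    """Stand-in for @csrf_protect / the view middleware: reject unsafe
    requests whose POSTed token does not match the cookie, and send the
    cookie whenever the wrapped view used a token."""
    def wrapper(request):
        if request.method not in SAFE_METHODS:
            cookie = request.cookies.get(COOKIE_NAME)
            posted = request.post.get(FIELD_NAME)
            if (cookie is None or posted is None
                    or not secrets.compare_digest(cookie, posted)):
                return Response(403, "CSRF verification failed")
        response = view(request)
        if request.meta.get("CSRF_COOKIE_USED"):
            response.set_cookies[COOKIE_NAME] = request.meta["CSRF_COOKIE"]
        return response
    return wrapper


def render_form_view(request):
    """GET-only view (think object_detail) whose form POSTs elsewhere."""
    token = get_token(request)
    return Response(200, f'<input type="hidden" name="{FIELD_NAME}" value="{token}">')


@csrf_protect
def post_comment_view(request):
    """The protected view the form is submitted to."""
    return Response(200, "comment saved")


def extract_token(body):
    """Pull the hidden field's value out of the rendered form."""
    return body.split('value="')[1].split('"')[0]


def submit_comment(render_view):
    """Simulate a browser with no CSRF cookie yet: GET the form through
    render_view, store any Set-Cookie, then POST the rendered token to the
    protected view. Returns the HTTP status of the POST."""
    jar = {}
    page = render_view(Request("GET", cookies=dict(jar)))
    jar.update(page.set_cookies)
    token = extract_token(page.body)
    reply = post_comment_view(Request("POST", cookies=dict(jar),
                                      post={FIELD_NAME: token}))
    return reply.status


if __name__ == "__main__":
    # undecorated renderer: token in the page, no cookie -> 403 on POST
    print("undecorated renderer:", submit_comment(render_form_view))
    # decorated renderer: the cookie travels with the POST -> 200
    print("decorated renderer:  ", submit_comment(csrf_protect(render_form_view)))
```

Wrapping the rendering view in `csrf_protect` is the fix lukeplant settles on in this thread; the "alternative solution" in comment:4 would instead move the Set-Cookie step out of the decorator into code that runs for every response, which in this model means moving the `set_cookies` assignment out of `wrapper` into whatever builds the final response.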
Re: [Django] #12130: CSRF code requires non-POST-accepting views to be protected
by noreply-71
Reporter:  carljm          | Owner:       lukeplant
Status:    new             | Milestone:
Component: Core framework  | Version:     SVN
Resolution:                | Keywords:
Stage:     Unreviewed      | Has_patch:   1
Needs_docs: 0              | Needs_tests: 0
Needs_better_patch: 0      |

Comment (by lukeplant):

An alternative solution is to call the code that adds the cookie from core functionality, so we can guarantee it always happens. For now, I'm just going to fix this via careful documentation, though we may want to revisit.

--
Ticket URL: <http://code.djangoproject.com/ticket/12130#comment:4>

Re: [Django] #12130: CSRF code requires non-POST-accepting views to be protected
by noreply-71
Reporter:  carljm          | Owner:       lukeplant
Status:    closed          | Milestone:
Component: Core framework  | Version:     SVN
Resolution: fixed          | Keywords:
Stage:     Unreviewed      | Has_patch:   1
Needs_docs: 0              | Needs_tests: 0
Needs_better_patch: 0      |

Comment (by d0ugal):

The documentation added here isn't displaying correctly.

http://docs.djangoproject.com/en/dev/ref/templates/builtins/#csrf-token

"System Message: WARNING/2 (/home/djangodocs/en/dev/ref/templates/builtins.txt) undefined label: releases-1.1.2"

--
Ticket URL: <http://code.djangoproject.com/ticket/12130#comment:6>