On Wed, Apr 13, 2016 at 9:42 AM, Thomas De Schampheleire <patrickdeping...@gmail.com> wrote:

> > (Aside: I did not look at the tgext.routes code, but I assume the
> > override support is opt-in? Enabling it automatically for all applications
> > could cause security issues for applications that don't have CSRF
> > protection.)
>
> AFAIU there is no opt-in currently: the following lines were added
> unconditionally:
>
>     # routes middleware overrides methods using _method param.
>     if environ['REQUEST_METHOD'] == 'GET' and '_method' in state.request.GET:
>         environ['REQUEST_METHOD'] = state.request.GET['_method'].upper()
>     elif environ['REQUEST_METHOD'] == 'POST' and '_method' in state.request.POST:
>         environ['REQUEST_METHOD'] = state.request.POST['_method'].upper()
Nope, there is no opt-in. There isn't one in routes itself either:
https://github.com/bbangert/routes/blob/master/routes/middleware.py#L61-L70

Also, even if you opted out, you can still perform CSRF in any case by
using an XMLHttpRequest or a form.
_______________________________________________
kallithea-general mailing list
kallithea-general@sfconservancy.org
http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
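An added example to make the mechanism discussed in the thread concrete; this is not code from tgext.routes, Routes or Kallithea. It is a minimal WSGI middleware that reproduces the quoted `_method` rewrite (query string on GET, form body on POST), but puts it behind an explicit `enabled` opt-in flag and a verb allow-list, both of which are hypothetical hardening choices that the quoted snippet does not have. A tiny echo app and constructed requests show what method the application ends up dispatching on.

```python
# Added illustration, not code from tgext.routes, Routes or Kallithea.
# Reproduces the quoted ``_method`` override behind a hypothetical opt-in
# flag and a hypothetical allow-list; the quoted snippet has neither.
from io import BytesIO
from urllib.parse import parse_qs


class MethodOverride:
    """Rewrite REQUEST_METHOD from a ``_method`` request parameter.

    Mirrors the quoted logic: a GET honours ``_method`` in the query
    string, a form-encoded POST honours ``_method`` in the body.
    """

    # Hypothetical allow-list: only admit the verbs an HTML form cannot
    # send natively. The quoted snippet upper-cases and accepts any value.
    ALLOWED = frozenset({"PUT", "DELETE", "PATCH"})

    def __init__(self, app, enabled=False):
        self.app = app
        self.enabled = enabled  # hypothetical opt-in; quoted code is unconditional

    def _override_value(self, environ):
        method = environ.get("REQUEST_METHOD", "GET")
        if method == "GET":
            params = parse_qs(environ.get("QUERY_STRING", ""))
        elif method == "POST" and environ.get("CONTENT_TYPE", "").startswith(
            "application/x-www-form-urlencoded"
        ):
            body = environ["wsgi.input"].read()
            environ["wsgi.input"] = BytesIO(body)  # leave the body readable for the app
            params = parse_qs(body.decode("utf-8", "replace"))
        else:
            return None
        values = params.get("_method")
        return values[0].upper() if values else None

    def __call__(self, environ, start_response):
        if self.enabled:
            override = self._override_value(environ)
            if override in self.ALLOWED:
                environ["REQUEST_METHOD"] = override
        return self.app(environ, start_response)


def echo_method_app(environ, start_response):
    """Tiny WSGI app: answers with the method it was dispatched with."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REQUEST_METHOD"].encode("ascii")]


def method_seen(app, method, query="", body=b"", content_type=""):
    """Push one constructed request through ``app``; return the response text."""
    environ = {
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "CONTENT_TYPE": content_type,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    app_iter = app(environ, lambda status, headers, exc_info=None: None)
    return b"".join(app_iter).decode("ascii")


def demo():
    """Constructed requests showing what the application ends up seeing."""
    on = MethodOverride(echo_method_app, enabled=True)
    off = MethodOverride(echo_method_app, enabled=False)
    form = "application/x-www-form-urlencoded"
    return {
        # A plain link or <img src> from any site is enough to send this GET.
        "get_with_override": method_seen(on, "GET", query="_method=delete"),
        "get_opted_out": method_seen(off, "GET", query="_method=delete"),
        "post_form_override": method_seen(
            on, "POST", body=b"_method=put&x=1", content_type=form
        ),
        "get_rejected_verb": method_seen(on, "GET", query="_method=post"),
        "plain_get": method_seen(on, "GET"),
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name:20s} -> {seen}")
```

The `get_with_override` case is the one the thread is about: with the rewrite active, whatever the application does for DELETE on a URL becomes reachable through an ordinary GET to that URL plus `?_method=delete`, which a third-party page can trigger with an `<img>` or a link, so any CSRF protection has to be applied after the override, on the method the application actually dispatches on. The `enabled` flag only decides whether the rewrite happens at all; it is not a CSRF defence.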