On Sep 24, 11:17 am, Simon Willison <[EMAIL PROTECTED]> wrote:
> It turns out it's not that straight-forward after all:
>
> http://icanhaz.com/csrfpdf (PDF link, "Robust Defenses for Cross-Site
> Request Forgery")
>
> The above paper introduces the "login CSRF" attack, where CSRF is used
> to force a victim to log in to a site using /the attacker's/
> credentials. The hope is that the user will then enter personally
> sensitive information which the hacker can harvest later on.

This doesn't strike me as too big of a deal - you just need to make
sure to equip your login form with the anti-CSRF token. The attacker
could try to submit his/her token to the server along with his
credentials, but could not tamper with the cookies due to the same-
origin policy. The server will detect the mismatch.

Regarding the interface for this, all of the suggested ones have their
pros and cons. Template tags are nice since there's no change in the
Python code - unless you're not passing the RequestContext that is -
but you need to use the middleware or a decorator + change your
TEMPLATE_CONTEXT_PROCESSORS. All the other ones require you to change
your Form instantiation. I'd also be -1 on coupling the forms with
HttpRequest by default (yeah I've seen Mark Ramm's talk on Youtube ;)

But Luke has a point - if the "unsafe" is the default, there's a good
chance that somewhere something will slip through and the current
middleware IS very convenient in that regard. However, the issues that
Simon raised are still there, and there is a slight performance
penalty to be paid.

Either way, there's something that definitely can be done soon -
improve the docs! The current ones really don't do too much to raise
the awareness of the CSRF threat. Do a search for "csrf" - IMHO it
needs to be mentioned at least in the tutorial and in the forms docs.

Actually, Django might well do with a separate "security" page
describing Web app security issues and how they're dealt with in
Django. One could then have the above pages link to the appropriate
sections in this one.
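The defence the reply above describes (a token on the login form that is bound to the visitor's pre-login cookie, so an attacker can submit only a token for their own session and cannot set the victim's cookie across origins), worked through as an added example. This is not code from the thread or from Django itself; the secret, the cookie and field names (the field name follows Django's convention, the handler is not Django's), the Request/Response classes and the two accounts are all constructed for the illustration. It also shows the failure mode the reasoning implies: a check that accepts any token the server ever issued, without tying it to the cookie, does not stop login CSRF.

```python
"""Login CSRF versus a cookie-bound anti-CSRF token on the login form.

Added example (not Django's code): a minimal login handler whose form
carries a token derived from the visitor's pre-login session cookie.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SECRET_KEY = b"assumed-server-secret"                       # assumption: server secret
USERS = {"victim": "victim-pw", "attacker": "attacker-pw"}  # constructed accounts
ISSUED_TOKENS = set()  # only consulted by the weak check below


@dataclass
class Request:
    cookies: dict   # attached automatically by the browser; attacker can't set them
    form: dict      # the POST body, possibly from an attacker-authored page


@dataclass
class Response:
    status: int
    body: str


def new_session_id() -> str:
    """Value the server sets as the 'sessionid' cookie on first visit, before login."""
    return secrets.token_hex(16)


def derive_token(session_id: str) -> str:
    """Token bound to the cookie: HMAC(secret, sessionid).

    An attacker can obtain the token for *their own* session by loading the
    login page, but cannot derive the victim's (no secret) nor plant their own
    sessionid cookie in the victim's browser (same-origin policy)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_login_form(session_id: str) -> str:
    """Server renders the login page for this visitor; returns the hidden-field token."""
    token = derive_token(session_id)
    ISSUED_TOKENS.add(token)
    return token


def _authenticate(form: dict) -> Response:
    user, pw = form.get("username"), form.get("password") or ""
    if user in USERS and hmac.compare_digest(USERS[user], pw):
        return Response(200, f"logged in as {user}")
    return Response(401, "bad credentials")


def login_view(request: Request) -> Response:
    """Correct check: the submitted token must match the one bound to this cookie."""
    sid = request.cookies.get("sessionid")
    token = request.form.get("csrfmiddlewaretoken", "")
    if sid is None or not hmac.compare_digest(token, derive_token(sid)):
        return Response(403, "CSRF verification failed: token/cookie mismatch")
    return _authenticate(request.form)


def login_view_unbound(request: Request) -> Response:
    """Weak variant: any token the server ever issued passes, whoever it was issued to."""
    if request.form.get("csrfmiddlewaretoken", "") not in ISSUED_TOKENS:
        return Response(403, "CSRF verification failed: unknown token")
    return _authenticate(request.form)


def legitimate_login() -> Response:
    """Victim loads the login page, then submits the form it was given."""
    victim_sid = new_session_id()
    token = render_login_form(victim_sid)
    return login_view(Request(
        cookies={"sessionid": victim_sid},
        form={"csrfmiddlewaretoken": token,
              "username": "victim", "password": "victim-pw"}))


def login_csrf_attempt(view=login_view) -> Response:
    """Login CSRF: attacker loads the login page in their own browser, copies
    the token, and hosts a page that auto-submits it with the attacker's
    credentials. The victim's browser attaches the *victim's* cookie."""
    victim_sid = new_session_id()
    attacker_sid = new_session_id()
    attackers_token = render_login_form(attacker_sid)
    forged = Request(
        cookies={"sessionid": victim_sid},
        form={"csrfmiddlewaretoken": attackers_token,
              "username": "attacker", "password": "attacker-pw"})
    return view(forged)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("login CSRF vs bound token:", login_csrf_attempt())
    print("login CSRF vs unbound token:", login_csrf_attempt(login_view_unbound))
```

The point of the comparison is that "has a valid token" is not the property that stops login CSRF; "has the token that belongs to the cookie the browser just sent" is. A token stored server-side per session, or a signed token as here, both give that binding; a global list of issued tokens does not.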
