-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jens,

On 09/12/2011 10:20 AM, Jens Diemer wrote:
>
> I wonder that the CSRF token sent from the client isn't validated.

Well, it is sanitized to only alphanumeric characters, but you're right that the length is never checked.

> Don't know if a DOS attack is possible by sending many requests with very
> long CSRF tokens?
>
> IMHO it's a good idea to check the length before doing anything with it.

Sanity-checking the length sounds reasonable to me - do you mind opening a ticket for this and attaching your patch?

Thanks,
Carl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5ubHQACgkQ8W4rlRKtE2frrQCgr8HhCPKaPGKyTocUGnmiU9Ku
ekYAoNgZqJ/n4SJnd1tD2Zkpeb/+du47
=ZWv6
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
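The point raised in the thread, as an added illustration that is not Carl's or Django's code: a sanitizer that only strips non-alphanumeric characters does work proportional to whatever length the client chooses to send, while a length check up front rejects oversized input before any further processing. The 32-character token length (`CSRF_KEY_LENGTH`) and the function names below are assumptions made for the example; the sample tokens are constructed inline.

```python
import hmac
import re

# Assumption for this example: the CSRF token is a fixed-length string of
# 32 alphanumeric characters. Not taken from Django's source.
CSRF_KEY_LENGTH = 32
_NON_ALNUM = re.compile(r"[^a-zA-Z0-9]+")


def sanitize_token_unbounded(token):
    """The behaviour discussed in the thread: strip everything that is not
    alphanumeric, with no length check. The regex walks the whole input, so a
    client controls how much work each request costs the server."""
    return _NON_ALNUM.sub("", token)


def sanitize_token_bounded(token, max_length=CSRF_KEY_LENGTH):
    """Hypothetical hardened variant (example only): reject over-long input
    before touching it, then require exactly the expected length afterwards.
    Returns None for anything that cannot be a valid token."""
    if len(token) > max_length:
        return None  # caller treats this like a missing token and rejects the request
    cleaned = _NON_ALNUM.sub("", token)
    if len(cleaned) != max_length:
        return None
    return cleaned


def tokens_match(expected, submitted):
    """Validate the token submitted in the form/header against the expected one.
    The length check runs first; the comparison is constant-time so timing does
    not leak information about the expected token."""
    cleaned = sanitize_token_bounded(submitted)
    if cleaned is None:
        return False
    return hmac.compare_digest(expected, cleaned)


if __name__ == "__main__":
    # Constructed sample tokens for a stand-alone run.
    good = "A" * CSRF_KEY_LENGTH
    huge = "A" * 1_000_000 + "!" * 10
    print(len(sanitize_token_unbounded(huge)))   # full megabyte is processed
    print(sanitize_token_bounded(huge))          # None: rejected by length
    print(tokens_match(good, good))              # True
    print(tokens_match(good, good + "x" * 500))  # False
```

Checking `len()` before the substitution is what keeps the cost bounded: the regex and the constant-time compare only ever see inputs of at most `max_length` characters.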