#20869: Prevent repetitive output to counter BREACH-type attacks
-------------------------------+----------------------------------------
Reporter: patrys | Owner: adambrenecki
Type: Uncategorized | Status: assigned
Component: contrib.csrf | Version: 1.5
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+----------------------------------------
Changes (by adambrenecki):
* owner: nobody => adambrenecki
* status: new => assigned
Comment:
I've tried to write a patch to fix this using the same method as is
discussed above and in the Rails patch - by replacing all occurrences of
`csrf_token` in the body with `p + xor(csrf_token, p)`, where `p` is
randomly generated anew each request.
I've assumed all occurrences of `csrf_token` in the body come from
`django.middleware.csrf.get_token()`. I've also assumed that
'''accepting''' a non-XORed `csrf_token` can't hurt us (eg if someone
loads a page before the server is upgraded and submits after), so long as
we don't '''produce''' one.
I've verified that I haven't broken CSRF by logging in to the admin of a
new Django project; however I'm still in the process of running the test
suite, and I'm yet to write new tests.
(Also, this is my first Django patch, so I apologise if I've done
something wrong :S)
https://github.com/adambrenecki/django/tree/ticket_20869
--
Ticket URL: <https://code.djangoproject.com/ticket/20869#comment:16>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
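The masking the comment above describes (emit `p + xor(csrf_token, p)` with a fresh `p` per request, while still accepting an unmasked token on submission) can be demonstrated on its own. The following is an added example, not code from the linked branch or from Django; the token length, alphabet, hex encoding and the function names `mask_token`, `unmask_token` and `tokens_match` are assumptions made for the example. The point it shows is that the bytes carrying the token differ on every response even though the underlying secret is fixed, which is what removes the stable plaintext a compression-ratio attack relies on.

```python
import secrets
from typing import Optional

# Constructed parameters for this example: a 32-character secret over an
# alphanumeric alphabet, standing in for what get_token() would hand out.
TOKEN_LENGTH = 32
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_secret() -> str:
    """Generate the per-session CSRF secret (stand-in for Django's own generator)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LENGTH))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask_token(secret: str, pad: Optional[bytes] = None) -> str:
    """Return p + xor(secret, p), hex-encoded, with p drawn fresh unless supplied.

    Every call yields a different string for the same secret, so the bytes the
    compressor sees change on every response while the secret stays constant.
    """
    if len(secret) != TOKEN_LENGTH or any(c not in ALPHABET for c in secret):
        raise ValueError("secret is not a well-formed CSRF secret")
    if pad is None:
        pad = secrets.token_bytes(TOKEN_LENGTH)  # new random p for every request
    if len(pad) != TOKEN_LENGTH:
        raise ValueError("pad must be exactly one token length")
    masked = _xor(secret.encode("ascii"), pad)
    return pad.hex() + masked.hex()


def unmask_token(token: str) -> Optional[str]:
    """Recover the secret from a masked token or from a legacy unmasked one.

    Returns None if the string is not a valid token in either form.
    """
    if len(token) == TOKEN_LENGTH and all(c in ALPHABET for c in token):
        return token  # legacy form: accepted on input, never produced by mask_token
    if len(token) != 4 * TOKEN_LENGTH:
        return None
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    pad, masked = raw[:TOKEN_LENGTH], raw[TOKEN_LENGTH:]
    try:
        secret = _xor(masked, pad).decode("ascii")
    except UnicodeDecodeError:
        return None
    if any(c not in ALPHABET for c in secret):
        return None
    return secret


def tokens_match(submitted: str, expected_secret: str) -> bool:
    """Compare a submitted token (masked or not) with the session secret in constant time."""
    recovered = unmask_token(submitted)
    if recovered is None:
        return False
    return secrets.compare_digest(recovered, expected_secret)


if __name__ == "__main__":
    s = generate_secret()
    print("two renderings of one secret differ:", mask_token(s) != mask_token(s))
    print("masked token still validates:", tokens_match(mask_token(s), s))
    print("legacy unmasked token still validates:", tokens_match(s, s))
```

The validation side deliberately rejects anything that does not decode to a well-formed secret rather than passing it on to the comparison, and the comparison itself uses `secrets.compare_digest` so that a masked token does not reintroduce a timing side channel in place of the compression one.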