#9559: CSRFMiddleware should strip POST data instead of showing the user an error message if a forgery is detected
---------------------------------------------+------------------------------
 Reporter:  zain                             |        Owner:  nobody
   Status:  new                              |    Milestone:
Component:  Contrib apps                     |      Version:  1.0
Resolution:                                  |     Keywords:  csrf, csrfmiddleware
    Stage:  Design decision needed           |    Has_patch:  1
Needs_docs:  0                               |  Needs_tests:  0
Needs_better_patch:  1                       |
---------------------------------------------+------------------------------
Changes (by Daniel Pope <[EMAIL PROTECTED]>):
 * needs_better_patch:  => 1
 * stage:  Unreviewed => Design decision needed
 * needs_tests:  => 0
 * needs_docs:  => 0

Comment:

 Assigning an empty list to {{{request.POST}}} breaks API compatibility. You
 should assign an empty {{{django.http.QueryDict}}}.

 If the view is to be executed anyway it also might be useful to move the
 real POST data to request.UNTRUSTED_POST so that it would be possible to
 process PayPal data.

 However, I think the error message would be more useful to users than
 silently suppressing POST data. A minor refactoring of
 {{{CsrfMiddleware}}} would let users easily subclass it to provide whatever
 behaviour they prefer when the POST data doesn't validate.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/9559#comment:1>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
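The comment above raises three design points: that an empty `list` breaks the `request.POST` API a view expects, that an empty `QueryDict` preserves it, and that a small refactoring with an overridable rejection hook would let projects choose between a 403 response and stripping the data. The following is an added, self-contained Python sketch of that design written for this page; it is not Django's `CsrfMiddleware` and not the ticket's patch. The `QueryDict`, `Request`, `Response` and `CsrfMiddleware` classes are minimal stand-ins constructed here, the cookie and form-field names are assumptions, and the token check is a plain constant-time equality of the cookie and form values.

```python
"""Added example: a CSRF middleware with an overridable rejection hook.

Stand-ins only: none of these classes are django.http or django.middleware.
"""
import hmac
from http import HTTPStatus


class QueryDict(dict):
    """Tiny stand-in for django.http.QueryDict: multi-valued, .get() returns the last value."""

    def __init__(self, items=()):
        super().__init__()
        for key, value in items:
            dict.setdefault(self, key, []).append(value)

    def get(self, key, default=None):
        values = dict.get(self, key)
        return values[-1] if values else default

    def getlist(self, key):
        return list(dict.get(self, key, []))


class Request:
    """Constructed request object carrying only what the middleware looks at."""

    def __init__(self, method, post, cookies):
        self.method = method
        self.POST = post
        self.COOKIES = cookies


class Response:
    def __init__(self, status, body=""):
        self.status = status
        self.body = body


class CsrfMiddleware:
    """Base behaviour: a POST whose form token does not match the cookie is rejected.

    reject() is the hook the ticket comment asks for; subclasses override it.
    """

    COOKIE_NAME = "csrftoken"  # assumed names, not taken from the ticket
    FIELD_NAME = "csrfmiddlewaretoken"

    def process_view(self, request):
        if request.method != "POST":
            return None  # only state-changing requests are checked
        expected = request.COOKIES.get(self.COOKIE_NAME, "")
        supplied = request.POST.get(self.FIELD_NAME, "")
        # An absent cookie must never match an absent field, hence the `expected and`.
        if expected and hmac.compare_digest(expected, supplied):
            return None
        return self.reject(request)

    def reject(self, request):
        """Default: stop the request with an error page, as the comment prefers."""
        return Response(HTTPStatus.FORBIDDEN, "CSRF verification failed")


class StripPostCsrfMiddleware(CsrfMiddleware):
    """Variant the ticket proposes: run the view, but with POST data removed.

    The original data is kept on request.UNTRUSTED_POST for code that knows
    it is dealing with an unauthenticated third-party callback.
    """

    def reject(self, request):
        request.UNTRUSTED_POST = request.POST
        request.POST = QueryDict()  # empty but API-compatible; [] would not be
        return None


def example_view(request):
    """A view written against the normal request.POST API."""
    return request.POST.get("amount", "missing")
```

Swapping the middleware class is the only change a project needs to make between the two behaviours, and `example_view` shows why the comment insists on `QueryDict()` rather than `[]`: a list has no `.get()`, so every view touching `request.POST` would raise instead of seeing an empty form.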