#9776: No CSRF protection for auth system logout view
----------------------------+-----------------------------------------------
 Reporter:  Mez             |       Owner:  nobody    
   Status:  new             |   Milestone:            
Component:  Authentication  |     Version:  1.0       
 Keywords:                  |       Stage:  Unreviewed
Has_patch:  0               |  
----------------------------+-----------------------------------------------
 Having looked through the documentation, it seems that there is a sorely
 missed point.

 The logout function doesn't seem to have any form of CSRF protection that
 I can notice, meaning that someone could easily place an image with the
 URL of http://www.yoursite.com/logout/ (or whatever the URL is) and make
 it so that anyone who views the page with the image on it is logged out.

 This seems to me a massive oversight in the system, and I can foresee
 times where, due to a badly configured permission system, an admin cannot
 easily delete offending content which has an image or something similar to
 this in it.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/9776>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
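As an added example, not from the ticket and not Django's own code: a framework-agnostic sketch of the mitigation the report asks for, a logout view that refuses GET and checks a per-session synchronizer token, so an `<img>` pointing at `/logout/` on a third-party page cannot end the session. The `Request` class, `issue_csrf_token`, `logout_view` and `simulate` are constructed stand-ins; `csrfmiddlewaretoken` is only borrowed as a familiar field name.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a framework request (not Django's HttpRequest)."""
    method: str
    session: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session):
    """Create (or reuse) the per-session secret the logout form must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def logout_view(request):
    """Hardened logout: only a POST carrying the session's token ends the session.

    Returns (status_code, message). A GET, such as the one a browser issues for
    <img src="http://www.yoursite.com/logout/">, is refused outright.
    """
    if request.method != "POST":
        return 405, "logout requires POST; serve a confirmation form instead"
    expected = request.session.get("csrf_token")
    supplied = request.form.get("csrfmiddlewaretoken", "")
    # Constant-time compare; a cross-site page cannot read the victim's token.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "CSRF token missing or incorrect"
    request.session.clear()
    return 200, "logged out"


def simulate():
    """Walk the three cases from the report: image GET, forged POST, real POST."""
    session = {"user_id": 42}                     # constructed logged-in session
    token = issue_csrf_token(session)
    results = {}
    results["img_get"] = logout_view(Request("GET", session))
    results["forged_post"] = logout_view(
        Request("POST", session, {"csrfmiddlewaretoken": "attacker-guess"}))
    results["user_before_real_post"] = session.get("user_id")
    results["real_post"] = logout_view(
        Request("POST", session, {"csrfmiddlewaretoken": token}))
    results["user_after_real_post"] = session.get("user_id")
    return results
```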