On 12.09.2011 22:32, Carl Meyer wrote:
Sanity-checking the length sounds reasonable to me - do you mind opening
a ticket for this and attaching your patch?
Done ;)
Ticket:
https://code.djangoproject.com/ticket/16827
Patch:
https://github.com/django/django/pull/45
--
Regards.
+1
On 9/12/11, Carl Meyer wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi Jens,
>
> On 09/12/2011 10:20 AM, Jens Diemer wrote:
>>
>> I am surprised that the CSRF token sent from the client is not validated.
>
> Well, it is sanitized to only alphanumeric characters,
One-liner:
import re  # needed for re.sub
re.sub('[^a-zA-Z0-9]', '', str(token.decode('ascii', 'ignore'))) if (len(token) == 32) else ''
Cheers,
AT
On Mon, Sep 12, 2011 at 5:32 PM, Carl Meyer wrote:
> Hi Jens,
>
> On 09/12/2011 10:20 AM, Jens Diemer
Hi Jens,
On 09/12/2011 10:20 AM, Jens Diemer wrote:
>
> I am surprised that the CSRF token sent from the client is not validated.
Well, it is sanitized to only alphanumeric characters, but you're right
that the length is never checked.
> Don't know
I am surprised that the CSRF token sent from the client is not validated.
Don't know if a DoS attack is possible by sending many requests with very long
CSRF tokens?
IMHO it's a good idea to check the length before doing anything with it.
e.g.:
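The two behaviours discussed in this thread side by side, as an added example (not Jens's patch, not AT's one-liner and not Django's own code): one sanitizer that only strips non-alphanumerics, and one that rejects anything whose length is not the expected 32 characters before the regex touches it. The 32-character length comes from the one-liner above; the constant name CSRF_KEY_LENGTH, the function names and the sample tokens are this example's own assumptions. The final "did sanitizing shorten it?" check in the hardened version is an extra step not proposed on this thread.

```python
import re

# Assumption: a valid CSRF token is exactly 32 alphanumeric characters,
# matching the len(token) == 32 check in AT's one-liner above.
CSRF_KEY_LENGTH = 32
_NON_ALNUM = re.compile(r'[^a-zA-Z0-9]')


def sanitize_unchecked(token):
    """The behaviour Carl describes: keep only alphanumerics, never check length.

    Input of any length is accepted, so the regex walks over every byte the
    client chose to send before anything decides the token is bogus.
    """
    if isinstance(token, bytes):
        token = token.decode('ascii', 'ignore')
    return _NON_ALNUM.sub('', token)


def sanitize_checked(token):
    """Length sanity check first, as Jens proposes.

    Anything that is not exactly CSRF_KEY_LENGTH characters is rejected before
    the regex (or anything else) runs, so the cost of handling an oversized
    token is a single len() call. Returns '' for a rejected token, mirroring
    the one-liner above.
    """
    if len(token) != CSRF_KEY_LENGTH:
        return ''
    if isinstance(token, bytes):
        token = token.decode('ascii', 'ignore')
    cleaned = _NON_ALNUM.sub('', token)
    # Added hardening (not from the thread): a token that lost characters to
    # sanitizing cannot be a genuine 32-character token, so reject it as well.
    return cleaned if len(cleaned) == CSRF_KEY_LENGTH else ''


def compare(token):
    """Return (length of the unchecked result, checked result) for one input."""
    return len(sanitize_unchecked(token)), sanitize_checked(token)


if __name__ == '__main__':
    # Constructed sample inputs.
    good = 'a' * 16 + 'B' * 8 + '9' * 8        # 32 alphanumerics
    padded = good + '!' * 1000                 # right prefix, wrong length
    huge = 'x' * (10 * 1024 * 1024)            # 10 MiB of "token"
    for name, tok in [('good', good), ('padded', padded), ('huge', huge)]:
        unchecked_len, checked = compare(tok)
        print(name, 'unchecked kept', unchecked_len, 'chars;',
              'checked ->', repr(checked) if checked else 'rejected')
```

Running the script shows the point of the thread: for `huge`, the unchecked version still produces a 10 MiB string after a regex pass over the whole input, while the checked version returns '' without doing any work on it.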