Re: Logging Out with POST by Default?

2012-09-21 Thread Paul McMillan
That's the same ticket as this one, which is more recent and has been
open for longer...

https://code.djangoproject.com/ticket/15619

FWIW, I agree we need to fix this.

On Fri, Sep 21, 2012 at 6:56 AM, Aymeric Augustin wrote:
> On 20 Sept 2012 at 20:03, Carl Meyer wrote:
>
>> FWIW I agree, and I think #7989 should be reopened. I do logout-via-POST
>> on all my projects nowadays to avoid logout CSRF, and it's really quite
>> simple. You can easily style a form button to look however you want
>> (including just like a link), so there's really no negative impact
>> besides slightly more markup in the template.
>
> I'm also in favor of reconsidering #7989, because Django has become a 
> widely-used, general-purpose framework, and it has a responsibility to 
> promote good practices.
>
> For instance, readthedocs.org simply uses django.contrib.auth by the book 
> [1], and thus is vulnerable to logout XSRF. (Disqus and Pinterest aren't 
> vulnerable and RTD.org is the next site that crossed my mind — I'm not 
> picking on RTD.org in any way.)
>
> Django should provide as much built-in security as possible, especially for 
> low-budget sites that can't afford security consultants.
>
>> The only irritating bit is that the Django admin implements its own
>> logout via GET, so you have to subclass AdminSite to fix that if you're
>> using the admin.
>
>
> Let's update the admin base template and logout view to use POST.
>
> --
> Aymeric.
>
>
> [1] https://docs.djangoproject.com/en/dev/topics/auth/ says:
>
>> For example, using the defaults, add the following line to your URLconf:
>> (r'^accounts/login/$', 'django.contrib.auth.views.login'),
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.



Re: Logging Out with POST by Default?

2012-09-21 Thread Aymeric Augustin
On 20 Sept 2012 at 20:03, Carl Meyer wrote:

> FWIW I agree, and I think #7989 should be reopened. I do logout-via-POST
> on all my projects nowadays to avoid logout CSRF, and it's really quite
> simple. You can easily style a form button to look however you want
> (including just like a link), so there's really no negative impact
> besides slightly more markup in the template.

I'm also in favor of reconsidering #7989, because Django has become a 
widely-used, general-purpose framework, and it has a responsibility to promote 
good practices.

For instance, readthedocs.org simply uses django.contrib.auth by the book [1], 
and thus is vulnerable to logout XSRF. (Disqus and Pinterest aren't vulnerable 
and RTD.org is the next site that crossed my mind — I'm not picking on RTD.org 
in any way.)

Django should provide as much built-in security as possible, especially for 
low-budget sites that can't afford security consultants.

> The only irritating bit is that the Django admin implements its own
> logout via GET, so you have to subclass AdminSite to fix that if you're
> using the admin.


Let's update the admin base template and logout view to use POST.

-- 
Aymeric.


[1] https://docs.djangoproject.com/en/dev/topics/auth/ says:

> For example, using the defaults, add the following line to your URLconf:
> (r'^accounts/login/$', 'django.contrib.auth.views.login'),




Re: Logging Out with POST by Default?

2012-09-20 Thread Carl Meyer
On 09/20/2012 11:52 AM, Adam Taylor wrote:
> I recently read the Coding Horror article "Cross-Site Request Forgeries
> and You", which suggests requiring an HTTP POST form submission for
> logging out. This same suggestion is implied in the Django book (chapter
> 16's "A Simple CSRF Example" section). Then I found Django ticket #7989,
> "Logout view should require POST request". I think that the "secure
> by default" mentality should be applied here, just like how variables
> are escaped by default in templates (you have to explicitly say that you
> /don't/ want them escaped).

FWIW I agree, and I think #7989 should be reopened. I do logout-via-POST
on all my projects nowadays to avoid logout CSRF, and it's really quite
simple. You can easily style a form button to look however you want
(including just like a link), so there's really no negative impact
besides slightly more markup in the template.

The only irritating bit is that the Django admin implements its own
logout via GET, so you have to subclass AdminSite to fix that if you're
using the admin.

Carl
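The logout CSRF Carl and Aymeric describe, shown as an added example that is not part of this thread and not Django's own code: a constructed stand-in for a session-backed request, with the GET logout pattern the thread objects to beside a POST logout that checks a per-session `csrfmiddlewaretoken` form field (the token check is simplified; Django's real middleware does more). The names `Session`, `Request`, `login`, `logout_get` and `logout_post` are assumptions of this example.

```python
import hmac
import secrets


class Session(dict):
    """Constructed stand-in for a server-side session looked up from a cookie."""


class Request:
    """Constructed stand-in for an HTTP request. `session` is attached by the
    framework from the session cookie, which the browser also sends on requests
    triggered by other sites; `POST` holds the form fields the submitting page
    chose to include."""

    def __init__(self, method, session, post=None):
        self.method = method
        self.session = session
        self.POST = post or {}


def login(session, username):
    """Log a user in and issue a CSRF token that only this session's own pages see."""
    session["user"] = username
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def is_logged_in(session):
    return "user" in session


def logout_get(request):
    """The pattern the thread objects to: any request carrying the session cookie,
    GET included, clears the session. Returns an HTTP status code."""
    request.session.clear()
    return 302


def logout_post(request):
    """Hardened form: require POST and a form token matching the session's token.
    A request forged from another site carries the cookie but cannot supply the
    token, so it is refused and the session survives."""
    if request.method != "POST":
        return 405
    submitted = request.POST.get("csrfmiddlewaretoken", "")
    expected = request.session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403
    request.session.clear()
    return 302
```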




Logging Out with POST by Default?

2012-09-20 Thread Adam Taylor
I recently read the Coding Horror article "Cross-Site Request Forgeries and 
You", which suggests requiring an HTTP POST form submission for logging out. This 
same suggestion is implied in the Django book (chapter 16's "A Simple CSRF 
Example" section). Then I found Django ticket #7989, "Logout view should require 
POST request". I think that the "secure by default" mentality should be applied 
here, just like how variables are escaped by default in templates (you have to 
explicitly say that you *don't* want them escaped).

Thoughts?
