Re: [Django] #10996: CSRF documentation doesn't note login CSRF vulnerability

2009-08-06 Thread Django
#10996: CSRF documentation doesn't note login CSRF vulnerability
----------------------------+---------------------------
          Reporter:  smehmood       |       Owner:  lukeplant
            Status:  new            |   Milestone:
         Component:  Documentation  |     Version:  1.0
        Resolution:                 |    Keywords:  CSRF
             Stage:  Accepted       |   Has_patch:  0
        Needs_docs:  0              | Needs_tests:  0
Needs_better_patch:  0              |
----------------------------+---------------------------
Changes (by Alex):

  * stage:  Unreviewed => Accepted

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en
-~--~~~~--~~--~--~---



Re: [Django] #10996: CSRF documentation doesn't note login CSRF vulnerability

2009-05-11 Thread Django
#10996: CSRF documentation doesn't note login CSRF vulnerability
----------------------------+---------------------------
          Reporter:  smehmood       |       Owner:  lukeplant
            Status:  new            |   Milestone:
         Component:  Documentation  |     Version:  1.0
        Resolution:                 |    Keywords:  CSRF
             Stage:  Unreviewed     |   Has_patch:  0
        Needs_docs:  0              | Needs_tests:  0
Needs_better_patch:  0              |
----------------------------+---------------------------
Comment (by lukeplant):

 See CsrfProtection - out-of-the-box login views are not actually
 vulnerable to login CSRF with the CSRF middleware.  But probably the
 documentation does need fixing in the 1.0.X branch (and 1.1.X branch when
 it arrives).




Re: [Django] #10996: CSRF documentation doesn't note login CSRF vulnerability

2009-05-04 Thread Django
#10996: CSRF documentation doesn't note login CSRF vulnerability
----------------------------+---------------------------
          Reporter:  smehmood       |       Owner:  lukeplant
            Status:  new            |   Milestone:
         Component:  Documentation  |     Version:  1.0
        Resolution:                 |    Keywords:  CSRF
             Stage:  Unreviewed     |   Has_patch:  0
        Needs_docs:  0              | Needs_tests:  0
Needs_better_patch:  0              |
----------------------------+---------------------------
Changes (by lukeplant):

  * owner:  nobody => lukeplant
  * needs_better_patch:  => 0
  * needs_tests:  => 0
  * needs_docs:  => 0




[Django] #10996: CSRF documentation doesn't note login CSRF vulnerability

2009-05-04 Thread Django
#10996: CSRF documentation doesn't note login CSRF vulnerability
---------------------------+---------------------------
 Reporter:  smehmood       |      Owner:  nobody
   Status:  new            |  Milestone:
Component:  Documentation  |    Version:  1.0
 Keywords:  CSRF           |      Stage:  Unreviewed
Has_patch:  0              |
---------------------------+---------------------------
 It is my understanding that the CsrfMiddleware module does not protect
 against the login CSRF attacks described in
 http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf.
 This post to the django-dev seems to confirm this:
 http://groups.google.com/group/django-developers/browse_thread/thread/ae525f270ed46933/5a339c6d64d40868?lnk=gst=csrf#5a339c6d64d40868

 However, the documentation for the CsrfMiddleware class does not note
 this, despite having a specific 'Limitations' section.
 It also makes this false statement:
 "POST requests that are not accompanied by a session cookie are not
 protected, but they do not need to be protected, since the 'attacking' Web
 site could make these kind of requests anyway."

 Two things:

 1) The fact that an attacking website could make the requests anyway is
 not a reason to say they don't need to be protected. It might be more
 accurate to say that such requests are not authenticated, and thus, are
 unlikely to perform sensitive actions.
 2) This statement ignores the possibility of login CSRFs. These are
 requests that do not have a session cookie, but /do/ need to be protected.

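The reporter's second point, that a login POST carries no session cookie yet still needs CSRF protection, is easiest to see with two login handlers side by side. The following is an added example written for this thread, not code from the ticket, the reporter, or Django itself: the `Request`/`Response` classes, the `USERS` fixture, the cookie and field names, and the two handler functions are all constructed stand-ins. One handler models the documented assumption the ticket criticises (skip the check when no session cookie is present); the other applies a pre-session double-submit token, a simplified version of the cookie-based approach Luke's CsrfProtection reference describes, so that the check also covers a browser that has never logged in.

```python
"""Login CSRF: why a CSRF check must not be gated on the session cookie.

Added example for ticket #10996. Nothing here is Django's implementation;
Request, Response, USERS and the handler names are constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE = "csrftoken"            # assumed cookie name
CSRF_FIELD = "csrfmiddlewaretoken"   # assumed hidden-field name
SESSION_COOKIE = "sessionid"         # assumed session cookie name

USERS = {"alice": "correct horse"}   # constructed fixture, not real credentials


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    set_cookies: dict = field(default_factory=dict)
    body: str = ""


def issue_login_form() -> Response:
    """GET handler: set a fresh random token as a cookie and embed the same
    value in the form. Only the browser that loaded this form can later
    present both halves, and it needs no session to do so."""
    token = secrets.token_urlsafe(32)
    resp = Response(status=200, set_cookies={CSRF_COOKIE: token})
    resp.body = f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
    return resp


def csrf_ok(request: Request) -> bool:
    """Double-submit check: the posted field must equal the cookie.
    compare_digest keeps the comparison constant-time."""
    cookie = request.cookies.get(CSRF_COOKIE, "")
    submitted = request.post.get(CSRF_FIELD, "")
    return bool(cookie) and hmac.compare_digest(cookie, submitted)


def _authenticate(request: Request) -> Response:
    """Credential check shared by both handlers; issues a session on success."""
    user = request.post.get("username")
    if user in USERS and USERS[user] == request.post.get("password"):
        return Response(status=302, set_cookies={SESSION_COOKIE: f"session-for-{user}"})
    return Response(status=401)


def login_session_gated(request: Request) -> Response:
    """Models the assumption quoted in the ticket: requests without a session
    cookie are treated as not needing protection. A login POST from a browser
    that is not logged in has no session, so the CSRF check never runs."""
    if SESSION_COOKIE in request.cookies and not csrf_ok(request):
        return Response(status=403)
    return _authenticate(request)


def login_hardened(request: Request) -> Response:
    """Always runs the CSRF check, whether or not a session exists."""
    if not csrf_ok(request):
        return Response(status=403)
    return _authenticate(request)


def legitimate_flow(view) -> int:
    """Same-origin flow: load the form, then post token cookie + field together."""
    form = issue_login_form()
    token = form.set_cookies[CSRF_COOKIE]
    req = Request("POST", cookies=dict(form.set_cookies),
                  post={CSRF_FIELD: token, "username": "alice",
                        "password": "correct horse"})
    return view(req).status


def cross_site_login_post(view) -> int:
    """The login-CSRF shape from the paper cited in the ticket: a POST the user
    did not intend, carrying credentials for some account the third party
    controls. The browser attaches whatever cookies it has for the site, but
    a cross-origin page cannot read the CSRF cookie, so the posted field
    cannot match it. No session cookie is present because nobody is logged in."""
    req = Request("POST",
                  cookies={CSRF_COOKIE: "token-the-other-origin-cannot-read"},
                  post={CSRF_FIELD: "guess", "username": "alice",
                        "password": "correct horse"})
    return view(req).status


if __name__ == "__main__":
    for view in (login_session_gated, login_hardened):
        print(view.__name__, "legit:", legitimate_flow(view),
              "cross-site:", cross_site_login_post(view))
```

The session-gated handler accepts the cross-site login (status 302, a session is now established for an account the user did not choose), while the hardened handler rejects it with 403 and still accepts the genuine flow. The only difference between the two is whether the presence of a session cookie is allowed to switch the CSRF check off, which is exactly the statement the ticket asks to have removed from the documentation.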