Re: [Django] #12358: RequestContent with "poisoned" csrf_token for flatpages

2010-02-04 Thread Django
#12358: RequestContent with "poisoned" csrf_token for flatpages
-----------------------------------------+---------------------------------
          Reporter:  phretor             |  Owner:        nobody
            Status:  new                 |  Milestone:    1.2
         Component:  Authentication      |  Version:      SVN
        Resolution:                      |  Keywords:     csrf flatpages
             Stage:  Unreviewed          |  Has_patch:    1
        Needs_docs:  0                   |  Needs_tests:  0
Needs_better_patch:  0                   |
-----------------------------------------+---------------------------------
Changes (by lukeplant):

  * needs_better_patch:  => 0
  * needs_tests:  => 0
  * needs_docs:  => 0

Comment:

 The problem is caused by the fact that if a 404 is raised because nothing
 matched the URLconf, then the middleware `process_view` methods are
 skipped (there is no found view, so you can't call them).  This includes
 `CsrfViewMiddleware.process_view`, so necessary setup for the csrf_token
 is not done.

 The fix is to use @csrf_protect on the flatpages view.

 The fix on that other site, BTW, is wrong, because it neuters a test which
 was there for a good reason.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.
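As an added illustration of the dispatch path lukeplant describes above (this is not code from the ticket or from Django; Request, CsrfViewMiddleware, csrf_protect and dispatch below are simplified stand-ins for Django's real classes and decorator), the model shows why a flatpage rendered by the 404 fallback gets NOTPROVIDED and how wrapping the view restores the token:

```python
# Added example, not Django's code: a minimal model of middleware dispatch.
# When the URLconf matches nothing, process_view is never called, so the
# CSRF token is absent when the flatpage fallback renders the page.
import secrets


class Request:
    def __init__(self, path):
        self.path = path
        self.META = {}  # the middleware stores its token here


class CsrfViewMiddleware:
    """Stand-in: only process_view performs the token setup."""

    def process_view(self, request, view, args, kwargs):
        request.META.setdefault("CSRF_COOKIE", secrets.token_hex(16))


def csrf_context(request):
    # Stand-in for the context processor: missing token -> NOTPROVIDED.
    return {"csrf_token": request.META.get("CSRF_COOKIE", "NOTPROVIDED")}


def csrf_protect(view):
    """Stand-in for the real decorator: run process_view on every call."""

    def wrapped(request, *args, **kwargs):
        CsrfViewMiddleware().process_view(request, view, args, kwargs)
        return view(request, *args, **kwargs)

    return wrapped


def flatpage(request, url):
    # Stand-in flatpage view; returns the rendered context instead of HTML.
    return {"url": url, **csrf_context(request)}


# Constructed URLconf with a single matching route.
URLCONF = {"/accounts/": lambda request: csrf_context(request)}


def dispatch(request, flatpage_view):
    """Resolve the URL; if nothing matches, the fallback renders the flatpage."""
    try:
        view = URLCONF[request.path]
    except KeyError:
        # 404 from the URLconf: no view found, so process_view is skipped and
        # the fallback middleware calls the flatpage view directly.
        return flatpage_view(request, request.path)
    CsrfViewMiddleware().process_view(request, view, (), {})
    return view(request)
```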



[Django] #12358: RequestContent with "poisoned" csrf_token for flatpages

2009-12-10 Thread Django
#12358: RequestContent with "poisoned" csrf_token for flatpages
-----------------------------------------+---------------------------------
  Reporter:  phretor             |  Owner:      nobody
    Status:  new                 |  Milestone:  1.2
 Component:  Authentication      |  Version:    SVN
  Keywords:  csrf flatpages      |  Stage:      Unreviewed
 Has_patch:  1                   |
-----------------------------------------+---------------------------------
 If a form that needs {% csrf_token %} is included in the template of a
 flatpage, the {{{context['csrf_request']}}} ends up being NOTPROVIDED.
 Very strange indeed. For example, this is a piece of the context:

 {{{
 [...]
 {'csrf_token': },
 {'csrf_token': },
 {'flatpage': }
 [...]
 }}}

 Other people have noticed the same problem while using a 3rd party app,
 but this is just a coincidence. However, they also claim to have a patch,
 but I haven't applied it as it is not official:

   * http://code.google.com/p/django-multilingual/issues/detail?id=106#c0

 To reproduce the problem:

  * include an instance of django.contrib.auth.forms.UserCreationForm
    (http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/forms.py#L10)
    into a 'flatpages/default.html'
  * be sure to add {% csrf_token %} and the required middlewares and
    context processors
  * add a raise Exception(str(c)) between L45 and L46 of
    http://code.djangoproject.com/browser/django/trunk/django/contrib/flatpages/views.py,
    so you can inspect the content of the response context

 In my case, this is the context:

 {{{
 [{'login_form': },
 {'MEDIA_URL': '/media/'},
 {'request': , POST:,

 COOKIES:{'__utma':
 '158801083.1369707719.1258975226.1258975226.1258975226.1',
 '__utmz':
 '158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)',
 'sessionid': 'db3a36a56037381e6fffb8ece7f3d9ca'},

 META:{'DOCUMENT_ROOT': '/Users/phretor/public_html/vplab/public',
 'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTPS': 'off',
 'HTTP_ACCEPT':
 
'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'en-us',
 'HTTP_CACHE_CONTROL': 'max-age=0',
 'HTTP_CONNECTION': 'keep-alive',
 'HTTP_COOKIE':
 '__utma=158801083.1369707719.1258975226.1258975226.1258975226.1;
 __utmz=158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
 sessionid=db3a36a56037381e6fffb8ece7f3d9ca', 'HTTP_HOST': 'vplab',
 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-
 us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9',
 'PATH': '/bin:/usr/bin:/sbin:/usr/sbin',
 'PATH_INFO': u'/library/',
 'PATH_TRANSLATED': '/Users/phretor/public_html/vplab/public/library/',
 'QUERY_STRING': '', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '48885',
 'REQUEST_METHOD': 'GET', 'REQUEST_URI': '/library/', 'SCRIPT_FILENAME':
 '',
 'SCRIPT_NAME': u'', 'SCRIPT_URL': '/library/', 'SERVER_ADDR': '127.0.0.1',
 'SERVER_NAME': 'vplab', 'SERVER_PORT': '80', 'SERVER_PROTOCOL':
 'HTTP/1.1',
 'SERVER_SIGNATURE': 'Cherokee web server',
 'SERVER_SOFTWARE': 'Cherokee/0.99.24 (UNIX)',
 'wsgi.errors': ,
 'wsgi.input': ,
 'wsgi.multiprocess': False, 'wsgi.multithread': True, 'wsgi.run_once':
 False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}>},
 {'perms': ,
 'messages': ,
 'user': },
 {'csrf_token': },
 {'csrf_token': },
 {'flatpage': }]
 }}}
