Re: [Django] #28699: REMOTE_USER issues with CSRF

2020-02-26 Thread Django
#28699: REMOTE_USER issues with CSRF
------------------------------+-------------------------------------------
     Reporter:  stephanm      |                    Owner:  Colton Hicks
         Type:  Bug           |                   Status:  closed
    Component:  contrib.auth  |                  Version:  1.11
     Severity:  Normal        |               Resolution:  fixed
     Keywords:  remote user   |             Triage Stage:  Ready for checkin
    Has patch:  1             |      Needs documentation:  0
  Needs tests:  1             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+-------------------------------------------
Changes (by Carlton Gibson):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"f283ffaa84ef0a558eb466b8fc3fae7e6fbb547c" f283ffa]:
 {{{
 #!CommitTicketReference repository=""
 revision="f283ffaa84ef0a558eb466b8fc3fae7e6fbb547c"
 Fixed #28699 -- Fixed CSRF validation with remote user middleware.

 Ensured process_view() always accesses the CSRF token from the session
 or cookie, rather than the request, as rotate_token() may have been called
 by an authentication middleware during the process_request() phase.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.879890148d6c1116d11a2da62d073833%40djangoproject.com.
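To make the failure mode described in the commit message concrete, here is an added Python sketch (not Django's code and not part of this thread) that models the two middleware phases: a valid form token is rejected when process_view() reads the token from request.META after login() has rotated it, and accepted once the token is re-read from the cookie. `Request`, `rotate_token` and the middleware functions are simplified stand-ins for the Django ones; token masking and the session-backed token store are left out.

```python
import secrets

CSRF_COOKIE_NAME = "csrftoken"  # Django's default cookie name

class Request:
    # Constructed stand-in for HttpRequest, not Django's class.
    def __init__(self, cookie_token, form_token):
        self.COOKIES = {CSRF_COOKIE_NAME: cookie_token}
        self.POST = {"csrfmiddlewaretoken": form_token}
        self.META = {}

def rotate_token(request):
    # What rotate_token() does on login(): stage a fresh token in META
    # so the response sets a new cookie. The old cookie is left untouched.
    request.META["CSRF_COOKIE"] = secrets.token_hex(16)

def csrf_process_request(request):
    # CsrfViewMiddleware.process_request(): cache the cookie token in META.
    token = request.COOKIES.get(CSRF_COOKIE_NAME)
    if token is not None:
        request.META["CSRF_COOKIE"] = token

def remote_user_process_request(request):
    # RemoteUserMiddleware logs the user in during process_request(), and
    # login() rotates the token; this runs before any process_view().
    rotate_token(request)

def csrf_process_view(request, use_fix):
    # Before the fix the token came from request.META, which rotate_token()
    # has just overwritten; the fix re-reads it from the cookie, as
    # CsrfViewMiddleware._get_token() does (token masking omitted here).
    if use_fix:
        csrf_token = request.COOKIES.get(CSRF_COOKIE_NAME)
    else:
        csrf_token = request.META.get("CSRF_COOKIE")
    if csrf_token is None:
        return "403 CSRF cookie not set"
    submitted = request.POST.get("csrfmiddlewaretoken", "")
    if not secrets.compare_digest(submitted, csrf_token):
        return "403 CSRF token missing or incorrect"
    return "200 OK"

def post_with_remote_user(use_fix):
    # A POST whose form token matches the cookie it was issued with.
    token = secrets.token_hex(16)
    request = Request(cookie_token=token, form_token=token)
    csrf_process_request(request)  # process_request phase...
    remote_user_process_request(request)  # ...where login rotates the token
    return csrf_process_view(request, use_fix)
```

Running `post_with_remote_user(False)` reproduces the spurious 403 from the ticket, while `post_with_remote_user(True)` shows the same request passing once the token is read from the cookie; a forged or mismatched form token is still rejected either way.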


Re: [Django] #28699: REMOTE_USER issues with CSRF

2020-02-26 Thread Django
#28699: REMOTE_USER issues with CSRF
------------------------------+-------------------------------------------
     Reporter:  stephanm      |                    Owner:  Colton Hicks
         Type:  Bug           |                   Status:  assigned
    Component:  contrib.auth  |                  Version:  1.11
     Severity:  Normal        |               Resolution:
     Keywords:  remote user   |             Triage Stage:  Ready for checkin
    Has patch:  1             |      Needs documentation:  0
  Needs tests:  1             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+-------------------------------------------
Changes (by Carlton Gibson):

 * owner:  Rodrigo => Colton Hicks
 * stage:  Accepted => Ready for checkin




Re: [Django] #28699: REMOTE_USER issues with CSRF

2020-02-19 Thread Django
#28699: REMOTE_USER issues with CSRF
--+
 Reporter:  stephanm  |Owner:  Rodrigo
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  1.11
 Severity:  Normal|   Resolution:
 Keywords:  remote user   | Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  1 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+
Changes (by Carlton Gibson):

 * needs_tests:  0 => 1


Comment:

 [https://github.com/django/django/pull/12402 New PR] that suggests using
 `CsrfViewMiddleware._get_token()` in `process_view()`. (This was how the
 token was fetched prior to c4c128d67c7dc2830631c6859a204c9d259f1fb1.) If
 there's no issue with that, then it looks feasible.

 Needs tests.



Re: [Django] #28699: REMOTE_USER issues with CSRF (was: Document that REMOTE_USER must be logged in before making CSRF protected requests.)

2019-10-15 Thread Django
#28699: REMOTE_USER issues with CSRF
--+
 Reporter:  stephanm  |Owner:  Rodrigo
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  1.11
 Severity:  Normal|   Resolution:
 Keywords:  remote user   | Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+
Changes (by Rodrigo):

 * has_patch:  0 => 1
 * component:  Documentation => contrib.auth


Comment:

 I think I got it! :)

 First I implemented the deferred token rotation as Carlton suggested. I
 introduced a backend setting called "CSRF_DEFER_TOKEN_ROTATION" to the
 REMOTE_USER backend, then modified the login function to check whether the
 backend has that option; if so, do not rotate the token but defer it, then
 catch it in CSRF's process_response, not REMOTE_USER's.

 It worked. But... I then realized that every backend should have that
 option, because it's the CSRF MW's responsibility to do that, not the login
 function's, which led me to realize that it's kind of a break of the
 separation of concerns: the login function as it stood before is tied to
 the CSRF MW, and if the CSRF MW is not enabled, the Django login would not
 work, making it not loosely coupled with the MW.

 Then, the solution is to delegate the token rotation entirely to the CSRF
 MW and do it at the end of the request-response cycle, so if there is a
 valid token, process the request and then rotate the token for the next
 request.

 After trying different options, like a CSRF_TOKEN_ROTATION_ON_LOGIN general
 setting, the best and minimal solution I found is just to reuse the
 previously defined vars, add another flag for rotation - csrf_token_rotation
 - and just delegate it to the MW if the MW is enabled.

 By doing this, token rotation for the REMOTE_USER backend should be fixed
 without the need for reordering.

 I removed the CSRF_TOKEN_ROTATION_ON_LOGIN setting to disable the feature,
 but as the rotation works as expected, it has a very limited application
 (only troubleshooting comes to my mind), though I can re-submit it later if
 you consider it.

 [https://github.com/django/django/pull/11919 PR]
