Re: [Django] #9356: CSRFMiddleware should take session key from request.session

2009-10-26 Thread Django
#9356: CSRFMiddleware should take session key from request.session
---+
  Reporter:  bthomas   | Owner:  nobody
Status:  closed| Milestone:  1.2   
 Component:  Contrib apps  |   Version:  1.0   
Resolution:  invalid   |  Keywords:
 Stage:  Accepted  | Has_patch:  1 
Needs_docs:  0 |   Needs_tests:  1 
Needs_better_patch:  1 |  
---+
Changes (by lukeplant):

  * status:  new => closed
  * resolution:  => invalid

Comment:

 CsrfMiddleware no longer depends on the session, so this isn't valid any
 more.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en
-~--~~~~--~~--~--~---



Re: [Django] #9356: CSRFMiddleware should take session key from request.session

2009-05-07 Thread Django
#9356: CSRFMiddleware should take session key from request.session
---+
  Reporter:  bthomas   | Owner:  nobody
Status:  new   | Milestone:  1.2   
 Component:  Contrib apps  |   Version:  1.0   
Resolution:|  Keywords:
 Stage:  Accepted  | Has_patch:  1 
Needs_docs:  0 |   Needs_tests:  1 
Needs_better_patch:  1 |  
---+
Changes (by jacob):

  * milestone:  1.1 => 1.2

Comment:

 I pretty much agree with Luke's comment, and so I'm going to push this to
 1.2. There's a good chance that it'll then get closed as a dup of #9977,
 but that's a move for later.




Re: [Django] #9356: CSRFMiddleware should take session key from request.session

2009-05-07 Thread Django
#9356: CSRFMiddleware should take session key from request.session
---+
  Reporter:  bthomas   | Owner:  nobody
Status:  new   | Milestone:  1.1   
 Component:  Contrib apps  |   Version:  1.0   
Resolution:|  Keywords:
 Stage:  Accepted  | Has_patch:  1 
Needs_docs:  0 |   Needs_tests:  1 
Needs_better_patch:  1 |  
---+
Comment (by lukeplant):

 I've coded up a patch for this, extracting a bit of an early patch from
 #9977, but I'm not sure why we really need this.  I'm particularly
 concerned because the patch would add a database hit (read) to every
 request (two for POST requests), which seems unavoidable unless we want to
 mess around with internals of the SessionStore object.

 The middleware currently uses values from cookies (incoming and outgoing),
 hence avoiding database hits.  If the incoming cookie is not a valid
 session, then:

  * Incoming checks: CsrfViewMiddleware will check the session cookie is
 accompanied by a CSRF token.  The only time this will fail is if the user
 has manually messed around with the session cookie.  Otherwise the
 middleware is harmlessly checking that an expired session is matched by an
 unneeded CSRF token.

  * Outgoing processing: as far as the session framework is concerned,
 there is no session.  Any access to the session during the view function
 will create an outgoing cookie, which the CSRF middleware will notice,
 which will then do the right thing.  If there is no session created, then
 CsrfResponseMiddleware will harmlessly insert a token that corresponds to
 the session cookie the user has (which is being ignored by Django).

 What real world problem is this bug about?  If there isn't one, I'm not
 inclined to add a database hit for every request to fix it.

 The only other thing this patch would fix is the potential abuse of
 middleware to generate hashes of (SECRET_KEY + user supplied arbitrary
 string), which is much more easily addressed by adding some salt in the
 form of a prefix to the SECRET_KEY.  A quick check of instances of
 SECRET_KEY suggests that this abuse is not currently exploitable in
 Django, so I don't think we need to address this right now (and when we
 do, this is not the only bit of code we should fix - we should add unique
 prefixes to every bit of code that uses SECRET_KEY).

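Luke's last paragraph above is about domain separation: if several components each compute something of the shape hash(SECRET_KEY + input), a value one component hands out is also a valid output of the others. The following is an added illustration for this thread, not Django's code and not the patch under discussion. It models an unprefixed token function beside a prefixed one and a hypothetical second consumer of SECRET_KEY ("sign_*"), using SHA-256 from the standard library in place of whatever digest a real implementation uses; the prefixes, secret and session values are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample secret for this illustration; not a real setting.
SECRET_KEY = "example-secret-key-not-for-real-use"


def _digest(*parts: str) -> str:
    """SHA-256 over the concatenation of parts.  The digest is a stand-in;
    the presence or absence of a per-purpose prefix is the point."""
    return hashlib.sha256("".join(parts).encode("utf-8")).hexdigest()


# --- Unprefixed: every use of SECRET_KEY is the same function -------------

def csrf_token_unprefixed(session_id: str, secret: str = SECRET_KEY) -> str:
    """Token of the shape hash(SECRET_KEY + session_id), no prefix."""
    return _digest(secret, session_id)


def sign_unprefixed(payload: str, secret: str = SECRET_KEY) -> str:
    """Hypothetical second component: hash(SECRET_KEY + payload), no prefix."""
    return _digest(secret, payload)


def verify_unprefixed(payload: str, signature: str,
                      secret: str = SECRET_KEY) -> bool:
    # Constant-time comparison so verification itself leaks nothing.
    return hmac.compare_digest(sign_unprefixed(payload, secret), signature)


# --- Prefixed: each use of SECRET_KEY carries its own fixed label --------

CSRF_PREFIX = "example.csrf.token:"   # hypothetical purpose labels
SIGN_PREFIX = "example.signer:"


def csrf_token_prefixed(session_id: str, secret: str = SECRET_KEY) -> str:
    """Same token with the 'salt in the form of a prefix' Luke suggests."""
    return _digest(CSRF_PREFIX, secret, session_id)


def sign_prefixed(payload: str, secret: str = SECRET_KEY) -> str:
    return _digest(SIGN_PREFIX, secret, payload)


def verify_prefixed(payload: str, signature: str,
                    secret: str = SECRET_KEY) -> bool:
    return hmac.compare_digest(sign_prefixed(payload, secret), signature)


def token_doubles_as_signature(value: str, prefixed: bool) -> bool:
    """Does the CSRF token issued for a session cookie equal to `value`
    verify as the signer's signature over `value`?  Without prefixes the two
    components compute identical functions, so the answer is yes; with
    distinct prefixes the outputs are unrelated."""
    if prefixed:
        return verify_prefixed(value, csrf_token_prefixed(value))
    return verify_unprefixed(value, csrf_token_unprefixed(value))


if __name__ == "__main__":
    value = "arbitrary-cookie-value"
    print("unprefixed:", token_doubles_as_signature(value, prefixed=False))
    print("prefixed:  ", token_doubles_as_signature(value, prefixed=True))
```

The fix Luke describes is the `*_prefixed` variants: a unique fixed prefix per use of SECRET_KEY means no component's output is a valid output of another. Later Django releases expose this pattern as `django.utils.crypto.salted_hmac(key_salt, value)`, which keys an HMAC with a salt plus SECRET_KEY; the example above uses only `hashlib` so it runs without Django installed.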



Re: [Django] #9356: CSRFMiddleware should take session key from request.session

2009-04-01 Thread Django
#9356: CSRFMiddleware should take session key from request.session
---+
  Reporter:  bthomas   | Owner:  nobody
Status:  new   | Milestone:  1.1   
 Component:  Contrib apps  |   Version:  1.0   
Resolution:|  Keywords:
 Stage:  Accepted  | Has_patch:  1 
Needs_docs:  0 |   Needs_tests:  1 
Needs_better_patch:  1 |  
---+
Comment (by jacob):

 Ah, OK, I'd remembered the discussion but not the conclusion. Thanks.




Re: [Django] #9356: CSRFMiddleware should take session key from request.session

2009-04-01 Thread Django
#9356: CSRFMiddleware should take session key from request.session
---+
  Reporter:  bthomas   | Owner:  nobody
Status:  new   | Milestone:  1.1   
 Component:  Contrib apps  |   Version:  1.0   
Resolution:|  Keywords:
 Stage:  Accepted  | Has_patch:  1 
Needs_docs:  0 |   Needs_tests:  1 
Needs_better_patch:  1 |  
---+
Changes (by bthomas):

  * needs_better_patch:  0 => 1
  * needs_tests:  0 => 1
  * stage:  Design decision needed => Accepted

Comment:

 The reasoning behind this was discussed in more detail on #9977, and the
 patch on that ticket includes the fix for this. Since #9977 is not going
 to be included in 1.1 (and possibly not ever), either myself or Luke need
 to make a better patch for this bug based on his improved fix in the #9977
 patch.

 Also needs tests.




Re: [Django] #9356: CSRFMiddleware should take session key from request.session

2009-04-01 Thread Django
#9356: CSRFMiddleware should take session key from request.session
-+--
  Reporter:  bthomas | Owner:  nobody
Status:  new | Milestone:  1.1   
 Component:  Contrib apps|   Version:  1.0   
Resolution:  |  Keywords:
 Stage:  Design decision needed  | Has_patch:  1 
Needs_docs:  0   |   Needs_tests:  0 
Needs_better_patch:  0   |  
-+--
Changes (by jacob):

  * stage:  Accepted => Design decision needed

Comment:

 I actually think there's a good reason for this, but I can't recall why
 right now. So bumping back to DDN in case someone else can confirm if I'm
 right or mistaken.




Re: [Django] #9356: CSRFMiddleware should take session key from request.session

2009-02-26 Thread Django
#9356: CSRFMiddleware should take session key from request.session
---+
  Reporter:  bthomas   | Owner:  nobody
Status:  new   | Milestone:  1.1   
 Component:  Contrib apps  |   Version:  1.0   
Resolution:|  Keywords:
 Stage:  Accepted  | Has_patch:  1 
Needs_docs:  0 |   Needs_tests:  0 
Needs_better_patch:  0 |  
---+
Changes (by jacob):

  * needs_better_patch:  => 0
  * needs_docs:  => 0
  * stage:  Unreviewed => Accepted
  * needs_tests:  => 0
  * milestone:  => 1.1




[Django] #9356: CSRFMiddleware should take session key from request.session

2008-10-13 Thread Django
#9356: CSRFMiddleware should take session key from request.session
--+-
 Reporter:  bthomas   |   Owner:  nobody
   Status:  new   |   Milestone:
Component:  Contrib apps  | Version:  1.0   
 Keywords:|   Stage:  Unreviewed
Has_patch:  1 |  
--+-
 Since CSRFMiddleware depends on SessionMiddleware, it should use
 request.session to get the session key. That way, SessionMiddleware can
 ensure that there is a valid session ID present before the CSRF hash is
 generated.
