Re: [Django] #12738: CSRF token name should be a configurable setting

2018-08-18 Thread Django
#12738: CSRF token name should be a configurable setting
-+-
 Reporter:  German M. Bravo         |  Owner:  nobody
 Type:  Cleanup/optimization        |  Status:  closed
 Component:  CSRF                   |  Version:
 Severity:  Normal                  |  Resolution:  wontfix
 Keywords:                          |  Triage Stage:  Unreviewed
 Has patch:  0                      |  Needs documentation:  0
 Needs tests:  0                    |  Patch needs improvement:  0
 Easy pickings:  0                  |  UI/UX:  0
-+-
Changes (by Tim Graham):

 * type:  Uncategorized => Cleanup/optimization
 * component:  Uncategorized => CSRF


Comment:

 A [https://github.com/django/django/pull/10305 PR] implemented this with rationale "[https://github.com/AliasIO/Wappalyzer/blob/f5a77f3453c796c66f3e597fb30edbc3e2a285c8/src/apps.json#L2471 Wappalyzer] identifies Django application with "csrfmiddlewaretoken" input name."

 I wrote to [https://groups.google.com/d/topic/django-developers/V8-ifC7i_nU/discussion django-developers] to see if there's consensus to reopen this ticket.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/064.bf888cd6b8691a84aa6251545e555931%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #12738: CSRF token name should be a configurable setting

2011-12-13 Thread Django
#12738: CSRF token name should be a configurable setting
---+--
 Reporter:  Kronuz |Owner:  nobody
 Type:  Uncategorized  |   Status:  closed
Component:  Uncategorized  |  Version:
 Severity:  Normal |   Resolution:  wontfix
 Keywords: | Triage Stage:  Unreviewed
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by Kronuz):

 * cc: Kronuz (added)
 * ui_ux:   => 0
 * type:   => Uncategorized
 * severity:   => Normal
 * easy:   => 0





Re: [Django] #12738: CSRF token name should be a configurable setting

2010-02-04 Thread Django
#12738: CSRF token name should be a configurable setting
+---
  Reporter:  Kronuz | Owner:  nobody
Status:  closed | Milestone:  1.2   
 Component:  Uncategorized  |   Version:
Resolution:  wontfix|  Keywords:
 Stage:  Unreviewed | Has_patch:  0 
Needs_docs:  0  |   Needs_tests:  0 
Needs_better_patch:  0  |  
+---
Changes (by lukeplant):

  * status:  new => closed
  * resolution:  => wontfix

Comment:

 No response, so I presume there is no use case, so closing.




Re: [Django] #12738: CSRF token name should be a configurable setting

2010-01-30 Thread Django
#12738: CSRF token name should be a configurable setting
+---
  Reporter:  Kronuz | Owner:  nobody
Status:  new| Milestone:  1.2   
 Component:  Uncategorized  |   Version:
Resolution: |  Keywords:
 Stage:  Unreviewed | Has_patch:  0 
Needs_docs:  0  |   Needs_tests:  0 
Needs_better_patch:  0  |  
+---
Changes (by lukeplant):

  * needs_better_patch:  => 0
  * needs_tests:  => 0
  * needs_docs:  => 0

Comment:

 I don't understand why that would improve security.  The security lies in
 the value of the token, not the name.  Most CSRF attacks are going to be
 per-site, and a setting would be per-site.  Also, if an attacker was using
 a more generic attack against all Django-powered sites, it would be easy
 to find out what the name of the token is for a specific site - one
 request to a page that contains a POST form, and you are done, since a
 simple regex will in most cases find which field 'looks like' a Django
 CSRF token.

 Do you have an actual use case where you need this?

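The point lukeplant makes above (one request to a page with a POST form plus a simple regex finds the token field whatever it is called) and the Wappalyzer name-based fingerprint cited in the 2018 update at the top of the thread, as an added example. This is not code from the ticket, from Django or from Wappalyzer. Both HTML pages are constructed here, the renamed field name `_xsrf`, the two token values and the entropy threshold are assumptions for illustration, and the token-shape regex is a generic heuristic rather than Django's actual token format.

```python
"""Added example: does renaming Django's CSRF hidden field hide it?

Both pages below are constructed samples, not fetched from any real site.
The first uses Django's default hidden-input name; the second renames the
field (what the ticket asks for) but keeps a token of the same shape.
"""
import math
import re
from collections import Counter
from html.parser import HTMLParser

PAGE_DEFAULT = """
<form method="post" action="/login/">
  <input type="hidden" name="csrfmiddlewaretoken"
         value="Qm3xZ7pLa9Rv2tNc8Ky4Hw6Bj1Ds5Fg0Xe7Uo3Tr9Ia2Vb4Wn6Pk8Ml1Zy5Cq0Jh">
  <input type="hidden" name="next" value="/accounts/profile/">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

# Assumed renamed field "_xsrf"; the token value is constructed.
PAGE_RENAMED = """
<form method="post" action="/login/">
  <input type="hidden" name="_xsrf"
         value="c9Tz2Vm7KqA4xLp1Rn8Jw5Hb3Ys6Ue0Gd9Fo2Ni7Bt4Xa1Pk8Ml5Qc3Zr6Wj0DvE">
  <input type="hidden" name="form_id" value="42">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""


class HiddenInputs(HTMLParser):
    """Collect (name, value) for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.fields.append((a.get("name", ""), a.get("value", "")))


def hidden_inputs(html):
    p = HiddenInputs()
    p.feed(html)
    return p.fields


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Generic "looks like a token" shape: a long run of alphanumerics. This is an
# assumption for the example, not Django's exact token format.
TOKEN_SHAPE = re.compile(r"[A-Za-z0-9]{32,}")


def has_default_django_field(html):
    """Name-based fingerprint (the Wappalyzer approach): defeated by renaming."""
    return any(name == "csrfmiddlewaretoken" for name, _ in hidden_inputs(html))


def find_csrf_like_fields(html, min_entropy=3.0):
    """Value-based fingerprint: any hidden field whose value is a long,
    alphanumeric, high-entropy blob. Works whatever the field is called,
    so a per-site name setting buys nothing against this check."""
    return [(name, value) for name, value in hidden_inputs(html)
            if TOKEN_SHAPE.fullmatch(value)
            and shannon_entropy(value) >= min_entropy]


if __name__ == "__main__":
    for label, page in (("default name", PAGE_DEFAULT), ("renamed field", PAGE_RENAMED)):
        print(label, "-> by name:", has_default_django_field(page),
              "| by value:", [n for n, _ in find_csrf_like_fields(page)])
```

Run as-is: the name check returns True for the first page and False for the second, while the value check picks out `csrfmiddlewaretoken` on the first page and `_xsrf` on the second, ignoring the short `form_id` and the path-valued `next` field. That is the thread's argument in executable form: the name is not where the security lives, and an attacker who wants the field name can read it from one GET.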