Re: [Django] #16859: CSRF Improvements

2017-02-27 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  Paul McMillan        |  Owner:  Paul McMillan
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Ed Morley):

 Currently the CSRF middleware performs strict `Referer` header checking,
 to (a) mitigate MITM attacks that set a cookie via plain HTTP, and (b)
 prevent issues with malicious subdomains.

 If the new `CSRF_USE_SESSIONS` is set to `True`, does that mean both of
 those issues can no longer occur, and so the strict referrer checking is
 then not required? (Along the lines of:
 https://github.com/django/django/pull/5600#issuecomment-154797097)

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/063.a553b93ead7a44c0e743b63761cef9d0%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
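Ed Morley's comment contrasts the two threats the strict Referer check addresses (a cookie planted over plain HTTP, a cookie planted by a sibling subdomain) with the new session-based token storage. The model below is an added example, not Django's code and not part of the ticket: it re-implements, in deliberately simplified form, a double-submit cookie check and a session-bound check, each with and without a strict Referer check, and runs a constructed cross-origin POST carrying a planted token cookie against both. The class and function names (Request, check_cookie_token, check_session_token, scenario), the cookie and session key names, and the sample hosts are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not Django's HttpRequest)."""
    host: str                                     # value of the Host header
    secure: bool                                  # True if served over HTTPS
    cookies: dict = field(default_factory=dict)   # cookies sent by the browser
    post: dict = field(default_factory=dict)      # form fields in the body
    headers: dict = field(default_factory=dict)   # other request headers
    session: dict = field(default_factory=dict)   # server-side session contents


def referer_ok(request: Request) -> bool:
    """Strict Referer check for HTTPS requests: the Referer must be an https URL
    whose host is exactly the request's Host. A sibling subdomain or a plain-http
    page fails this even if it was able to write cookies for the parent domain."""
    referer = request.headers.get("Referer")
    if not referer:
        return False
    parsed = urlparse(referer)
    return parsed.scheme == "https" and parsed.netloc == request.host


def tokens_match(expected, submitted) -> bool:
    """Constant-time equality that also rejects a missing token on either side."""
    if expected is None or submitted is None:
        return False
    return secrets.compare_digest(expected, submitted)


def check_cookie_token(request: Request, strict_referer: bool = True) -> bool:
    """Double-submit cookie: the csrftoken cookie must equal the form field.
    Any party able to write a cookie for the domain can satisfy this on its own,
    which is the gap the Referer check closes for the cookie strategy."""
    if request.secure and strict_referer and not referer_ok(request):
        return False
    return tokens_match(request.cookies.get("csrftoken"),
                        request.post.get("csrfmiddlewaretoken"))


def check_session_token(request: Request, strict_referer: bool = True) -> bool:
    """Session-bound token: the expected value lives server-side in the session,
    so a cookie written by another origin cannot change what is expected."""
    if request.secure and strict_referer and not referer_ok(request):
        return False
    return tokens_match(request.session.get("_csrftoken"),
                        request.post.get("csrfmiddlewaretoken"))


def scenario() -> dict:
    """Constructed scenario: the victim's session holds the real token; a POST
    from a sibling subdomain arrives with a planted csrftoken cookie and a
    matching form field. Returns each check's verdict so the strategies can be
    compared side by side."""
    real_token = secrets.token_hex(16)
    planted = secrets.token_hex(16)            # value chosen by the other origin

    forged = Request(                           # constructed cross-origin request
        host="app.example.com", secure=True,
        cookies={"csrftoken": planted},
        post={"csrfmiddlewaretoken": planted},
        headers={"Referer": "https://other.example.com/"},
        session={"_csrftoken": real_token},     # victim's session cookie rides along
    )
    genuine = Request(                          # constructed same-origin request
        host="app.example.com", secure=True,
        cookies={"csrftoken": real_token},
        post={"csrfmiddlewaretoken": real_token},
        headers={"Referer": "https://app.example.com/form"},
        session={"_csrftoken": real_token},
    )
    return {
        "cookie_no_referer_forged": check_cookie_token(forged, strict_referer=False),
        "cookie_strict_forged": check_cookie_token(forged),
        "session_no_referer_forged": check_session_token(forged, strict_referer=False),
        "session_strict_forged": check_session_token(forged),
        "cookie_strict_genuine": check_cookie_token(genuine),
        "session_strict_genuine": check_session_token(genuine),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:28s} accepted={verdict}")
```

Running scenario() shows the cookie-based check accepting the planted cookie when the Referer check is off and rejecting it when on, while the session-bound check rejects it either way, because the expected value never leaves the server. The model omits Django's token masking and its trusted-origins list, so it illustrates only the storage question raised in the comment, not the middleware's full logic.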


Re: [Django] #16859: CSRF Improvements

2017-01-20 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  Paul McMillan        |  Owner:  Paul McMillan
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 In [changeset:"6bb01b0b3cc6e5b2cf8d75ed2fd00a442d5caf52" 6bb01b0]:
 {{{
 #!CommitTicketReference repository=""
 revision="6bb01b0b3cc6e5b2cf8d75ed2fd00a442d5caf52"
 [1.11.x] Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS
 setting.

 Backport of 503e944ac792498e7b38c799d8e4b06f74e9d65a from master
 }}}



Re: [Django] #16859: CSRF Improvements

2017-01-20 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  Paul McMillan        |  Owner:  Paul McMillan
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 In [changeset:"503e944ac792498e7b38c799d8e4b06f74e9d65a" 503e944a]:
 {{{
 #!CommitTicketReference repository=""
 revision="503e944ac792498e7b38c799d8e4b06f74e9d65a"
 Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.
 }}}



Re: [Django] #16859: CSRF Improvements

2016-12-17 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  Paul McMillan        |  Owner:  Paul McMillan
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 In [changeset:"33e86b3488dbf29f5aeb38cf0ee6597190d33c59" 33e86b34]:
 {{{
 #!CommitTicketReference repository=""
 revision="33e86b3488dbf29f5aeb38cf0ee6597190d33c59"
 Refs #16859 -- Disabled CSRF_COOKIE_* checks when using CSRF_USE_SESSIONS.
 }}}



Re: [Django] #16859: CSRF Improvements

2016-11-30 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  Paul McMillan        |  Owner:  Paul McMillan
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * has_patch:  1 => 0




Re: [Django] #16859: CSRF Improvements

2016-11-30 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  Paul McMillan        |  Owner:  Paul McMillan
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  1                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 In [changeset:"ddf169cdaca91e92dd5bfe6796bb6f38369ecb68" ddf169c]:
 {{{
 #!CommitTicketReference repository=""
 revision="ddf169cdaca91e92dd5bfe6796bb6f38369ecb68"
 Refs #16859 -- Allowed storing CSRF tokens in sessions.

 Major thanks to Shai for helping to refactor the tests, and to
 Shai, Tim, Florian, and others for extensive and helpful review.
 }}}



Re: [Django] #16859: CSRF Improvements

2016-11-22 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  Paul McMillan        |  Owner:  Paul McMillan
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  1                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * has_patch:  0 => 1




Re: [Django] #16859: CSRF Improvements

2015-11-07 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  PaulM                |  Owner:  PaulM
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by raphaelm):

 * cc: mail@… (added)


Comment:

 I submitted a first version of a patch for session storage of CSRF tokens:
 https://github.com/django/django/pull/5600

 I'd love to have some review on this, but I'm fine with postponing the
 merge after Shai landed his changes to CSRF handling, as those two will
 get merge conflicts and his one will be the bigger change.



Re: [Django] #16859: CSRF Improvements

2015-11-07 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  PaulM                |  Owner:  PaulM
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by raphaelm):

 In case other people at the #duth sprint are looking into this: Shai
 Berger is working on a new approach to generating the tokens and I'm
 working on the usage of sessions for token storage.



Re: [Django] #16859: CSRF Improvements

2015-03-25 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  PaulM                |  Owner:  PaulM
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by auvipy):

 * version:  1.3 => master




Re: [Django] #16859: CSRF Improvements

2015-01-27 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  PaulM                |  Owner:  PaulM
         Type:  Cleanup/optimization |  Status:  new
    Component:  CSRF                 |  Version:  1.3
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by collinanderson):

 * cc: cmawebsite@… (added)




Re: [Django] #16859: CSRF Improvements

2014-03-22 Thread Django
#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  PaulM                |  Owner:  PaulM
         Type:  Cleanup/optimization |  Status:  new
    Component:  contrib.csrf         |  Version:  1.3
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Accepted
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Japneet Singh):

 This ticket requires some cleanup and some makeover. Optional tie setup may
 work or may not as it has some vulnerabilities. I would like to add
 that we build a basic framework for these things to happen.
