Re: CSRF token not validated?

2011-09-13 Thread Jens Diemer
On 12.09.2011 22:32, Carl Meyer wrote:
> Sanity-checking the length sounds reasonable to me - do you mind opening a ticket for this and attaching your patch?

Done ;)
Ticket: https://code.djangoproject.com/ticket/16827
Patch: https://github.com/django/django/pull/45
-- Mfg.

Re: CSRF token not validated?

2011-09-12 Thread Babatunde Akinyanmi
+1

On 9/12/11, Carl Meyer wrote:
> Hi Jens,
>
> On 09/12/2011 10:20 AM, Jens Diemer wrote:
>> I'm surprised that the CSRF token sent from the client isn't validated.
>
> Well, it is sanitized to only alphanumeric characters,

Re: CSRF token not validated?

2011-09-12 Thread Andre Terra
Oneliner:

    re.sub('[^a-zA-Z0-9]', '', str(token.decode('ascii', 'ignore'))) if (len(token) == 32) else ''

Cheers,
AT

On Mon, Sep 12, 2011 at 5:32 PM, Carl Meyer wrote:
> Hi Jens,
>
> On 09/12/2011 10:20 AM, Jens Diemer
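A length-checked sanitizer in the spirit of the oneliner above, with a comparison step so the whole request-side check can be exercised; this is an added example, not code from the thread or from Django itself. The fixed 32-character token length, the handling of bytes input and the constant-time comparison are assumptions of the example.

```python
import re
import secrets

# Assumed fixed token length, matching the len(token) == 32 test in the thread.
TOKEN_LENGTH = 32
_NOT_ALNUM = re.compile(r'[^a-zA-Z0-9]')


def sanitize_token(token):
    """Return the token if it is exactly TOKEN_LENGTH alphanumerics, else ''.

    The length check runs before anything else, so an oversized value (the
    DoS concern raised in the thread) is dropped without the regex ever
    scanning it.  Only a str or bytes of exactly TOKEN_LENGTH gets further.
    """
    if isinstance(token, bytes):
        token = token.decode('ascii', 'ignore')
    if not isinstance(token, str) or len(token) != TOKEN_LENGTH:
        return ''
    cleaned = _NOT_ALNUM.sub('', token)
    # Stripping must not change a genuine token.  If it did, the client sent
    # something that was never a valid token, so reject it rather than accept
    # a shortened value.
    return cleaned if len(cleaned) == TOKEN_LENGTH else ''


def csrf_request_ok(request_token, cookie_token):
    """True only if both tokens sanitize cleanly and are equal.

    compare_digest avoids leaking the position of the first mismatch through
    timing; an assumption of this example, not something the thread discusses.
    """
    req = sanitize_token(request_token)
    cookie = sanitize_token(cookie_token)
    if not req or not cookie:
        return False
    return secrets.compare_digest(req, cookie)


def new_token():
    """Generate a fresh alphanumeric token of TOKEN_LENGTH characters."""
    return secrets.token_hex(TOKEN_LENGTH // 2)
```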

Re: CSRF token not validated?

2011-09-12 Thread Carl Meyer
Hi Jens,

On 09/12/2011 10:20 AM, Jens Diemer wrote:
> I'm surprised that the CSRF token sent from the client isn't validated.

Well, it is sanitized to only alphanumeric characters, but you're right that the length is never checked.

> Don't know

CSRF token not validated?

2011-09-12 Thread Jens Diemer
I'm surprised that the CSRF token sent from the client isn't validated. Don't know if a DoS attack is possible by sending many requests with very long CSRF tokens? IMHO it's a good idea to check the length before doing anything with it. e.g.: