| From: | Marti Raudsepp <marti(at)juffo(dot)org> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-www <pgsql-www(at)postgresql(dot)org> |
| Subject: | [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/ |
| Date: | 2012-11-07 20:28:23 |
| Message-ID: | CABRT9RAzDp0Y1B7M7VLNLGnFzsdb=MbFOR_QqNbdFPgMpJTqGA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
It's clear now why CSRF didn't work on these pages: the csrf_token
templatetag requires rendering the template with a RequestContext.
I went through all code using render_to_response() without
RequestContext/NavContext and made sure that they don't process POST
data. I skimmed through the grep last time, but apparently I wasn't
very attentive.
I also permitted POST requests to /search/ again. These aren't sent by
the site itself, but it was allowed before, maybe for a reason.
api_varnish_purge still needs the @ssl_required fix -- I will submit that later.
Regards,
Marti
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Fix-CSRF-verification-in-admin-mergeorg-and-admin-pu.patch | application/octet-stream | 3.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marti Raudsepp | 2012-11-07 20:36:32 | Re: [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/ |
| Previous Message | Magnus Hagander | 2012-11-07 19:58:06 | Re: [GENERAL] Error registering at postgresql.org |