From: | Marti Raudsepp <marti(at)juffo(dot)org> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-www <pgsql-www(at)postgresql(dot)org> |
Subject: | [PATCH] Fix CSRF verification on /api/varnish/purge & misc |
Date: | 2012-11-07 21:30:22 |
Message-ID: | CABRT9RD_Gpd8DMTXBbJx0-fsTU7XcN06hWQMMZgQ6-Ty2Y4Uig@mail.gmail.com |
Lists: | pgsql-www |

Hi list,

Three more patches:

0001-Update-ssl_required-decorator-to-play-nice-with-othe.patch

This is the important one to make /api/varnish/purge/ work again. The
@ssl_required decorator now cooperates with other decorators and
retains attributes, rather than overriding them all.

The other 2 decorators in util/decorators.py probably also need this
fix, but I decided not to do it now to reduce testing effort.

0002-Fix-small-bug-in-api_varnish_purge-error-path.patch

Insignificant: return HttpResponse instead of raising it in error path.

0003-CSRF-verification-failure-now-returns-HTTP-403-Forbi.patch

The CSRF failure view previously returned with HTTP status 200 OK.
That's wrong -- apps and browsers should be signaled that the request
failed. Now returns 403 Forbidden.

Regards,
Marti
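
The failure mode behind patch 0001, as an added example that is not part of the original message or of the project's code: a wrapping decorator that does not copy attributes hides the `csrf_exempt` marker set by an inner decorator, so the CSRF check rejects a token-less API call. The decorator bodies, `csrf_check`, `purge` and `REQUEST` are hypothetical stand-ins, and the example assumes `@ssl_required` is applied outermost.

```python
import functools

def csrf_exempt(view):
    # Stand-in for Django's csrf_exempt: it marks the view with an attribute.
    @functools.wraps(view)
    def wrapped(request):
        return view(request)
    wrapped.csrf_exempt = True
    return wrapped

def ssl_required_naive(view):
    # Hypothetical "before": a bare wrapper hides attributes set by inner decorators.
    def wrapper(request):
        return view(request)
    wrapper.ssl_required = True
    return wrapper

def ssl_required_fixed(view):
    # Hypothetical "after": functools.wraps copies __name__, __doc__ and __dict__.
    @functools.wraps(view)
    def wrapper(request):
        return view(request)
    wrapper.ssl_required = True
    return wrapper

def csrf_check(view, request):
    # Stand-in for the CSRF middleware: exempt views skip the token check,
    # everything else needs a valid token or gets 403 (not 200).
    if getattr(view, "csrf_exempt", False) or request["csrf_token_valid"]:
        return view(request)
    return (403, "CSRF verification failed")

def purge(request):
    # Hypothetical API view called by a machine client without a CSRF token.
    return (200, "purged")

# Constructed request: POST from a non-browser client, no CSRF token.
REQUEST = {"method": "POST", "csrf_token_valid": False}

broken_view = ssl_required_naive(csrf_exempt(purge))
fixed_view = ssl_required_fixed(csrf_exempt(purge))

if __name__ == "__main__":
    for name, view in (("naive", broken_view), ("fixed", fixed_view)):
        exempt = getattr(view, "csrf_exempt", False)
        print(name, view.__name__, "csrf_exempt=%s" % exempt, csrf_check(view, REQUEST))
```

Checking `getattr(view, "csrf_exempt", False)` on the fully decorated view in a unit test catches this class of regression before a deployed API endpoint starts rejecting its callers.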