Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Marti Raudsepp <marti(at)juffo(dot)org>
Cc: pgsql-www <pgsql-www(at)postgresql(dot)org>
Subject: Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Date: 2012-11-07 19:11:42
Message-ID: CABUevEyDpA4c2eEOc0i+m6cYHwGGn=xsaGkiZAWAJk3c80Brtg@mail.gmail.com
Lists: pgsql-www

On Wed, Nov 7, 2012 at 7:59 PM, Marti Raudsepp <marti(at)juffo(dot)org> wrote:
> On Wed, Nov 7, 2012 at 7:49 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>> This broke the admin interface form to access varnish. I've made it
>> exempt. Is there any actual reason why we need it in the admin
>> interface, since you need to have a session logged in as an
>> administrator already to access it?
>
> Yes, you *especially* need CSRF protection in the admin interface.
> Anything that performs privileged actions and is authenticated via
> cookies without CSRF protection is vulnerable.

Fair enough. In that case, it really needs to get fixed...

>> It also broke the purging API. Also made exempt, but that appears to
>> not solve the problem. Do I need to do something more than add
>> @csrf_exempt to a view function to make it not broken? The error
>> message talks about the referrer header - but surely that shouldn't be
>> a requirement when you've set @csrf_exempt?
>
> It seems that the problem is the @ssl_required decorator -- it returns
> a new wrapped view without copying over attributes of the original
> view, such as "csrf_exempt". Changing the decorator order won't work
> either because that will confuse PgMiddleware.
>
> I'll send a patch to fix @ssl_required some time soon.

Thanks.

>> We may well have missed more parts :( Clearly neither one of us tested
>> this patch very well.
>
> "It all worked on my computer" ;)

Really? Because the purging form doesn't work on my local machine...
Which does not go through varnish at any point, for example.

Same goes for the purging API endpoint - doesn't work locally either.

So if those work for you locally, then there is definitely something
else afoot..

(The bug form worked fine on my computer, so that one was pretty hard
to catch in testing - but a good way to test it is to just turn off
cookies and see if things that should work when not logged in still
work)

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
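The decorator problem Marti describes above (a wrapping decorator that drops the `csrf_exempt` attribute so the middleware never sees it) is illustrated here with an added, stand-alone example; it is not code from the thread or from the pgweb project. `ssl_required_broken`, `ssl_required_fixed`, `middleware_allows` and the dict-based `request` are assumptions made for the illustration. The `csrf_exempt` marker mirrors what Django's decorator does (set an attribute on the view that `CsrfViewMiddleware` reads with `getattr(view, "csrf_exempt", False)`); the fix is `functools.wraps`, which copies the wrapped function's `__dict__` and therefore the marker.

```python
import functools


def csrf_exempt(view):
    """Marker decorator modelled on Django's csrf_exempt: flags the view so the
    CSRF middleware skips its check. The flag lives in the function's __dict__."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped


def ssl_required_broken(view):
    """Hypothetical buggy decorator: returns a fresh function without copying the
    original view's attributes, so an inner @csrf_exempt marker is lost."""
    def wrapped(request, *args, **kwargs):
        if not request.get("is_secure", False):
            return "redirect to https"
        return view(request, *args, **kwargs)
    return wrapped


def ssl_required_fixed(view):
    """Same behaviour, but functools.wraps copies __name__, __doc__ and __dict__
    (which carries csrf_exempt) from the inner view onto the wrapper."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        if not request.get("is_secure", False):
            return "redirect to https"
        return view(request, *args, **kwargs)
    return wrapped


def middleware_allows(view, request):
    """Mimic the CsrfViewMiddleware decision: an exempt view always passes;
    any other view needs a valid CSRF token on the request (constructed flag)."""
    if getattr(view, "csrf_exempt", False):
        return True
    return request.get("csrf_token_valid", False)


# Two purge-API views differing only in which ssl_required variant wraps them.
# Decorator order matches the thread: ssl_required outermost, csrf_exempt inside.
@ssl_required_broken
@csrf_exempt
def purge_broken(request):
    return "purged"


@ssl_required_fixed
@csrf_exempt
def purge_fixed(request):
    return "purged"


def is_exempt(view):
    """What the middleware sees for a given view object."""
    return getattr(view, "csrf_exempt", False)


if __name__ == "__main__":
    # Constructed request: an API client over HTTPS that sends no CSRF token,
    # which is exactly the situation an exempt endpoint is meant to accept.
    api_request = {"is_secure": True, "csrf_token_valid": False}
    print("broken wrapper exempt:", is_exempt(purge_broken),
          "-> allowed:", middleware_allows(purge_broken, api_request))
    print("fixed wrapper exempt: ", is_exempt(purge_fixed),
          "-> allowed:", middleware_allows(purge_fixed, api_request))
```

With the broken wrapper the middleware rejects the tokenless API call even though `@csrf_exempt` was applied, which is the "still broken after exempting" symptom reported above; with `functools.wraps` the marker survives and only the genuinely unexempted views are forced to carry a token.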
