| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Marti Raudsepp <marti(at)juffo(dot)org> |
| Cc: | pgsql-www <pgsql-www(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/ |
| Date: | 2012-11-11 12:20:52 |
| Message-ID: | CABUevEyGeMBzyoO0j9qtGMkEnc1MVKTXOP19s+8MGvL9AutvEQ@mail.gmail.com |
| Lists: | pgsql-www |
On Wed, Nov 7, 2012 at 9:28 PM, Marti Raudsepp <marti(at)juffo(dot)org> wrote:
> It's clear now why CSRF didn't work on these pages: the csrf_token
> templatetag requires rendering the template with a RequestContext.
>
> I went through all code using render_to_response() without
> RequestContext/NavContext and made sure that they don't process POST
> data. I skimmed through the grep last time, but apparently I wasn't
> very attentive.
>
> I also permitted POST requests to /search/ again. These aren't sent by
> the site itself, but it was allowed before, maybe for a reason.
Looks reasonable - thanks, applied!
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
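The audit Marti describes above, as an added example that is not part of this thread or of the pgweb code: a small AST-based checker (hypothetical, written here) that lists every render_to_response() call rendered without a RequestContext or the site's NavContext subclass, and marks which of those views also read request.POST, since those are the ones whose csrf_token can never be emitted. The sample views module is constructed for the example.

```python
import ast

# Constructed sample module (not pgweb's code), modelled on the pattern the patch
# audits: render_to_response() without a RequestContext never receives the
# csrf_token, so a form that POSTs back to such a view cannot pass CSRF verification.
SAMPLE_VIEWS = '''
from django.shortcuts import render_to_response
from django.template import RequestContext

def mergeorg(request):
    if request.method == "POST":
        do_merge(request.POST)
    return render_to_response("admin/mergeorg.html", {"orgs": []})

def purge(request):
    return render_to_response("admin/purge.html", {},
                              context_instance=RequestContext(request))

def search(request):
    return render_to_response("search.html", {},
                              context_instance=NavContext(request))
'''

SAFE_CONTEXTS = {"RequestContext", "NavContext"}


def _has_request_context(call):
    """True if the call passes context_instance=RequestContext(...) or NavContext(...)."""
    for kw in call.keywords:
        if kw.arg == "context_instance" and isinstance(kw.value, ast.Call):
            func = kw.value.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in SAFE_CONTEXTS:
                return True
    return False


def find_unsafe_renders(source):
    """Return (view, line, handles_post) for each render_to_response() call without a
    RequestContext; handles_post is True when the same view reads request.POST."""
    findings = []
    for fn in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        body = list(ast.walk(fn))
        handles_post = any(isinstance(n, ast.Attribute) and n.attr == "POST" for n in body)
        for node in body:
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id == "render_to_response"
                    and not _has_request_context(node)):
                findings.append((fn.name, node.lineno, handles_post))
    return findings
```

Views flagged with handles_post=True need the RequestContext added (or must stop processing POST); the others are harmless as long as they never accept a form.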