| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Marti Raudsepp <marti(at)juffo(dot)org> |
| Cc: | pgsql-www <pgsql-www(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
| Date: | 2012-10-31 17:29:52 |
| Message-ID: | CABUevEzW_1PL_DTACTZUdwV_hkbPn56xsH_OjCUkLjhX6hS6aA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
On Tue, Oct 30, 2012 at 9:54 PM, Marti Raudsepp <marti(at)juffo(dot)org> wrote:
> Hi list,
>
> I noticed that most of the forms on the Postgres community site don't
> use CSRF protection. That's bad -- CSRF should be on by default.
>
> I went through all the views that handle POST data and didn't find any
> that should handle input from cross-domain requests. But CSRF
> exceptions, if any, should be decorated with @csrf_exempt (from
> django.views.decorators.csrf).
> Also available from my Github repo: https://github.com/intgr/pgweb
>
Hi!
The diff appears to be reversed. But that's easy enough to deal with during
commit.
Have you verified that it works with django 1.2 as well? The production
deployment is on that quite old version still...
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marti Raudsepp | 2012-10-31 17:44:46 | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
| Previous Message | Magnus Hagander | 2012-10-31 12:05:49 | Re: Community profile ssh keys not making it to git |