[PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/ - Mailing list pgsql-www

From Marti Raudsepp
Subject [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/
Msg-id CABRT9RAzDp0Y1B7M7VLNLGnFzsdb=MbFOR_QqNbdFPgMpJTqGA@mail.gmail.com
Responses Re: [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/
Re: [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/
List pgsql-www
It's clear now why CSRF didn't work on these pages: the csrf_token
templatetag requires rendering the template with a RequestContext.

I went through all code using render_to_response() without
RequestContext/NavContext and made sure that they don't process POST
data. I skimmed through the grep last time, but apparently I wasn't
very attentive.

I also permitted POST requests to /search/ again. These aren't sent by
the site itself, but it was allowed before, maybe for a reason.

api_varnish_purge still needs the @ssl_required fix -- I will submit that later.

Regards,
Marti
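The audit described in the message above (finding render_to_response() calls that pass no RequestContext, so {% csrf_token %} in the template renders nothing) can be scripted over the Django source tree with the standard-library ast module. This is an added example, not part of the original post or of the pgweb code; it assumes the pre-Django-1.10 `context_instance=RequestContext(request)` call form, takes the NavContext name from the post, and the sample views are constructed.

```python
"""Added audit helper (not from the pgsql-www patch): flag Django views that call
render_to_response() without a RequestContext, so {% csrf_token %} in their
template renders nothing. Assumes the pre-Django-1.10 context_instance= form."""
import ast

# Constructed sample modelled on the two admin pages named in the patch subject.
SAMPLE_VIEWS = """from django.shortcuts import render_to_response
from django.template import RequestContext

def purge(request):  # no RequestContext: csrf_token renders empty
    if request.method == "POST":
        do_purge(request.POST["url"])
    return render_to_response("admin/purge.html", {"ok": True})

def mergeorg(request):  # fixed form: the token reaches the template
    return render_to_response("admin/mergeorg.html", {},
                              context_instance=RequestContext(request))
"""

def _call_name(node: ast.Call) -> str:
    # Accept both render_to_response(...) and shortcuts.render_to_response(...).
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    return func.attr if isinstance(func, ast.Attribute) else ""

def _has_request_context(node: ast.Call) -> bool:
    # NavContext is the site's own RequestContext wrapper mentioned in the post.
    return any(kw.arg == "context_instance" and isinstance(kw.value, ast.Call)
               and _call_name(kw.value) in ("RequestContext", "NavContext")
               for kw in node.keywords)

def find_missing_request_context(source: str, filename: str = "<string>"):
    """Return [(view_name, line)] for every render_to_response() call inside a
    top-level function that passes no RequestContext/NavContext."""
    findings = []
    for func in ast.parse(source, filename).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and _call_name(node) == "render_to_response"
                    and not _has_request_context(node)):
                findings.append((func.name, node.lineno))
    return findings

if __name__ == "__main__":
    for view, line in find_missing_request_context(SAMPLE_VIEWS, "sample_views.py"):
        print(f"sample_views.py:{line}: {view}() renders without RequestContext")
```

Run find_missing_request_context() over each .py file in the tree and then check, as the post did, whether any flagged view also reads request.POST.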
