Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default - Mailing list pgsql-www

From: Magnus Hagander
Subject: Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Msg-id: CABUevEyDpA4c2eEOc0i+m6cYHwGGn=xsaGkiZAWAJk3c80Brtg@mail.gmail.com
In response to: Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default (Marti Raudsepp <marti@juffo.org>)
Responses: Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
List: pgsql-www
On Wed, Nov 7, 2012 at 7:59 PM, Marti Raudsepp <marti@juffo.org> wrote:
> On Wed, Nov 7, 2012 at 7:49 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> This broke the admin interface form to access varnish. I've made it
>> exempt. Is there any actual reason why we need it in the admin
>> interface, since you need to have a session logged in as an
>> administrator already to access it?
>
> Yes, you *especially* need CSRF protection in the admin interface.
> Anything that performs privileged actions and is authenticated via
> cookies without CSRF protection is vulnerable.

Fair enough. In that case, it really needs to get fixed...

>> It also broke the purging API. Also made exempt, but that appears to
>> not solve the problem. Do I need to do something more than add
>> @csrf_exempt to a view function to make it not broken? The error
>> message talks about the referrer header - but surely that shouldn't be
>> a requirement when you've set @csrf_exempt?
>
> It seems that the problem is the @ssl_required decorator -- it returns
> a new wrapped view without copying over attributes of the original
> view, such as "csrf_exempt". Changing the decorator order won't work
> either because that will confuse PgMiddleware.
>
> I'll send a patch to fix @ssl_required some time soon.

Thanks.


>> We may well have missed more parts :( Clearly neither one of us tested
>> this patch very well.
>
> "It all worked on my computer" ;)

Really? Because the purging form doesn't work on my local machine...
Which does not go through varnish at any point, for example.

Same goes for the purging API endpoint - doesn't work locally either.

So if those work for you locally, then there is definitely something
else afoot..

(The bug form worked fine on my computer, so that one was pretty hard
to catch in testing - but a good way to test it is to just turn off
cookies and see if things that should work when not logged in still
work)


--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
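The decorator problem Marti describes above, reduced to a runnable illustration. This is an added example, not code from this thread or from the pgweb code base: the request is a plain dict, `csrf_process_view` is a small stand-in for what Django's `CsrfViewMiddleware.process_view` checks (it really does skip views whose function object carries `csrf_exempt = True`), and the view names `purge_api_buggy`, `purge_api_fixed` and `admin_form` are hypothetical. `ssl_required_buggy` shows the defect (a wrapper returned without the original view's attributes, so the exempt mark is lost), `ssl_required` shows the `functools.wraps` fix, and the cookie-less `admin_form` request models the testing tip at the end of the mail.

```python
import functools

# --- Constructed stand-ins for the Django pieces the thread talks about ---
# The request is a plain dict here so the example runs without Django.


def csrf_exempt(view):
    """Mark a view as exempt from CSRF checking (Django's decorator does the
    same thing: it sets view.csrf_exempt = True on the wrapper it returns)."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped


def ssl_required_buggy(view):
    """The defect described in the thread: a new wrapper is returned without
    copying the original view's attributes, so the csrf_exempt mark is lost."""
    def wrapped(request, *args, **kwargs):
        if not request.get("is_secure"):
            return "302 redirect to https"
        return view(request, *args, **kwargs)
    return wrapped


def ssl_required(view):
    """Fixed form: functools.wraps copies __name__, __doc__ and __dict__
    (which is where csrf_exempt lives) from the view onto the wrapper."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        if not request.get("is_secure"):
            return "302 redirect to https"
        return view(request, *args, **kwargs)
    return wrapped


def csrf_process_view(view, request):
    """Minimal model of CsrfViewMiddleware.process_view: exempt views and safe
    methods pass; an unsafe method must carry a token matching the cookie.
    Returns None to let the request through, or a 403 string to reject it."""
    if getattr(view, "csrf_exempt", False):
        return None
    if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None
    token = request.get("csrf_token")
    if token and token == request.get("csrf_cookie"):
        return None
    return "403 CSRF verification failed"


# Hypothetical views standing in for the purge API endpoint and an admin form.
@ssl_required_buggy
@csrf_exempt
def purge_api_buggy(request):
    return "200 purged"


@ssl_required
@csrf_exempt
def purge_api_fixed(request):
    return "200 purged"


@ssl_required
def admin_form(request):
    return "200 admin action done"


def dispatch(view, request):
    """Run the middleware check, then the view if it was allowed through."""
    rejection = csrf_process_view(view, request)
    return rejection if rejection is not None else view(request)


# Constructed requests. An API client POSTs over TLS with no CSRF token,
# which is exactly what an exempt endpoint must accept.
API_POST = {"method": "POST", "is_secure": True}
# The cookie-less check from the mail: a browser POST carrying no cookie and
# no token must be refused on a protected view.
ADMIN_POST_NO_COOKIE = {"method": "POST", "is_secure": True}
ADMIN_POST_WITH_TOKEN = {"method": "POST", "is_secure": True,
                         "csrf_token": "t0ken", "csrf_cookie": "t0ken"}

if __name__ == "__main__":
    print("buggy decorator:", dispatch(purge_api_buggy, API_POST))
    print("fixed decorator:", dispatch(purge_api_fixed, API_POST))
    print("admin, no cookie:", dispatch(admin_form, ADMIN_POST_NO_COOKIE))
    print("admin, with token:", dispatch(admin_form, ADMIN_POST_WITH_TOKEN))
```

The point to take away is that the attribute check happens on whatever function object the URL resolver hands the middleware, which is the outermost wrapper; any decorator in the chain that builds that wrapper without `functools.wraps` (or an explicit copy of `__dict__`) silently turns an exempt view back into a protected one, which is what made the purge API return a referrer error even with `@csrf_exempt` applied.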
