Re: [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/ - Mailing list pgsql-www

From Magnus Hagander
Subject Re: [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/
Date
Msg-id CABUevEyGeMBzyoO0j9qtGMkEnc1MVKTXOP19s+8MGvL9AutvEQ@mail.gmail.com
In response to [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/  (Marti Raudsepp <marti@juffo.org>)
List pgsql-www
On Wed, Nov 7, 2012 at 9:28 PM, Marti Raudsepp <marti@juffo.org> wrote:
> It's clear now why CSRF didn't work on these pages: the csrf_token
> templatetag requires rendering the template with a RequestContext.
>
> I went through all code using render_to_response() without
> RequestContext/NavContext and made sure that they don't process POST
> data. I skimmed through the grep last time, but apparently I wasn't
> very attentive.
>
> I also permitted POST requests to /search/ again. These aren't sent by
> the site itself, but it was allowed before, maybe for a reason.

Looks reasonable - thanks, applied!

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
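
The audit described in the quoted message (finding `render_to_response()` calls made without a RequestContext/NavContext in views that process POST data) can be automated. This is an added example, not part of the original thread or of the site's code; the sample views, `MergeOrgForm`, `do_purge` and the `NavContext` arguments are constructed for illustration.

```python
import ast

# Context classes that make {% csrf_token %} render a token. NavContext is the
# site's own class named in the thread; it is treated here as equivalent.
CONTEXT_CLASSES = {"RequestContext", "NavContext"}

def _call_name(call):
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

def _passes_request_context(call):
    """True if any argument of the call constructs one of CONTEXT_CLASSES inline."""
    args = list(call.args) + [kw.value for kw in call.keywords]
    return any(isinstance(n, ast.Call) and _call_name(n) in CONTEXT_CLASSES
               for a in args for n in ast.walk(a))

def _reads_post(func):
    """True if the view touches <anything>.POST, i.e. it processes POST data."""
    return any(isinstance(n, ast.Attribute) and n.attr == "POST"
               for n in ast.walk(func))

def audit(source):
    """Return (view_name, line) for render_to_response() calls made without a
    request-aware context inside a view that reads POST data.
    Limitation: a context built in a variable first is reported as missing."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef) or not _reads_post(func):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and _call_name(node) == "render_to_response"
                    and not _passes_request_context(node)):
                findings.append((func.name, node.lineno))
    return findings

# Constructed sample views (not the site's real code).
SAMPLE = '''
def mergeorg(request):
    if request.method == "POST":
        form = MergeOrgForm(request.POST)
    return render_to_response("admin/mergeorg.html", {"form": form})

def purge(request):
    if request.POST.get("url"):
        do_purge(request.POST["url"])
    return render_to_response("admin/purge.html", {}, NavContext(request, "admin"))

def about(request):
    return render_to_response("pages/about.html", {})
'''

if __name__ == "__main__":
    for name, line in audit(SAMPLE):
        print(f"{name}: line {line}: render_to_response() without RequestContext")
```

Only the first sample view is reported: the second passes a NavContext, and the third never reads POST data, which matches the two conditions checked by hand in the message.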