Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default - Mailing list pgsql-www

From Magnus Hagander
Subject Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Date
Msg-id CABUevEzW_1PL_DTACTZUdwV_hkbPn56xsH_OjCUkLjhX6hS6aA@mail.gmail.com
In response to [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default  (Marti Raudsepp <marti@juffo.org>)
Responses Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default  (Marti Raudsepp <marti@juffo.org>)
List pgsql-www
On Tue, Oct 30, 2012 at 9:54 PM, Marti Raudsepp <marti@juffo.org> wrote:
> Hi list,
>
> I noticed that most of the forms on the Postgres community site don't
> use CSRF protection. That's bad -- CSRF should be on by default.
>
> I went through all the views that handle POST data and didn't find any
> that should handle input from cross-domain requests. But CSRF
> exceptions, if any, should be decorated with @csrf_exempt (from
> django.views.decorators.csrf).
>
> Also available from my Github repo: https://github.com/intgr/pgweb

Hi!

The diff appears to be reversed. But that's easy enough to deal with during commit.

Have you verified that it works with django 1.2 as well? The production deployment is on that quite old version still... 

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

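As an added illustration of what the thread is about (example code written for this page, not pgweb's code and not Django's own implementation), the sketch below mimics the core of what CsrfViewMiddleware enforces: every request with an unsafe method must carry a token, submitted as the `csrfmiddlewaretoken` form field (or, as newer Django versions also accept, an `X-CSRFToken` header), that matches the unguessable `csrftoken` cookie, and the check is skipped only for views carrying the `csrf_exempt` attribute that Django's decorator sets. The request dicts, the two views and the sample requests in `demo()` are constructed for the example; Django's real middleware does more than this (for instance a Referer check on HTTPS requests), so this is a model of the mechanism, not a replacement for it.

```python
import hmac
import secrets
from functools import wraps

# Methods that must never change server state, so no token is demanded for
# them; this is the same set Django's CsrfViewMiddleware treats as safe.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def csrf_exempt(view):
    """Mark a view as exempt from the CSRF check.

    Django's django.views.decorators.csrf.csrf_exempt works the same way:
    it sets a csrf_exempt attribute on the wrapped view, and the middleware
    honours that attribute instead of checking the token.
    """
    @wraps(view)
    def wrapped(request):
        return view(request)
    wrapped.csrf_exempt = True
    return wrapped


def new_csrf_token():
    """Unpredictable per-session secret that the browser stores as a cookie."""
    return secrets.token_urlsafe(32)


def csrf_check(request, view):
    """Return (allowed, reason) for a constructed request dict.

    The dict uses the keys method, cookies, post and headers (assumption made
    for this example; a real Django HttpRequest exposes the same data).
    """
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    if getattr(view, "csrf_exempt", False):
        return True, "view is csrf_exempt"
    cookie_token = request.get("cookies", {}).get("csrftoken")
    # The token may arrive as a hidden form field or as a request header.
    submitted = (request.get("post", {}).get("csrfmiddlewaretoken")
                 or request.get("headers", {}).get("X-CSRFToken"))
    if not cookie_token or not submitted:
        return False, "CSRF token missing"
    # Constant-time comparison so a timing side channel cannot leak the token.
    if not hmac.compare_digest(cookie_token, submitted):
        return False, "CSRF token mismatch"
    return True, "token ok"


def dispatch(request, view):
    """Middleware stand-in: reject with 403 before the view runs, as Django does."""
    allowed, reason = csrf_check(request, view)
    if not allowed:
        return {"status": 403, "body": "CSRF verification failed: " + reason}
    return view(request)


# Two constructed views: a normal form handler that must stay protected, and
# one explicitly opted out because it really takes cross-domain input.
def update_profile(request):
    return {"status": 200, "body": "profile updated"}


@csrf_exempt
def external_webhook(request):
    return {"status": 200, "body": "webhook accepted"}


def demo():
    """Run constructed requests through the check and return their status codes."""
    token = new_csrf_token()
    # Legitimate browser POST: cookie and hidden form field carry the same token.
    good = {"method": "POST", "cookies": {"csrftoken": token},
            "post": {"csrfmiddlewaretoken": token}}
    # Cross-site forgery: the attacking page cannot read the victim's cookie,
    # so it can only guess the form field, while the browser still sends the cookie.
    forged = {"method": "POST", "cookies": {"csrftoken": token},
              "post": {"csrfmiddlewaretoken": "guess"}}
    # A plain GET needs no token at all.
    read_only = {"method": "GET", "cookies": {"csrftoken": token}}
    return {
        "good_post": dispatch(good, update_profile)["status"],
        "forged_post": dispatch(forged, update_profile)["status"],
        # Same forged POST against an exempt view is accepted: this is why
        # @csrf_exempt belongs only on endpoints that must take cross-domain input.
        "forged_post_exempt_view": dispatch(forged, external_webhook)["status"],
        "get_without_token": dispatch(read_only, update_profile)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the exempt-view case is the one Marti makes: once the middleware is on by default, each `@csrf_exempt` is a deliberate, reviewable hole rather than the silent default for every form.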