Thread: [PATCH] Fix CSRF verification in /admin/mergeorg/ and /admin/purge/
It's clear now why CSRF didn't work on these pages: the csrf_token templatetag requires rendering the template with a RequestContext. I went through all code using render_to_response() without RequestContext/NavContext and made sure that they don't process POST data. I skimmed through the grep last time, but apparently I wasn't very attentive.

I also permitted POST requests to /search/ again. These aren't sent by the site itself, but it was allowed before, maybe for a reason.

api_varnish_purge still needs the @ssl_required fix; I will submit that later.

Regards,
Marti
Attachment
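The audit described in the message above (find every render_to_response() call that lacks a RequestContext, then check whether that view also handles POST) can be done mechanically instead of by eyeballing grep output. The scanner below is an added example, not code from this thread's project: it walks the AST of view source, flags render_to_response() calls whose third positional argument or context_instance keyword is not a RequestContext(...) or NavContext(...) call (NavContext is assumed here to be the project's RequestContext subclass), and reports the view as an error when it also reads request.POST or compares request.method to 'POST', because in that case the csrf_token tag rendered nothing and every submission fails verification. The sample views, their names and the helper calls inside them are constructed for the demonstration.

```python
"""Static check for Django views that render without a RequestContext.

{% csrf_token %} only emits the hidden csrfmiddlewaretoken field when the
template context carries the csrf context processor's output, and
render_to_response() provides that only when it is given
context_instance=RequestContext(request). A view that skips this and still
handles POST serves a form whose submission can never pass CSRF
verification. This scanner flags such views. Added example; not the
thread's project code.
"""
import ast

# Context classes whose presence counts as "the csrf processor ran".
# NavContext is the project-specific class named in the thread; it is
# assumed here to be a RequestContext subclass.
REQUEST_CONTEXT_NAMES = {"RequestContext", "NavContext"}


def _called_name(call):
    """Bare name of the callee: foo(...) or module.foo(...) -> 'foo'."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return None


def _lacks_request_context(call):
    """True for render_to_response(...) with no RequestContext-like context."""
    if _called_name(call) != "render_to_response":
        return False
    # context_instance is the third positional parameter or a keyword.
    candidates = list(call.args[2:3])
    candidates += [kw.value for kw in call.keywords if kw.arg == "context_instance"]
    return not any(
        isinstance(c, ast.Call) and _called_name(c) in REQUEST_CONTEXT_NAMES
        for c in candidates
    )


def _handles_post(func):
    """True if the view reads request.POST or compares request.method to 'POST'."""
    for node in ast.walk(func):
        if (isinstance(node, ast.Attribute) and node.attr == "POST"
                and isinstance(node.value, ast.Name) and node.value.id == "request"):
            return True
        if isinstance(node, ast.Compare):
            parts = [node.left] + node.comparators
            is_method = any(isinstance(p, ast.Attribute) and p.attr == "method" for p in parts)
            is_post = any(isinstance(p, ast.Constant) and p.value == "POST" for p in parts)
            if is_method and is_post:
                return True
    return False


def audit_views(source):
    """Return [(view name, line of the offending render call, severity)].

    severity is "error" when the view also processes POST (its CSRF token is
    never rendered, so every submission fails verification) and "warning"
    when it does not (harmless now, a trap if a form is added later).
    """
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        bad = [n for n in ast.walk(func)
               if isinstance(n, ast.Call) and _lacks_request_context(n)]
        if bad:
            severity = "error" if _handles_post(func) else "warning"
            findings.append((func.name, bad[0].lineno, severity))
    return findings


# Constructed sample views (not the thread's real code) in the
# render_to_response() style of the period. Line 1 of this string is blank.
SAMPLE_VIEWS = '''
from django.shortcuts import render_to_response
from django.template import RequestContext

def purge_view(request):
    if request.method == 'POST':
        do_purge(request.POST['url'])
    return render_to_response('admin/purge.html', {'form': form})

def mergeorg_view(request):
    if request.method == 'POST':
        merge_orgs(request.POST)
    return render_to_response('admin/mergeorg.html', {'form': form},
                              context_instance=RequestContext(request))

def about_view(request):
    return render_to_response('about.html', {})
'''

if __name__ == "__main__":
    for name, line, severity in audit_views(SAMPLE_VIEWS):
        print(f"{severity}: {name} renders without RequestContext at line {line}")
```

Only purge_view is an error: mergeorg_view passes context_instance=RequestContext(request) and about_view never touches POST. The fix for a flagged view is the one the patch applies, passing context_instance=RequestContext(request) (or the project's NavContext); django.shortcuts.render(request, ...) builds a RequestContext itself and is not flagged.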
On Wed, Nov 7, 2012 at 10:28 PM, Marti Raudsepp <marti@juffo.org> wrote:
> It's clear now why CSRF didn't work on these pages: the csrf_token
> templatetag requires rendering the template with a RequestContext.

And apologies for breaking the site; this is certainly an omission on my part in the original patch.

Regards,
Marti
On Wed, Nov 7, 2012 at 9:28 PM, Marti Raudsepp <marti@juffo.org> wrote:
> It's clear now why CSRF didn't work on these pages: the csrf_token
> templatetag requires rendering the template with a RequestContext.
>
> I went through all code using render_to_response() without
> RequestContext/NavContext and made sure that they don't process POST
> data. I skimmed through the grep last time, but apparently I wasn't
> very attentive.
>
> I also permitted POST requests to /search/ again. These aren't sent by
> the site itself, but it was allowed before, maybe for a reason.

Looks reasonable - thanks, applied!

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/