Thread: [PATCH] Fix CSRF verification on /api/varnish/purge & misc
Hi list,

Three more patches:

0001-Update-ssl_required-decorator-to-play-nice-with-othe.patch

This is the important one to make /api/varnish/purge/ work again. The @ssl_required decorator now cooperates with other decorators and retains attributes, rather than overriding them all.

The other 2 decorators in util/decorators.py probably also need this fix, but I decided not to do it now to reduce testing effort.

0002-Fix-small-bug-in-api_varnish_purge-error-path.patch

Insignificant: return HttpResponse instead of raising it in error path.

0003-CSRF-verification-failure-now-returns-HTTP-403-Forbi.patch

The CSRF failure view previously returned with HTTP status 200 OK. That's wrong -- apps and browsers should be signaled that the request failed. Now returns 403 Forbidden.

Regards,
Marti
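The failure mode behind patch 0001, as an added illustration that is not one of the patches in this thread: Django's csrf_exempt decorator marks a view by setting the attribute csrf_exempt = True on it, and CsrfViewMiddleware consults that attribute, so an outer decorator that returns a bare wrapper function silently discards the marker and the middleware starts rejecting the exempt view. The code below is plain Python with a small stand-in for the request and the middleware check (assumed shapes, not Django's classes), so it runs offline; the "broken" decorator is a reconstruction of the described behaviour, not the project's original code.

```python
# Added example: why a view decorator must preserve the wrapped view's
# attributes.  Plain-Python stand-ins for Django's csrf_exempt and
# CsrfViewMiddleware.process_view (assumed shapes, not Django code).
import functools


def csrf_exempt(view):
    """Stand-in for csrf_exempt: marks the view so the CSRF check is skipped."""
    @functools.wraps(view)
    def wrapped(request):
        return view(request)
    wrapped.csrf_exempt = True
    return wrapped


def ssl_required_broken(view):
    """Decorator as described before the fix (assumed): the bare wrapper has
    none of the original view's attributes, so an inner csrf_exempt marker
    is lost and the CSRF check is enforced after all."""
    def wrapper(request):
        if not request.get("is_secure"):
            return {"status": 403, "body": "SSL required"}
        return view(request)
    return wrapper


def ssl_required(view):
    """Fixed decorator: functools.wraps copies __name__, __doc__ and the
    view's __dict__ (which carries csrf_exempt) onto the wrapper."""
    @functools.wraps(view)
    def wrapper(request):
        if not request.get("is_secure"):
            return {"status": 403, "body": "SSL required"}
        return view(request)
    return wrapper


def csrf_check(view, request):
    """Stand-in for the middleware's process_view: skip exempt views and
    safe methods, otherwise require a token matching the cookie and answer
    403 Forbidden (not 200 OK) on failure, as patch 0003 does."""
    if getattr(view, "csrf_exempt", False):
        return None
    if request.get("method") in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None
    cookie = request.get("csrf_cookie")
    if cookie and cookie == request.get("csrf_token"):
        return None
    return {"status": 403, "body": "CSRF verification failed"}


def dispatch(view, request):
    """Middleware check first, then the view, like the request chain."""
    rejection = csrf_check(view, request)
    if rejection is not None:
        return rejection
    return view(request)


@ssl_required_broken
@csrf_exempt
def purge_broken(request):
    return {"status": 200, "body": "purged"}


@ssl_required
@csrf_exempt
def purge_fixed(request):
    return {"status": 200, "body": "purged"}


# Constructed request: an API client POSTing over HTTPS with no CSRF token,
# which is exactly the case a csrf_exempt API endpoint must accept.
API_POST = {"method": "POST", "is_secure": True}

if __name__ == "__main__":
    print("broken:", dispatch(purge_broken, API_POST))   # 403, marker lost
    print("fixed: ", dispatch(purge_fixed, API_POST))    # 200, marker kept
```

The same attribute-copying applies to the other two decorators in util/decorators.py mentioned above: any decorator that builds a new function without functools.wraps will drop csrf_exempt, and the middleware can only see what is on the outermost callable.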
On Wed, Nov 7, 2012 at 10:30 PM, Marti Raudsepp <marti@juffo.org> wrote:
> Hi list,
>
> Three more patches:
>
> 0001-Update-ssl_required-decorator-to-play-nice-with-othe.patch
>
> This is the important one to make /api/varnish/purge/ work again. The
> @ssl_required decorator now cooperates with other decorators and
> retains attributes, rather than overriding them all.
>
> The other 2 decorators in util/decorators.py probably also need this
> fix, but I decided not to do it now to reduce testing effort.
>
> 0002-Fix-small-bug-in-api_varnish_purge-error-path.patch
>
> Insignificant: return HttpResponse instead of raising it in error path.
>
> 0003-CSRF-verification-failure-now-returns-HTTP-403-Forbi.patch
>
> The CSRF failure view previously returned with HTTP status 200 OK.
> That's wrong -- apps and browsers should be signaled that the request
> failed. Now returns 403 Forbidden.

Hi

They look good based on description. However, I believe you forgot to attach the actual files.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
On Sun, Nov 11, 2012 at 2:22 PM, Magnus Hagander <magnus@hagander.net> wrote:
> However, I believe you forgot to
> attach the actual files.

Oops! Here you go.

Regards,
Marti
Attachment
On Sun, Nov 11, 2012 at 1:51 PM, Marti Raudsepp <marti@juffo.org> wrote:
> On Sun, Nov 11, 2012 at 2:22 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> However, I believe you forgot to
>> attach the actual files.
>
> Oops! Here you go.

Thanks, all applied.

Also, the csrf stuff broke the mailing list subscription form. I've made it exempt as well.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/