#12358 closed (fixed)
RequestContent with "poisoned" csrf_token for flatpages
| Reported by: | phretor | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | | Keywords: | csrf flatpages |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If a form that needs {% csrf_token %} is included in the template of a flatpage, the context['csrf_request'] ends up being NOTPROVIDED. Very strange indeed. For example, this is a piece of the context:
[...]
{'csrf_token': <django.utils.functional.__proxy__ object at 0x10250a190>},
{'csrf_token': <django.utils.functional.__proxy__ object at 0x102520450>},
{'flatpage': <FlatPage: /library/ -- Welcome to the eLibrary>}
[...]
Other people have noticed the same problem while using a 3rd party app, but this is just a coincidence. However, they also claim to have a patch but I haven't applied it as it is not official:
To reproduce the problem:
- include an instance of django.contrib.auth.forms.UserCreationForm (http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/forms.py#L10) into a 'flatpages/default.html'
- be sure to add {% csrf_token %} and the required middlewares and context processors
- add a raise Exception(str(c)) between L45 and L46 of http://code.djangoproject.com/browser/django/trunk/django/contrib/flatpages/views.py, so you can inspect the content of the response context
In my case, this is the context:
[{'login_form': <django.contrib.auth.forms.AuthenticationForm object at 0x102494a50>},
{'MEDIA_URL': '/media/'},
{'request': <WSGIRequest GET:<QueryDict: {}>, POST:<QueryDict: {}>,
COOKIES:{'__utma': '158801083.1369707719.1258975226.1258975226.1258975226.1',
'__utmz': '158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)',
'sessionid': 'db3a36a56037381e6fffb8ece7f3d9ca'},
META:{'DOCUMENT_ROOT': '/Users/phretor/public_html/vplab/public',
'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTPS': 'off',
'HTTP_ACCEPT': 'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'en-us',
'HTTP_CACHE_CONTROL': 'max-age=0',
'HTTP_CONNECTION': 'keep-alive',
'HTTP_COOKIE': '__utma=158801083.1369707719.1258975226.1258975226.1258975226.1;
__utmz=158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
sessionid=db3a36a56037381e6fffb8ece7f3d9ca', 'HTTP_HOST': 'vplab',
'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9',
'PATH': '/bin:/usr/bin:/sbin:/usr/sbin',
'PATH_INFO': u'/library/',
'PATH_TRANSLATED': '/Users/phretor/public_html/vplab/public/library/',
'QUERY_STRING': '', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '48885',
'REQUEST_METHOD': 'GET', 'REQUEST_URI': '/library/', 'SCRIPT_FILENAME': '',
'SCRIPT_NAME': u'', 'SCRIPT_URL': '/library/', 'SERVER_ADDR': '127.0.0.1',
'SERVER_NAME': 'vplab', 'SERVER_PORT': '80', 'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SIGNATURE': '<address>Cherokee web server</address>', 'SERVER_SOFTWARE': 'Cherokee/0.99.24 (UNIX)',
'wsgi.errors': <flup.server.fcgi_base.TeeOutputStream object at 0x10250a8d0>,
'wsgi.input': <flup.server.fcgi_base.InputStream object at 0x10244ff50>,
'wsgi.multiprocess': False, 'wsgi.multithread': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}>},
{'perms': <django.utils.functional.__proxy__ object at 0x102494e10>,
'messages': <django.utils.functional.__proxy__ object at 0x102494990>,
'user': <django.utils.functional.SimpleLazyObject object at 0x1024268d0>},
{'csrf_token': <django.utils.functional.__proxy__ object at 0x10250a190>},
{'csrf_token': <django.utils.functional.__proxy__ object at 0x102520450>},
{'flatpage': <FlatPage: /library/ -- Welcome to the eLibrary>}]
Change History (3)
comment:1 by , 16 years ago
The problem is caused by the fact that if a 404 is raised because nothing matched the URLconf, then the middleware process_view methods are skipped (there is no found view, so you can't call them). This includes CsrfViewMiddleware.process_view, so the necessary setup for the csrf_token is not done. The fix is to use @csrf_protect on the flatpages view.
The fix on that other site, BTW, is wrong, because it neuters a test which was there for a good reason.
comment:2 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
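The mechanism described in the comments, as an added example that is not part of the ticket or of Django's own code: a stripped-down model of the request handler in which the CSRF middleware only does its per-request setup in process_view, the flatpage fallback middleware serves the page from process_response after a 404, and a csrf_protect decorator runs that setup around the view itself. The class and function names mirror Django's but the bodies, the Request/Response shapes and the URLconf dict are assumptions made for the example, as is the constructed path "/library/".

```python
"""Model (added example, not Django's code) of why a flatpage served after a
URLconf 404 renders csrf_token as 'NOTPROVIDED', and why wrapping the flatpage
view in csrf_protect fixes it.

Assumed simplifications: middleware exposes process_view(request, view) and
process_response(request, response); the csrf context processor returns
NOTPROVIDED when the CSRF middleware never set up the request.
"""
import secrets

NOTPROVIDED = "NOTPROVIDED"


class Request:
    def __init__(self, path):
        self.path = path
        self.META = {}


class Response:
    def __init__(self, body, status=200):
        self.body = body
        self.status = status


def csrf_context(request):
    """Context processor: the token exists only if process_view ran for this request."""
    token = request.META.get("CSRF_COOKIE")
    return {"csrf_token": token if token else NOTPROVIDED}


class CsrfViewMiddleware:
    """All per-request token setup lives in process_view (as in Django)."""
    def process_view(self, request, view):
        request.META["CSRF_COOKIE"] = secrets.token_hex(16)  # assumed token format
        return None  # let the view run

    def process_response(self, request, response):
        return response


def csrf_protect(view):
    """Run the CSRF middleware's process_view around a view that the handler's
    middleware loop may never reach (same idea as Django's csrf_protect)."""
    def wrapped(request, *args, **kwargs):
        CsrfViewMiddleware().process_view(request, view)
        return view(request, *args, **kwargs)
    return wrapped


def flatpage(request, url):
    """Flatpage view rendering a form that contains {% csrf_token %}."""
    ctx = csrf_context(request)
    return Response("<form><input name='csrfmiddlewaretoken' value='%s'></form>"
                    % ctx["csrf_token"])


class FlatpageFallbackMiddleware:
    """On a 404, call the flatpage view directly from process_response."""
    def __init__(self, view):
        self.view = view

    def process_view(self, request, view):
        return None

    def process_response(self, request, response):
        if response.status != 404:
            return response
        return self.view(request, request.path)


URLCONF = {"/about/": lambda request: Response("about")}  # constructed URLconf


def handle(request, middleware):
    """Stripped-down handler ordering: resolve, process_view, view, process_response."""
    view = URLCONF.get(request.path)
    if view is None:
        # Nothing matched: there is no view, so process_view is never called.
        response = Response("Not Found", status=404)
    else:
        response = None
        for mw in middleware:
            response = mw.process_view(request, view)
            if response is not None:
                break
        if response is None:
            response = view(request)
    for mw in reversed(middleware):  # fallback middleware is last, so it runs first here
        response = mw.process_response(request, response)
    return response


def rendered_token(response):
    """Pull the token value out of the rendered form markup."""
    start = response.body.index("value='") + len("value='")
    return response.body[start:response.body.index("'", start)]


def serve_flatpage(view, path="/library/"):
    """Serve an unmatched path through the CSRF and flatpage middleware."""
    middleware = [CsrfViewMiddleware(), FlatpageFallbackMiddleware(view)]
    return rendered_token(handle(Request(path), middleware))


if __name__ == "__main__":
    print("undecorated flatpage:", serve_flatpage(flatpage))
    print("csrf_protect flatpage:", serve_flatpage(csrf_protect(flatpage)))
```

Running it prints NOTPROVIDED for the undecorated view and a real token once the view is wrapped, which is the behaviour the ticket reports and the fix the comment describes. A form rendered with NOTPROVIDED is not just cosmetic: any POST it makes back will fail the CSRF check, and "fixing" that by relaxing the check (the neutered test mentioned above) would disable the protection rather than restore it.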