Opened 18 years ago
Closed 18 years ago
#5292 closed (fixed)
CsrfMiddleware does not protect from forged POST request with no data
| Reported by: | | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | Contrib apps | Version: | dev |
| Severity: | | Keywords: | |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
django.contrib.csrf.CsrfMiddleware permits any POST request with no data. This is entirely wrong.
Attachments (1)
Change History (5)
by , 18 years ago
| Attachment: | csrf-empty-post.diff added |
|---|
comment:1 by , 18 years ago
| Component: | Uncategorized → Contrib apps |
|---|---|
| Owner: | changed from to |
| Summary: | CrsfMiddleware does not protect from forged POST request with no data → CsrfMiddleware does not protect from forged POST request with no data |
| Triage Stage: | Unreviewed → Ready for checkin |
comment:2 by , 18 years ago
Out of curiosity, what's the security impact of a CSRF that doesn't post any data?
comment:3 by , 18 years ago
A POST request, even an empty one, could potentially be all a view was looking for to do a delete or something.
comment:4 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
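The point raised in comment:3 (a body-less POST can still be the whole trigger for a destructive view) is easier to see in code. The following is an added illustration, not the attached csrf-empty-post.diff and not Django's own middleware: it models a minimal token check in two forms, one that skips the check when the request body is empty (the behaviour the ticket reports) and one that checks every POST, and runs both against a view that deletes on any POST. The `Request` class, the `delete_item_view`, and the in-memory `store` are constructed for the example; only the form field name `csrfmiddlewaretoken` follows Django's convention.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    body: bytes = b""                                   # raw request body
    POST: dict = field(default_factory=dict)            # parsed form fields
    session_token: str = ""                             # token the server issued to this session


def _token_matches(request: Request) -> bool:
    submitted = request.POST.get("csrfmiddlewaretoken", "")
    # constant-time comparison; an empty submitted token never matches a real one
    return bool(request.session_token) and hmac.compare_digest(submitted, request.session_token)


def check_csrf_skips_empty_body(request: Request) -> bool:
    """Flawed check: a POST with no body is waved through without a token."""
    if request.method != "POST" or not request.body:
        return True
    return _token_matches(request)


def check_csrf_every_post(request: Request) -> bool:
    """Correct check: every POST needs a valid token, body or no body."""
    if request.method != "POST":
        return True
    return _token_matches(request)


def delete_item_view(request: Request, store: dict, item_id: str) -> str:
    """Constructed view: the POST method alone is the signal to delete."""
    if request.method == "POST":
        store.pop(item_id, None)
        return "deleted"
    return "noop"


def handle(request: Request, csrf_check, store: dict, item_id: str) -> str:
    """Middleware-style gate: reject before the view runs if the check fails."""
    if not csrf_check(request):
        return "403"
    return delete_item_view(request, store, item_id)


def run_scenarios() -> dict:
    """Forged body-less POST vs. legitimate tokened POST, under both checks."""
    results = {}
    for name, check in (("skips_empty_body", check_csrf_skips_empty_body),
                        ("every_post", check_csrf_every_post)):
        store = {"42": "some record"}
        # cross-site form submit with no fields: no body, no token
        forged = Request(method="POST", session_token="s3ss10n-t0k3n")
        results[(name, "forged_empty")] = (handle(forged, check, store, "42"), "42" in store)

        store = {"42": "some record"}
        # same-site form that includes the issued token
        legit = Request(method="POST", body=b"csrfmiddlewaretoken=s3ss10n-t0k3n",
                        POST={"csrfmiddlewaretoken": "s3ss10n-t0k3n"},
                        session_token="s3ss10n-t0k3n")
        results[(name, "legit")] = (handle(legit, check, store, "42"), "42" in store)
    return results


if __name__ == "__main__":
    for key, (outcome, still_present) in run_scenarios().items():
        print(key, "->", outcome, "| record still present:", still_present)
```

The lesson the results make concrete: a check that keys off the presence of form data protects nothing, because the attacker controls the body and can simply omit it. The decision to demand a token has to hang on the method (or more generally on whether the request is state-changing), never on what the request happens to carry.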