
Ticket #5292 (closed: fixed)

Opened 1 year ago

Last modified 1 year ago

CsrfMiddleware does not protect from forged POST request with no data

Reported by: Jakub Wilk <django@icomputing.pl>
Assigned to: adrian
Milestone:
Component: Contrib apps
Version: SVN
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

django.contrib.csrf.CsrfMiddleware permits any POST request with no data. This is entirely wrong.

Attachments

csrf-empty-post.diff (418 bytes) - added by Jakub Wilk <django@icomputing.pl> on 08/29/07 08:29:06.

Change History

08/29/07 08:29:06 changed by Jakub Wilk <django@icomputing.pl>

  • attachment csrf-empty-post.diff added.

09/02/07 04:24:01 changed by Simon G. <dev@simon.net.nz>

  • needs_better_patch changed.
  • component changed from Uncategorized to Contrib apps.
  • needs_tests changed.
  • summary changed from CrsfMiddleware does not protect from forged POST request with no data to CsrfMiddleware does not protect from forged POST request with no data.
  • owner changed from jacob to adrian.
  • needs_docs changed.
  • stage changed from Unreviewed to Ready for checkin.

09/02/07 04:34:28 changed by ubernostrum

Out of curiosity, what's the security impact of a CSRF that doesn't post any data?

09/02/07 06:00:28 changed by SmileyChris

A POST request, even an empty one, could potentially be all a view was looking for to do a delete or something.

09/03/07 01:18:48 changed by adrian

  • status changed from new to closed.
  • resolution set to fixed.

(In [6038]) Fixed #5292 -- Changed CSRF middleware to check for request.method == 'POST' instead of request.POST dictionary not being empty. Thanks, Jakub Wilk
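The following is an added illustration, not code from Django or from the changeset above: it contrasts the pre-fix check (is `request.POST` non-empty?) with the post-fix check (is `request.method == 'POST'`?) and shows that a forged POST carrying no body slips past the first but not the second. The `FakeRequest` stand-in and the simplified token-equals-cookie comparison are assumptions made so the example runs without Django.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class FakeRequest:
    """Minimal stand-in for Django's HttpRequest (constructed for this example)."""
    method: str
    POST: dict = field(default_factory=dict)     # parsed form body
    COOKIES: dict = field(default_factory=dict)  # cookies sent by the browser


def needs_csrf_check_old(request):
    """Pre-fix logic: only requests that carry form data are inspected.
    A POST with an empty body has an empty request.POST and is waved through."""
    return bool(request.POST)


def needs_csrf_check_new(request):
    """Post-fix logic (#5292): every request whose method is POST is inspected,
    regardless of whether it carries any data."""
    return request.method == 'POST'


def process_view(request, needs_check):
    """Return 'forbidden' when the request is subject to the CSRF check and lacks a
    valid token, otherwise 'allowed'. Token validation is simplified here: the form
    token must equal the 'csrftoken' cookie (an assumption, not Django's real scheme)."""
    if not needs_check(request):
        return 'allowed'
    token = request.POST.get('csrfmiddlewaretoken')
    expected = request.COOKIES.get('csrftoken')
    if token is None or expected is None:
        return 'forbidden'
    # constant-time comparison so token checking does not leak timing information
    if not hmac.compare_digest(token, expected):
        return 'forbidden'
    return 'allowed'


if __name__ == '__main__':
    forged_empty_post = FakeRequest(method='POST')  # cross-site form with no fields
    print('old check:', process_view(forged_empty_post, needs_csrf_check_old))  # allowed
    print('new check:', process_view(forged_empty_post, needs_csrf_check_new))  # forbidden
```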
