Opened 15 years ago
Closed 15 years ago
#9776 closed (duplicate)
No CSRF protection for auth system logout view
| Reported by: | Mez | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.0 |
| Severity: | Keywords: | csrf logout | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Having looked through the documentation, it seems that there is a sorely missed point.
The logout function doesn't seem to have any form of CSRF protection that I can notice. Meaning that someone could easily place an image with the URL of http://www.yoursite.com/logout/ (or whatever the URL is) and make it so that anyone who views the page with the image on is logged out.
This to me seems a massive oversight in the system, and I can foresee times where, due to a badly configured permission system, an admin cannot easily delete offending content which has an image or something similar to this in it.
Change History (1)
comment:1 by , 15 years ago
| Keywords: | csrf logout added |
|---|---|
| Resolution: | → duplicate |
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Duplicate of #7989.