Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#12358 closed (fixed)

RequestContent with "poisoned" csrf_token for flatpages

Reported by: phretor
Owned by: nobody
Component: contrib.auth
Version: master
Severity:
Keywords: csrf flatpages
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

If a form that needs {% csrf_token %} is included in the template of a flatpage, the context['csrf_request'] ends up being NOTPROVIDED. Very strange indeed. For example, this is a piece of the context:

[...]
{'csrf_token': <django.utils.functional.__proxy__ object at 0x10250a190>},
{'csrf_token': <django.utils.functional.__proxy__ object at 0x102520450>},
{'flatpage': <FlatPage: /library/ -- Welcome to the eLibrary>}
[...]

Other people have noticed the same problem while using a 3rd party app, but this is just a coincidence. However, they also claim to have a patch, but I haven't applied it as it is not official:

To reproduce the problem:

In my case, this is the context:

[{'login_form': <django.contrib.auth.forms.AuthenticationForm object at 0x102494a50>},
{'MEDIA_URL': '/media/'},
{'request': <WSGIRequest GET:<QueryDict: {}>, POST:<QueryDict: {}>,
COOKIES:{'__utma': '158801083.1369707719.1258975226.1258975226.1258975226.1',
'__utmz': '158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)',
'sessionid': 'db3a36a56037381e6fffb8ece7f3d9ca'},
META:{'DOCUMENT_ROOT': '/Users/phretor/public_html/vplab/public',
'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTPS': 'off',
'HTTP_ACCEPT': 'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'en-us',
'HTTP_CACHE_CONTROL': 'max-age=0',
'HTTP_CONNECTION': 'keep-alive',
'HTTP_COOKIE': '__utma=158801083.1369707719.1258975226.1258975226.1258975226.1;
__utmz=158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
sessionid=db3a36a56037381e6fffb8ece7f3d9ca', 'HTTP_HOST': 'vplab',
'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9',
'PATH': '/bin:/usr/bin:/sbin:/usr/sbin',
'PATH_INFO': u'/library/',
'PATH_TRANSLATED': '/Users/phretor/public_html/vplab/public/library/',
'QUERY_STRING': '', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '48885',
'REQUEST_METHOD': 'GET', 'REQUEST_URI': '/library/', 'SCRIPT_FILENAME': '',
'SCRIPT_NAME': u'', 'SCRIPT_URL': '/library/', 'SERVER_ADDR': '127.0.0.1',
'SERVER_NAME': 'vplab', 'SERVER_PORT': '80', 'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SIGNATURE': '<address>Cherokee web server</address>', 'SERVER_SOFTWARE': 'Cherokee/0.99.24 (UNIX)',
'wsgi.errors': <flup.server.fcgi_base.TeeOutputStream object at 0x10250a8d0>,
'wsgi.input': <flup.server.fcgi_base.InputStream object at 0x10244ff50>,
'wsgi.multiprocess': False, 'wsgi.multithread': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}>},
{'perms': <django.utils.functional.__proxy__ object at 0x102494e10>,
'messages': <django.utils.functional.__proxy__ object at 0x102494990>,
'user': <django.utils.functional.SimpleLazyObject object at 0x1024268d0>},
{'csrf_token': <django.utils.functional.__proxy__ object at 0x10250a190>},
{'csrf_token': <django.utils.functional.__proxy__ object at 0x102520450>},
{'flatpage': <FlatPage: /library/ -- Welcome to the eLibrary>}]

Attachments (0)

Change History (3)

comment:1 Changed 4 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The problem is caused by the fact that if a 404 is raised because nothing matched the URLconf, then the middleware process_view methods are skipped (there is no found view, so you can't call them). This includes CsrfViewMiddleware.process_view, so necessary setup for the csrf_token is not done.

The fix is to use @csrf_protect on the flatpages view.

The fix on that other site, BTW, is wrong, because it neuters a test which was there for a good reason.
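A stand-alone model of the mechanism described in comment:1, added here as an example and not Django's own code: it mimics CsrfViewMiddleware installing the token only in process_view, the csrf context processor returning 'NOTPROVIDED' when no token was installed, and a csrf_protect-style wrapper that runs process_view from inside the view. The URL paths, the `login_page` view and the `handle` dispatcher are constructed for illustration.

```python
"""Model of the request cycle behind this ticket (added example, not Django's
code): the csrf token is installed in CsrfViewMiddleware.process_view, the
csrf context processor yields 'NOTPROVIDED' without it, and csrf_protect
runs process_view from inside the view. Paths and view names are made up."""
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    META: dict = field(default_factory=dict)

class CsrfViewMiddleware:
    def process_view(self, request, view, args, kwargs):
        # As in Django, the per-request token exists only after process_view.
        request.META.setdefault("CSRF_COOKIE", secrets.token_hex(16))

def csrf_context(request):
    # Mirrors django.core.context_processors.csrf of the 1.2 era.
    token = request.META.get("CSRF_COOKIE")
    return {"csrf_token": token if token is not None else "NOTPROVIDED"}

def csrf_protect(view):
    # decorator_from_middleware style: call process_view, then the view.
    mw = CsrfViewMiddleware()
    def wrapped(request, *args, **kwargs):
        mw.process_view(request, view, args, kwargs)
        return view(request, *args, **kwargs)
    return wrapped

def flatpage(request):
    # Returns the template context instead of rendering it, for inspection.
    return {"flatpage": request.path, **csrf_context(request)}

def login_page(request):  # a view that *is* registered in the URLconf
    return {"login_form": "<form>", **csrf_context(request)}

URLCONF = {"/accounts/login/": login_page}  # constructed; '/library/' is unmatched

def handle(request, fallback_view, middleware=(CsrfViewMiddleware(),)):
    """Like BaseHandler: process_view runs only for a URLconf-resolved view.
    An unmatched path is a 404, which FlatpageFallbackMiddleware turns into a
    direct call to the flatpage view, skipping every process_view."""
    view = URLCONF.get(request.path)
    if view is None:
        return fallback_view(request)
    for mw in middleware:
        mw.process_view(request, view, (), {})
    return view(request)
```

Calling `handle(Request("/library/"), flatpage)` yields a context whose csrf_token is 'NOTPROVIDED', while `handle(Request("/library/"), csrf_protect(flatpage))` yields a real token, which is the effect of the @csrf_protect fix on the flatpages view.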

comment:2 Changed 4 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from new to closed

(In [12381]) Fixed #12358 - csrf_token template tag does not work with flatpages.

Thanks to phretor for the report.

comment:3 Changed 3 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted
