#12358 closed (fixed)
RequestContext with "poisoned" csrf_token for flatpages
Reported by: | phretor | Owned by: | nobody
---|---|---|---
Component: | contrib.auth | Version: | dev
Severity: | | Keywords: | csrf flatpages
Cc: | | Triage Stage: | Unreviewed
Has patch: | yes | Needs documentation: | no
Needs tests: | no | Patch needs improvement: | no
Easy pickings: | no | UI/UX: | no
Description
If a form that needs {% csrf_token %} is included in the template of a flatpage, the context['csrf_request']
ends up being NOTPROVIDED. Very strange indeed. For example, this is a piece of the context:
[...] {'csrf_token': <django.utils.functional.__proxy__ object at 0x10250a190>}, {'csrf_token': <django.utils.functional.__proxy__ object at 0x102520450>}, {'flatpage': <FlatPage: /library/ -- Welcome to the eLibrary>} [...]
Other people have noticed the same problem while using a 3rd party app, but this is just a coincidence. However, they also claim to have a patch, but I haven't applied it as it is not official:
To reproduce the problem:
- include an instance of django.contrib.auth.forms.UserCreationForm (http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/forms.py#L10) in 'flatpages/default.html'
- be sure to add {% csrf_token %} and the required middlewares and context processors
- add a raise Exception(str(c)) between L45 and L46 of http://code.djangoproject.com/browser/django/trunk/django/contrib/flatpages/views.py, so you can inspect the content of the response context
In my case, this is the context:
[{'login_form': <django.contrib.auth.forms.AuthenticationForm object at 0x102494a50>}, {'MEDIA_URL': '/media/'}, {'request': <WSGIRequest GET:<QueryDict: {}>, POST:<QueryDict: {}>, COOKIES:{'__utma': '158801083.1369707719.1258975226.1258975226.1258975226.1', '__utmz': '158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)', 'sessionid': 'db3a36a56037381e6fffb8ece7f3d9ca'}, META:{'DOCUMENT_ROOT': '/Users/phretor/public_html/vplab/public', 'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTPS': 'off', 'HTTP_ACCEPT': 'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'en-us', 'HTTP_CACHE_CONTROL': 'max-age=0', 'HTTP_CONNECTION': 'keep-alive', 'HTTP_COOKIE': '__utma=158801083.1369707719.1258975226.1258975226.1258975226.1; __utmz=158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionid=db3a36a56037381e6fffb8ece7f3d9ca', 'HTTP_HOST': 'vplab', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9', 'PATH': '/bin:/usr/bin:/sbin:/usr/sbin', 'PATH_INFO': u'/library/', 'PATH_TRANSLATED': '/Users/phretor/public_html/vplab/public/library/', 'QUERY_STRING': '', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '48885', 'REQUEST_METHOD': 'GET', 'REQUEST_URI': '/library/', 'SCRIPT_FILENAME': '', 'SCRIPT_NAME': u'', 'SCRIPT_URL': '/library/', 'SERVER_ADDR': '127.0.0.1', 'SERVER_NAME': 'vplab', 'SERVER_PORT': '80', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SERVER_SIGNATURE': '<address>Cherokee web server</address>', 'SERVER_SOFTWARE': 'Cherokee/0.99.24 (UNIX)', 'wsgi.errors': <flup.server.fcgi_base.TeeOutputStream object at 0x10250a8d0>, 'wsgi.input': <flup.server.fcgi_base.InputStream object at 0x10244ff50>, 'wsgi.multiprocess': False, 'wsgi.multithread': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}>}, {'perms': <django.utils.functional.__proxy__ object at 0x102494e10>, 'messages': <django.utils.functional.__proxy__ object at 0x102494990>, 'user': <django.utils.functional.SimpleLazyObject object at 0x1024268d0>}, {'csrf_token': <django.utils.functional.__proxy__ object at 0x10250a190>}, {'csrf_token': <django.utils.functional.__proxy__ object at 0x102520450>}, {'flatpage': <FlatPage: /library/ -- Welcome to the eLibrary>}]
Change History (3)
comment:1 by , 15 years ago
comment:2 by , 15 years ago
Resolution: | → fixed
---|---
Status: | new → closed
The problem is caused by the fact that if a 404 is raised because nothing matched the URLconf, then the middleware process_view methods are skipped (there is no found view, so you can't call them). This includes CsrfViewMiddleware.process_view, so the necessary setup for the csrf_token is not done. The fix is to use @csrf_protect on the flatpages view.
The fix on that other site, BTW, is wrong, because it neuters a test which was there for a good reason.
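The mechanism in the closing comment, modelled as an added Python example (written for this page; it is neither Django's code nor the ticket's patch). The classes and functions are simplified stand-ins named after their Django counterparts (CsrfViewMiddleware.process_view, the csrf context processor, FlatpageFallbackMiddleware.process_response, csrf_protect, BaseHandler); the 'csrftoken' cookie name, the token format and the handler loop are assumptions that keep the model small. It shows why a flatpage served from the 404 fallback renders NOTPROVIDED, that the CSRF check is likewise never run on a POST to that page, and how wrapping the view with csrf_protect restores both.

```python
# Toy model of the Django request cycle described in the closing comment.
# Written for this page as an illustration; it is NOT Django's code. The names
# mirror Django's, the bodies are simplified stand-ins, and the cookie name,
# token format and handler loop are assumptions.
import secrets
from functools import wraps

NOTPROVIDED = "NOTPROVIDED"

class Request:
    def __init__(self, path, method="GET", post=None, cookie=None):
        self.path_info, self.method, self.POST = path, method, post or {}
        self.COOKIES = {"csrftoken": cookie} if cookie else {}
        self.META = {}

class Response:
    def __init__(self, status_code, body=""):
        self.status_code, self.body = status_code, body

class CsrfViewMiddleware:
    """Django does the per-request CSRF setup, and the POST check, in
    process_view; a view reached without process_view gets neither."""
    def process_view(self, request, view, args, kwargs):
        token = request.COOKIES.get("csrftoken") or secrets.token_hex(16)
        request.META["CSRF_COOKIE"] = token   # what get_token() reads later
        if request.method == "POST" and request.POST.get("csrfmiddlewaretoken") != token:
            return Response(403, "CSRF verification failed")
        return None

def csrf_context_processor(request):
    """Mirrors django.core.context_processors.csrf: a lazy value resolved at
    render time, 'NOTPROVIDED' when CSRF_COOKIE was never set."""
    def _get_val():
        return request.META.get("CSRF_COOKIE") or NOTPROVIDED
    return {"csrf_token": _get_val}   # callable standing in for Django's lazy __proxy__

def render(request, template_vars):
    ctx = dict(template_vars, **csrf_context_processor(request))
    token = ctx["csrf_token"]()   # {% csrf_token %} evaluates the lazy value here
    return Response(200, f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">')

def flatpage(request, url):
    return render(request, {"flatpage": url})

def csrf_protect(view):
    """Stand-in for django.views.decorators.csrf.csrf_protect, which is
    decorator_from_middleware(CsrfViewMiddleware): process_view runs inside the view."""
    mw = CsrfViewMiddleware()
    @wraps(view)
    def wrapped(request, *args, **kwargs):
        early = mw.process_view(request, view, args, kwargs)
        return early if early is not None else view(request, *args, **kwargs)
    return wrapped

class FlatpageFallbackMiddleware:
    """Serves the flatpage from process_response once the URLconf produced a 404."""
    def __init__(self, view):
        self.view = view
    def process_response(self, request, response):
        return self.view(request, request.path_info) if response.status_code == 404 else response

def handle(request, urlconf, middleware):
    """Simplified BaseHandler: resolve -> process_view hooks -> view -> process_response."""
    view = urlconf.get(request.path_info)
    if view is None:
        response = Response(404)   # nothing resolved, so the process_view hooks are skipped
    else:
        response = None
        for mw in middleware:
            if hasattr(mw, "process_view"):
                response = mw.process_view(request, view, (), {})
                if response is not None:
                    break
        response = response or view(request)
    for mw in reversed(middleware):
        if hasattr(mw, "process_response"):
            response = mw.process_response(request, response)
    return response

def rendered_token(response):
    return response.body.split('value="')[1].split('"')[0]

def _middleware(protected):
    view = csrf_protect(flatpage) if protected else flatpage
    return [CsrfViewMiddleware(), FlatpageFallbackMiddleware(view)]

def flatpage_token(protected):
    """Token rendered by GET /library/ served via the fallback, with or without the fix."""
    return rendered_token(handle(Request("/library/"), {}, _middleware(protected)))

def flatpage_post_status(protected, cookie, posted):
    """Status of a POST to the flatpage: the CSRF check only runs when the view is decorated."""
    req = Request("/library/", "POST", {"csrfmiddlewaretoken": posted}, cookie)
    return handle(req, {}, _middleware(protected)).status_code

def urlconf_view_token():
    """Contrast: a view the URLconf resolves passes through process_view and gets a token."""
    urlconf = {"/accounts/": lambda request: render(request, {})}
    return rendered_token(handle(Request("/accounts/"), urlconf, _middleware(False)))
```

The point to take away is that csrf_protect is decorator_from_middleware(CsrfViewMiddleware), so it both makes the token available to {% csrf_token %} and enforces the check on POST; a view that is only reachable from a process_response fallback never gets either from the middleware alone, which is why the unpatched flatpage renders NOTPROVIDED and also accepts a POST carrying a bogus token.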