id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
12358,"RequestContent with ""poisoned"" csrf_token for flatpages",phretor,nobody,"If a form that needs {% csrf_token %} is included in the template of a flatpage, the {{{context['csrf_request']}}} ends up being NOTPROVIDED. Very strange indeed. For example, this is a piece of the context:

{{{
[...] {'csrf_token': }, {'csrf_token': }, {'flatpage': } [...]
}}}

Other people have noticed the same problem while using a 3rd party app, but this is just a coincidence. However, they also claim to have a patch but I haven't applied it as it is not official:

 * http://code.google.com/p/django-multilingual/issues/detail?id=106#c0

To reproduce the problem:

 * include an instance of django.contrib.auth.forms.UserCreationForm (http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/forms.py#L10) into a 'flatpages/default.html'
 * be sure to add {% csrf_token %} and the required middlewares and context processors
 * add a raise Exception(str(c)) between L45 and L46 of http://code.djangoproject.com/browser/django/trunk/django/contrib/flatpages/views.py, so you can inspect the content of the response context

In my case, this is the context:

{{{
[{'login_form': }, {'MEDIA_URL': '/media/'}, {'request': , POST:, COOKIES:{'__utma': '158801083.1369707719.1258975226.1258975226.1258975226.1', '__utmz': '158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)', 'sessionid': 'db3a36a56037381e6fffb8ece7f3d9ca'}, META:{'DOCUMENT_ROOT': '/Users/phretor/public_html/vplab/public', 'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTPS': 'off', 'HTTP_ACCEPT': 'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'en-us', 'HTTP_CACHE_CONTROL': 'max-age=0', 'HTTP_CONNECTION': 'keep-alive', 'HTTP_COOKIE': 
'__utma=158801083.1369707719.1258975226.1258975226.1258975226.1; __utmz=158801083.1258975226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionid=db3a36a56037381e6fffb8ece7f3d9ca', 'HTTP_HOST': 'vplab', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9', 'PATH': '/bin:/usr/bin:/sbin:/usr/sbin', 'PATH_INFO': u'/library/', 'PATH_TRANSLATED': '/Users/phretor/public_html/vplab/public/library/', 'QUERY_STRING': '', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '48885', 'REQUEST_METHOD': 'GET', 'REQUEST_URI': '/library/', 'SCRIPT_FILENAME': '', 'SCRIPT_NAME': u'', 'SCRIPT_URL': '/library/', 'SERVER_ADDR': '127.0.0.1', 'SERVER_NAME': 'vplab', 'SERVER_PORT': '80', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SERVER_SIGNATURE': '
Cherokee web server
', 'SERVER_SOFTWARE': 'Cherokee/0.99.24 (UNIX)', 'wsgi.errors': , 'wsgi.input': , 'wsgi.multiprocess': False, 'wsgi.multithread': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}>}, {'perms': , 'messages': , 'user': }, {'csrf_token': }, {'csrf_token': }, {'flatpage': }] }}}",,closed,contrib.auth,dev,,fixed,csrf flatpages,,Unreviewed,1,0,0,0,0,0