Opened 4 years ago

Closed 4 years ago

#13716 closed (fixed)

csrf_view_exempt stopped CSRF response post-processing working on 1.2

Reported by: edevil
Owned by: lukeplant
Component: Uncategorized
Version: 1.2
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I tried to upgrade from 1.1 to 1.2 but "csrf_view_exempt" stopped working and no mention of this is made in the documentation.

I have "django.contrib.csrf.middleware.CsrfMiddleware" in my middleware and have a view with the "csrf_view_exempt" decorator. I don't want the request to be checked for the CSRF token but I want the response to be processed and the token added if a form is found.

It seems that the Response CSRF Middleware no longer works if the CSRF View middleware didn't run before, since it checks for the CSRF cookie and there isn't one yet...

Attachments (1)

13716.diff (3.3 KB) - added by lukeplant 4 years ago.
patch with tests

Change History (6)

comment:1 Changed 4 years ago by darkrho

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 4 years ago by lukeplant

  • Owner changed from nobody to lukeplant
  • Status changed from new to assigned

It's a valid bug, unfortunately. I've attached a patch, which I'll apply when I'm less tired and more able to check that it is correct.

It doesn't cover the case where you might use CsrfResponseMiddleware and not use CsrfViewMiddleware at all. But that combination is pointless, because it gives you no security.

Changed 4 years ago by lukeplant

patch with tests

comment:3 Changed 4 years ago by lukeplant

  • Summary changed from csrf_view_exempt stopped working on 1.2 to csrf_view_exempt stopped CSRF response post-processing working on 1.2

This bug is triggered when you have a view for which you don't want the CSRF protection to be triggered (i.e. you want 3rd parties to be able to post to the view), and at the same time you have forms on that page that need the CSRF token in them. Those forms must be targeting other views, not the same view, otherwise they would be fine without the token.

I think these conditions mean that the overall impact of this bug is quite low. It's most likely to be triggered when you have (for example) a login box on every page, and some pages have the csrf_view_exempt decorator applied. The login box on those pages will be broken.

comment:4 Changed 4 years ago by edevil

My scenario is an OpenID/OAuth provider, which can receive POSTs from external server to its endpoint, and then must display a form to the user to request authorization. Of course, this form post will be to another view which checks for the CSRF token.
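The mechanism described in the report and in comments 3 and 4 can be shown with a small Python model of the middleware chain. This is an added example, not Django code and not the attached patch: Request, Response, the two middleware classes and get_token below are simplified stand-ins that assume the 1.2 behaviour works as the ticket describes (process_view stores the token on the request; the exempt short-circuit returns before that happens; the response middleware relies on get_token). The "fixed" branch models the assumed remedy of storing the token before honouring the exemption; it is not a claim about what r13336 actually changed.

```python
import secrets

COOKIE_NAME = "csrftoken"
HIDDEN_INPUT = '<input type="hidden" name="csrfmiddlewaretoken" value="%s" />'


class Request:
    """Just enough of HttpRequest for the model (constructed, not Django's class)."""
    def __init__(self, method, cookies=None, post=None):
        self.method = method
        self.COOKIES = dict(cookies or {})
        self.POST = dict(post or {})
        self.META = {}


class Response:
    def __init__(self, content, status=200):
        self.content = content
        self.status = status
        self.cookies = {}


def csrf_view_exempt(view):
    """Marks a view so the request-side check is skipped."""
    view.csrf_exempt = True
    return view


def get_token(request):
    """What the response post-processing relies on; None if process_view never stored one."""
    return request.META.get("CSRF_COOKIE")


class CsrfViewMiddleware:
    def __init__(self, regression):
        self.regression = regression  # True models the 1.2 behaviour reported in this ticket

    def process_view(self, request, view):
        exempt = getattr(view, "csrf_exempt", False)
        if self.regression and exempt:
            # Modelled regression: returning before the token is stored means
            # get_token() yields None for this request, so nothing gets injected.
            return None
        request.META["CSRF_COOKIE"] = request.COOKIES.get(COOKIE_NAME) or secrets.token_hex(16)
        if exempt:
            return None  # assumed fix: token is stored, only the check is skipped
        if request.method == "POST" and request.POST.get("csrfmiddlewaretoken") != request.META["CSRF_COOKIE"]:
            return Response("403 Forbidden", status=403)
        return None


class CsrfResponseMiddleware:
    def process_response(self, request, response):
        token = get_token(request)
        if token is None:
            return response  # nothing to inject: the form on an exempt page ships without a token
        response.content = response.content.replace("</form>", HIDDEN_INPUT % token + "</form>")
        response.cookies[COOKIE_NAME] = token
        return response


def run(view, request, regression):
    """Applies the chain in Django's order: process_view, then the view, then process_response."""
    early = CsrfViewMiddleware(regression).process_view(request, view)
    response = early if early is not None else view(request)
    return CsrfResponseMiddleware().process_response(request, response)


@csrf_view_exempt
def provider_endpoint(request):
    # Exempt endpoint (third parties POST here) that renders a form targeting the protected view.
    return Response('<form action="/authorize/" method="post"></form>')


def authorize(request):
    # Protected view the rendered form posts to; it needs the token in the form.
    return Response("authorized")


if __name__ == "__main__":
    r = run(provider_endpoint, Request("POST"), regression=True)
    print("regression, token injected:", "csrfmiddlewaretoken" in r.content)  # False
    r = run(provider_endpoint, Request("POST"), regression=False)
    print("fixed, token injected:     ", "csrfmiddlewaretoken" in r.content)  # True
```

In both modes the exempt endpoint still accepts a token-less POST, which is the property csrf_view_exempt is for; what differs is whether the form it renders can later pass the check on the protected view.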

comment:5 Changed 4 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [13336]) Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt

This was a regression caused by the CSRF changes in 1.2.

Thanks to edevil for the report.
