Opened 14 years ago
Closed 14 years ago
#13716 closed (fixed)
csrf_view_exempt stopped CSRF response post-processing working on 1.2
Reported by: | André Cruz | Owned by: | Luke Plant |
---|---|---|---|
Component: | Uncategorized | Version: | 1.2 |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I tried to upgrade from 1.1 to 1.2 but "csrf_view_exempt" stopped working and no mention of this is made in the documentation.
I have "django.contrib.csrf.middleware.CsrfMiddleware" in my middleware and have a view with the "csrf_view_exempt" decorator. I don't want the request to be checked for the CSRF token but I want the response to be processed and the token added if a form is found.
It seems that the Response CSRF Middleware no longer works if the CSRF View middleware didn't run before, since it checks for the CSRF cookie and there isn't one yet...
Attachments (1)
Change History (6)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
It's a valid bug, unfortunately. I've attached a patch, will I'll apply when I'm less tired and more able to check that it is correct.
It doesn't cover the case where you might use CsrfResponseMiddleware and not use CsrfViewMiddleware at all. But that combination is pointless, because it gives you no security.
comment:3 by , 14 years ago
Summary: | csrf_view_exempt stopped working on 1.2 → csrf_view_exempt stopped CSRF response post-processing working on 1.2 |
---|
This bug is triggered when you have a view for which you don't want the CSRF protection to be triggered (i.e. you want 3rd parties to be able to post to the view), and at the same time you have forms on that page that need the CSRF token in them. Those forms must be targeting other views, not the same view, otherwise they would be fine without the token.
I think these conditions mean that the overall impact of this bug is quite low. It's most likely to be triggered when you have (for example) a login box on every page, and some pages have the csrf_view_exempt
decorator applied. The login box on those pages will be broken.
comment:4 by , 14 years ago
My scenario is an OpenID/OAuth provider, which can receive POSTs from external server to its endpoint, and then must display a form to the user to request authorization. Of course, this form post will be to another view which checks for the CSRF token.
comment:5 by , 14 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Did you tried http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#upgrading-notes ?