id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15845	CSRF validation leak	Jay <jay.shure@…>	nobody	"The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME] and request.POST.get('csrfmiddlewaretoken', '') to see if a request is legal. But unfortunately both values are provided by the client side, and they are the same. So it is easy for attackers to fake a request so that no 403 will be thrown.

The attached project provides one URL entry that returns ""ok"" unless the CSRF check fails. The following commands show how to cheat.

{{{
# 200
curl http://127.0.0.1:8000

# 200
curl -G -d test=test http://127.0.0.1:8000

# 403
curl -d test=test http://127.0.0.1:8000

# 200
curl -d ""test=test;csrfmiddlewaretoken=1"" -b csrftoken=1  http://127.0.0.1:8000
}}}


"	Bug	closed	CSRF	1.3	Normal	invalid			Unreviewed	0	0	0	0	0	0
