Opened 6 years ago

Last modified 3 weeks ago

#16859 new Cleanup/optimization

CSRF Improvements

Reported by: Paul McMillan
Owned by: Paul McMillan
Component: CSRF
Version: master
Severity: Normal
Keywords:
Cc: cmawebsite@…, mail@…
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

This is a ticket to keep track of general CSRF improvements we want to add to Django.

This includes:

  • #16010 - add Origin checking
  • Optionally tie CSRF to sessions
  • Use signing to improve CSRF (maybe with sessions)
  • Improve domain/host checking - deal with the subdomain to subdomain problem
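The second and third items above (tying the token to the session, and signing it) in working form, as an added example for this ticket and not Django's own CSRF code: `issue_token`/`verify_token` bind a token to a session id with an HMAC, so a token captured in the attacker's own session, or planted into the victim's cookie jar by a sibling subdomain or a plain-HTTP MITM, does not verify in the victim's session. `verify_session_stored` is the server-side variant where the token lives only in the session and no signature is needed. `SERVER_KEY`, the function names and the session ids are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example only; a real deployment derives this from
# the application's secret key and never hard-codes it.
SERVER_KEY = b"constructed-example-key-not-for-production"


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over (session_id, nonce); the NUL separator keeps the two
    fields from being ambiguous when concatenated."""
    msg = f"{session_id}\x00{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Issue a CSRF token bound to one session: nonce.HMAC(key, session_id||nonce).

    The nonce makes every issued token distinct; the MAC makes the token
    unforgeable without SERVER_KEY and worthless in any other session.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, token: str) -> bool:
    """Verify a submitted token against the session that submitted it.

    Because the MAC covers session_id, a cookie an attacker managed to set
    for the victim (subdomain cookie injection, plain-HTTP MITM) carries a
    MAC over the attacker's session id and fails here, even though the
    cookie and form values match each other.
    """
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    # Constant-time comparison of the recomputed MAC against the submitted one.
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def verify_session_stored(session: dict, submitted: str) -> bool:
    """Variant for the 'tie CSRF to sessions' item: the token is kept only
    in the server-side session, so nothing from a cookie is trusted and no
    signature is required; the server just compares against its own copy."""
    stored = session.get("csrf_token")
    return stored is not None and hmac.compare_digest(stored, submitted)


if __name__ == "__main__":
    victim = "session-victim"
    attacker = "session-attacker"
    token = issue_token(victim)
    print("own session:      ", verify_token(victim, token))
    print("planted by attacker:", verify_token(victim, issue_token(attacker)))
```

The signed form is what makes a cookie-stored token safe against cookie injection without server-side state; once the token is stored in the session, `verify_session_stored` is sufficient and the cookie can be dropped entirely.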

Change History (12)

comment:1 Changed 3 years ago by Japneet Singh

This ticket requires some cleanup and some makeover. Optional tie setup may work or may not, as it has some vulnerabilities. I would like to add that we build a basic framework for these things to happen.

comment:2 Changed 2 years ago by Collin Anderson

Cc: cmawebsite@… added

comment:3 Changed 2 years ago by Asif Saifuddin Auvi

Version: 1.3 → master

comment:4 Changed 17 months ago by Raphael Michel

In case other people at the #duth sprint are looking into this: Shai Berger is working on a new approach to generating the tokens and I'm working on the usage of sessions for token storage.

Last edited 17 months ago by Raphael Michel

comment:5 Changed 17 months ago by Raphael Michel

Cc: mail@… added

I submitted a first version of a patch for session storage of CSRF tokens: https://github.com/django/django/pull/5600

I'd love to have some review on this, but I'm fine with postponing the merge after Shai landed his changes to CSRF handling, as those two will get merge conflicts and his one will be the bigger change.

comment:6 Changed 4 months ago by Tim Graham

Has patch: set

comment:7 Changed 4 months ago by Tim Graham <timograham@…>

In ddf169c:

Refs #16859 -- Allowed storing CSRF tokens in sessions.

Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.

comment:8 Changed 4 months ago by Tim Graham

Has patch: unset

comment:9 Changed 3 months ago by Tim Graham <timograham@…>

In 33e86b34:

Refs #16859 -- Disabled CSRF_COOKIE_* checks when using CSRF_USE_SESSIONS.

comment:10 Changed 2 months ago by Tim Graham <timograham@…>

In 503e944a:

Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.

comment:11 Changed 2 months ago by Tim Graham <timograham@…>

In 6bb01b0:

[1.11.x] Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.

Backport of 503e944ac792498e7b38c799d8e4b06f74e9d65a from master

comment:12 Changed 3 weeks ago by Ed Morley

Currently the CSRF middleware performs strict Referer header checking, to (a) mitigate MITM attacks that set a cookie via plain HTTP, and (b) prevent issues with malicious subdomains.

If the new CSRF_USE_SESSIONS is set to True, does that mean both of those issues can no longer occur, and so the strict referrer checking is then not required? (Along the lines of: https://github.com/django/django/pull/5600#issuecomment-154797097)
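The strict Referer checking that comment 12 refers to, together with the Origin checking from #16010, as an added example rather than the middleware's own code: `check_request_origin` prefers the Origin header when the browser sent one, falls back to Referer, and compares scheme, host and port exactly, so a sibling subdomain such as evil.example.com is rejected for app.example.com unless it is explicitly listed in `trusted_origins`, and an http:// Referer on an HTTPS request (the plain-HTTP MITM case) is rejected too. The assumption that Referer is only enforced for HTTPS requests, the function names and the header values are this example's own.

```python
from urllib.parse import urlsplit


def _origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it is not an http(s)
    URL with a parseable host. A bare "null" Origin yields None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def check_request_origin(headers, request_host, is_secure, trusted_origins=()):
    """Return (True, "") if the request passes, else (False, reason).

    headers:         dict of request headers; lookup is case-insensitive.
    request_host:    the Host the application is serving, already validated
                     against its allowed hosts, e.g. "app.example.com".
    is_secure:       True for HTTPS requests.
    trusted_origins: full origins ("https://sso.example.com") allowed to
                     submit forms to this host besides the host itself.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    scheme = "https" if is_secure else "http"
    expected = _origin_of(f"{scheme}://{request_host}")
    trusted = {_origin_of(t) for t in trusted_origins} - {None}

    def acceptable(origin):
        return origin is not None and (origin == expected or origin in trusted)

    origin = hdr.get("origin")
    if origin is not None:
        # "null" (sandboxed frame, privacy redirect) parses to None and is
        # rejected like any other mismatch: it proves nothing about the sender.
        if not acceptable(_origin_of(origin)):
            return False, f"Origin {origin!r} does not match {scheme}://{request_host}"
        return True, ""

    if not is_secure:
        # Assumption of this example: Referer is enforced only over HTTPS.
        # Over plain HTTP an active attacker controls the header anyway.
        return True, ""

    referer = hdr.get("referer")
    if referer is None:
        return False, "Referer header missing on HTTPS request"
    ref = _origin_of(referer)
    if ref is None:
        return False, f"Referer {referer!r} is malformed"
    if ref[0] != "https":
        # An http:// Referer on an https request indicates a downgrade or a
        # MITM-injected page; the MITM-set-cookie case in comment 12.
        return False, "Referer is not https"
    if not acceptable(ref):
        # Exact host and port match: no suffix matching, so app.example.com
        # does not accept evil.example.com or app.example.com.evil.net.
        return False, f"Referer origin {ref!r} is not {expected!r}"
    return True, ""


if __name__ == "__main__":
    host = "app.example.com"
    for hdrs in ({"Referer": "https://app.example.com/form"},
                 {"Referer": "https://evil.example.com/"},
                 {"Referer": "http://app.example.com/form"},
                 {"Origin": "null"},
                 {}):
        print(hdrs, "->", check_request_origin(hdrs, host, True))
```

The check deliberately parses with `urlsplit` and compares the hostname, not the raw string, so `https://app.example.com@evil.net/` (userinfo) and `https://app.example.com.evil.net/` (suffix) both resolve to the wrong host and are rejected.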
