﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29252	Add CSRF protection to LogoutView	Filip Dimitrovski	nobody	"The current implementation in django.contrib.auth.views.LogoutView allows both GET and POST requests without any CSRF protection. A simple 
{{{
   <img src=""http://djangoapp/logout"" />
}}}
on an exploit page could log out the user. While this is a low security risk, it's still a DoS issue and could prevent the user from using the app. 

Instead of fixing the view, it may make sense to just change the [https://docs.djangoproject.com/en/2.0/topics/auth/default/#django.contrib.auth.views.LogoutView docs] to warn the programmer of such a problem and suggest overriding LogoutView and changing dispatch()."	Bug	new	contrib.auth	dev	Normal		denial of service,csrf		Unreviewed	0	0	0	0	1	0
