Opened 6 years ago
Last modified 6 years ago
#29252 closed Bug
Add CSRF protection to LogoutView — at Initial Version
| Reported by: | Filip Dimitrovski | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | denial of service, csrf |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
The current implementation in django.contrib.auth.views.LogoutView allows both GET and POST requests without any CSRF protection. A simple
<img src="http://djangoapp/logout" />
on an exploit page could log out the user. While this is a low security risk, it's still a DoS issue and could prevent the user from using the app.
Note:
See TracTickets
for help on using tickets.