Opened 7 years ago
Last modified 7 years ago
#29252 closed Bug
Add CSRF protection to LogoutView — at Version 2
Reported by: | Filip Dimitrovski | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | denial of service, csrf |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description (last modified by )
The current implementation in django.contrib.auth.views.LogoutView allows both GET and POST requests without any CSRF protection. A simple `<img src="http://djangoapp/logout" />` on an exploit page could log out the user. While this is a low security risk, it's still a DoS issue and could prevent the user from using the app.
Instead of fixing the view, it may make sense to just change the docs to warn the programmer of such a problem and suggest overriding LogoutView and changing dispatch().
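To show what the suggested dispatch() override buys, here is an added, framework-free sketch of a logout view that refuses unsafe methods and verifies a CSRF token before touching the session. It is not Django's code and not from the ticket author; the `Request`, `Response` and `SafeLogoutView` classes and the three request builders are constructed stand-ins for illustration. In a real Django project the same effect comes from setting `http_method_names = ['post']` on the LogoutView subclass and applying `csrf_protect` via `method_decorator`; the hand-written token check below only mimics that middleware so the example runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a framework request (not django.http.HttpRequest).
@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)   # the browser attaches these to cross-site loads too
    post: dict = field(default_factory=dict)      # form body; an <img> tag can never populate this
    session: dict = field(default_factory=dict)   # server-side session the logout would clear

@dataclass
class Response:
    status: int
    body: str = ""

CSRF_COOKIE = "csrftoken"            # names mirror Django's defaults, values are constructed
CSRF_FIELD = "csrfmiddlewaretoken"

def new_csrf_token() -> str:
    """Fresh random token, stored in a cookie and echoed back in every logout form."""
    return secrets.token_hex(32)

class SafeLogoutView:
    """Logout that only accepts CSRF-protected POST requests.

    Mirrors the dispatch() override the ticket suggests: reject unsafe methods
    before any state change, then verify the CSRF token before clearing the session.
    """
    http_method_names = ["post"]

    def dispatch(self, request: Request) -> Response:
        if request.method.lower() not in self.http_method_names:
            return Response(405, "Method Not Allowed")
        if not self._csrf_ok(request):
            return Response(403, "CSRF verification failed")
        return self.post(request)

    @staticmethod
    def _csrf_ok(request: Request) -> bool:
        cookie = request.cookies.get(CSRF_COOKIE)
        submitted = request.post.get(CSRF_FIELD)
        if not cookie or not submitted:
            return False
        # Constant-time comparison so the check itself leaks nothing about the token.
        return hmac.compare_digest(cookie, submitted)

    def post(self, request: Request) -> Response:
        request.session.clear()
        return Response(200, "Logged out")

# --- Three request shapes, built to show what the view does with each ---

def cross_site_image_request(session: dict, cookies: dict) -> Response:
    """What the <img src="http://djangoapp/logout"> from the report produces:
    a GET with the victim's cookies attached and no form body."""
    return SafeLogoutView().dispatch(Request("GET", cookies=cookies, session=session))

def cross_site_post_without_token(session: dict, cookies: dict) -> Response:
    """A POST from another origin carries cookies but cannot include the token,
    because the other origin cannot read the csrftoken cookie."""
    return SafeLogoutView().dispatch(Request("POST", cookies=cookies, post={}, session=session))

def same_origin_logout_form(session: dict, cookies: dict) -> Response:
    """The application's own logout form: POST with the token echoed from the cookie."""
    body = {CSRF_FIELD: cookies[CSRF_COOKIE]}
    return SafeLogoutView().dispatch(Request("POST", cookies=cookies, post=body, session=session))

if __name__ == "__main__":
    session = {"user_id": 42}
    cookies = {CSRF_COOKIE: new_csrf_token()}
    for name, fn in [("img tag GET", cross_site_image_request),
                     ("cross-site POST", cross_site_post_without_token),
                     ("own logout form", same_origin_logout_form)]:
        resp = fn(session, cookies)
        print(f"{name:16} -> {resp.status} {resp.body}; session now {session}")
```

With the original GET-tolerant view the first request would already have emptied the session; here it is rejected with 405 before any state change, the token-less POST gets 403, and only the application's own form logs the user out.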
Change History (2)
comment:1 by , 7 years ago
Easy pickings: | set
---|---
comment:2 by , 7 years ago
Description: | modified (diff)
---|---