Opened 17 years ago
Closed 17 years ago
#5292 closed (fixed)
CsrfMiddleware does not protect from forged POST request with no data
| Reported by: | | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | Contrib apps | Version: | dev |
| Severity: | | Keywords: | |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
django.contrib.csrf.CsrfMiddleware permits any POST request with no data. This is entirely wrong.
Attachments (1)
Change History (5)
by , 17 years ago
| Attachment: | csrf-empty-post.diff added |
|---|---|
comment:1 by , 17 years ago
| Component: | Uncategorized → Contrib apps |
|---|---|
| Owner: | changed from | to |
| Summary: | CrsfMiddleware does not protect from forged POST request with no data → CsrfMiddleware does not protect from forged POST request with no data |
| Triage Stage: | Unreviewed → Ready for checkin |
comment:2 by , 17 years ago
Out of curiosity, what's the security impact of a CSRF that doesn't post any data?
comment:3 by , 17 years ago
A POST request, even an empty one, could potentially be all a view was looking for to do a delete or something.
comment:4 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
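The point made in comment 3, as an added illustration that is not Django's middleware source: a check that only runs when form data is present waves through a bodyless POST, and a view for which the POST itself is the action (a delete) then fires. The `Request` class, field names and the two check functions are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    POST: dict = field(default_factory=dict)  # parsed form fields
    session_token: str = ""                   # CSRF token bound to the user's session

def _token_matches(request):
    submitted = request.POST.get("csrfmiddlewaretoken", "")
    return bool(submitted) and hmac.compare_digest(submitted, request.session_token)

def weak_csrf_check(request):
    """Reconstructs the defect the ticket describes: a POST with no form data is
    never checked, so a cross-site form with zero fields passes (illustrative)."""
    if request.method != "POST":
        return True
    if not request.POST:          # defect: empty body => no token => no check
        return True
    return _token_matches(request)

def hardened_csrf_check(request):
    """Every POST must carry a matching token, whatever the body contains."""
    if request.method != "POST":
        return True
    return _token_matches(request)

def delete_item_view(request, check):
    """A view of the kind comment 3 describes: the POST itself is the action.
    Returns an HTTP-style status: 403 if the check rejects, 200 if the delete ran."""
    if not check(request):
        return 403
    return 200  # item deleted

# Constructed sample traffic: one legitimate same-site POST, one forged empty POST.
SESSION_TOKEN = secrets.token_hex(16)
legit = Request("POST", {"csrfmiddlewaretoken": SESSION_TOKEN}, SESSION_TOKEN)
forged_empty = Request("POST", {}, SESSION_TOKEN)  # cross-site form with no fields

if __name__ == "__main__":
    for name, check in (("weak", weak_csrf_check), ("hardened", hardened_csrf_check)):
        print(name, "legit:", delete_item_view(legit, check),
              "forged empty:", delete_item_view(forged_empty, check))
```

Under the weak check the forged empty POST returns 200 (the delete ran); the hardened check returns 403 for it while still accepting the legitimate request.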