Opened 8 years ago

Closed 8 years ago

#5292 closed (fixed)

CsrfMiddleware does not protect from forged POST request with no data

Reported by: Jakub Wilk <django@…>
Owned by: adrian
Component: Contrib apps
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

django.contrib.csrf.CsrfMiddleware permits any POST request with no data. This is entirely wrong.

Attachments (1)

csrf-empty-post.diff (418 bytes) - added by Jakub Wilk <django@…> 8 years ago.


Change History (5)

Changed 8 years ago by Jakub Wilk <django@…>

comment:1 Changed 8 years ago by Simon G. <dev@…>

  • Component changed from Uncategorized to Contrib apps
  • Needs documentation unset
  • Needs tests unset
  • Owner changed from jacob to adrian
  • Patch needs improvement unset
  • Summary changed from CrsfMiddleware does not protect from forged POST request with no data to CsrfMiddleware does not protect from forged POST request with no data
  • Triage Stage changed from Unreviewed to Ready for checkin

comment:2 Changed 8 years ago by ubernostrum

Out of curiosity, what's the security impact of a CSRF that doesn't post any data?

comment:3 Changed 8 years ago by SmileyChris

A POST request, even an empty one, could potentially be all a view was looking for to do a delete or something.

comment:4 Changed 8 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [6038]) Fixed #5292 -- Changed CSRF middleware to check for request.method == 'POST' instead of request.POST dictionary not being empty. Thanks, Jakub Wilk
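The two gates the commit contrasts, side by side, as an added example (not Django's own middleware, which this page does not reproduce). The Request class is a constructed stand-in for HttpRequest; the cookie and form field names, the SECRET_KEY, and the HMAC-SHA1 token derivation are assumptions chosen for the example. The forged request is what a victim's browser sends when an attacker page auto-submits a form with no fields: the session cookie rides along, the body is empty.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Cookie and field names and the secret are assumptions for this example.
SESSION_COOKIE_NAME = "sessionid"
TOKEN_FIELD = "csrfmiddlewaretoken"
SECRET_KEY = "example-secret-key"


@dataclass
class Request:
    """Constructed stand-in for the request object; not Django's HttpRequest."""
    method: str
    POST: dict = field(default_factory=dict)
    COOKIES: dict = field(default_factory=dict)


def make_token(session_id: str) -> str:
    """Derive the per-session CSRF token. HMAC-SHA1 over the session id is an
    assumption chosen for this example, not the page's own derivation."""
    return hmac.new(SECRET_KEY.encode(), session_id.encode(), hashlib.sha1).hexdigest()


def process_request(request: Request, check_all_posts: bool):
    """Return None to let the request through, or 403 to reject it.

    check_all_posts=False reproduces the pre-fix gate (non-empty POST dict);
    check_all_posts=True reproduces the fix (request.method == 'POST').
    """
    guarded = request.method == "POST" if check_all_posts else bool(request.POST)
    if not guarded:
        return None
    session_id = request.COOKIES.get(SESSION_COOKIE_NAME)
    if session_id is None:
        return None  # no session, nothing for a forged request to act as
    expected = make_token(session_id)
    submitted = request.POST.get(TOKEN_FIELD)
    if submitted is None or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    return None


def forged_empty_post(session_id: str) -> Request:
    """What the victim's browser sends when an attacker page auto-submits
    <form method="POST" action="/account/delete/"></form>: the session
    cookie is attached by the browser, but the body has no fields, so
    request.POST is empty and the pre-fix gate never runs the token check."""
    return Request(method="POST", POST={}, COOKIES={SESSION_COOKIE_NAME: session_id})


def legitimate_post(session_id: str) -> Request:
    """A form submission carrying the token the server issued for this session."""
    return Request(
        method="POST",
        POST={TOKEN_FIELD: make_token(session_id)},
        COOKIES={SESSION_COOKIE_NAME: session_id},
    )


if __name__ == "__main__":
    forged = forged_empty_post("victim-session")
    print("pre-fix, forged empty POST:", process_request(forged, check_all_posts=False))  # None
    print("fixed,   forged empty POST:", process_request(forged, check_all_posts=True))   # 403
    print("fixed,   legitimate POST:  ", process_request(legitimate_post("victim-session"), True))  # None
```

Under the pre-fix gate the forged request is never examined at all, because `bool(request.POST)` is False; the fix keys the decision on the method, so an empty body is no longer a way around the token check while GET and other safe methods still pass untouched.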
