Opened 5 years ago

Closed 5 years ago

#9776 closed (duplicate)

No CSRF protection for auth system logout view

Reported by: Mez
Owned by: nobody
Component: contrib.auth
Version: 1.0
Severity:
Keywords: csrf logout
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Having looked through the documentation, it seems that there is a sorely missed point.

The logout function doesn't seem to have any form of CSRF protection that I can notice. This means that someone could easily place an image with the URL of http://www.yoursite.com/logout/ (or whatever the URL is) and make it so that anyone who views the page with the image on it is logged out.

This seems to me a massive oversight in the system, and I can foresee times where, due to a badly configured permission system, an admin cannot easily delete offending content which has an image or something similar to this in it.
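The following is an added, framework-free illustration of the point the reporter makes; it is not code from this ticket or from Django. It models a logout view that acts on any request (the situation described above: a browser fetching an image sends a GET carrying the session cookie, so the user is logged out) next to a hardened one that only changes state on POST and checks a double-submit CSRF token. The `Request`, `Response`, `SESSIONS` store and `simulate` helper are constructed for the example; in a real Django project the same two defences are `@require_POST` and `CsrfViewMiddleware`.

```python
"""Constructed example: GET-triggered logout versus POST + CSRF-token logout."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)   # sent by the browser automatically
    form: dict = field(default_factory=dict)      # POST body fields, if any


@dataclass
class Response:
    status: int
    body: str = ""


# Constructed in-memory session store: session id -> username.
SESSIONS = {}


def login(username):
    """Create a session and a per-session CSRF token; return the cookies a browser would hold."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return {"sessionid": sid, "csrftoken": secrets.token_hex(16)}


def is_logged_in(cookies):
    return cookies.get("sessionid") in SESSIONS


def logout_vulnerable(request):
    """Acts on any method: the GET produced by an <img> fetch is enough to end the session."""
    SESSIONS.pop(request.cookies.get("sessionid"), None)
    return Response(200, "logged out")


def logout_hardened(request):
    """Only a POST that carries the CSRF token matching the cookie may end the session."""
    # 1. State changes only via POST; a GET (image fetch, link click) does nothing.
    if request.method != "POST":
        return Response(405, "method not allowed")
    # 2. Double-submit check: the form field must equal the cookie value. A page on
    #    another origin cannot read this site's cookies, so it cannot forge the field.
    cookie_token = request.cookies.get("csrftoken", "")
    form_token = request.form.get("csrfmiddlewaretoken", "")
    if not cookie_token or not secrets.compare_digest(cookie_token, form_token):
        return Response(403, "CSRF verification failed")
    SESSIONS.pop(request.cookies.get("sessionid"), None)
    return Response(200, "logged out")


def simulate(view):
    """Send a cross-site style GET, then a legitimate POST, to `view`.

    Returns (logged_in_after_get, get_status, logged_in_after_post, post_status).
    """
    cookies = login("alice")
    # What an embedded image produces: a GET with the victim's cookies and no form body.
    cross_site_get = Request("GET", cookies=dict(cookies))
    r1 = view(cross_site_get)
    after_get = is_logged_in(cookies)
    # A real logout form rendered by the site includes the token as a hidden field.
    legit_post = Request("POST", cookies=dict(cookies),
                         form={"csrfmiddlewaretoken": cookies["csrftoken"]})
    r2 = view(legit_post)
    return after_get, r1.status, is_logged_in(cookies), r2.status


if __name__ == "__main__":
    print("vulnerable:", simulate(logout_vulnerable))   # (False, 200, False, 200)
    print("hardened:  ", simulate(logout_hardened))     # (True, 405, False, 200)
```

Note that requiring POST alone stops the image-tag case but not a hidden auto-submitting form on another origin; the token check is what closes that, which is why both steps are present.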

Attachments (0)

Change History (1)

comment:1 Changed 5 years ago by Pyth

  • Keywords csrf logout added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #7989.
