Opened 7 years ago

Closed 7 years ago

#9776 closed (duplicate)

No CSRF protection for auth system logout view

Reported by: Mez
Owned by: nobody
Component: contrib.auth
Version: 1.0
Severity:
Keywords: csrf logout
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


Having looked through the documentation, it seems that there is a sorely missed point.

The logout function doesn't seem to have any form of CSRF protection that I can notice, meaning that someone could easily place an image with the URL of (or whatever the URL is) and make it so that anyone who views the page with the image on it is logged out.

This to me seems a massive oversight in the system, and I can foresee times where, due to a badly configured permission system, an admin cannot easily delete offending content which has an image or something similar to this in it.
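To make the reported scenario concrete, here is an added example that is not part of the ticket and not Django's own code: a toy session-backed app with the unprotected logout view beside a POST-plus-token version, and a simulation of the `<img src=...>` trick against each. The path `/accounts/logout/`, the form field name `csrfmiddlewaretoken`, and the per-session token scheme are assumptions chosen to resemble Django conventions; Django's real middleware differs in detail.

```python
# Toy model of a session-backed web app with a logout endpoint. Shows why a
# logout view that acts on GET can be triggered cross-site by an <img> tag,
# and how requiring POST plus a session-bound token resists it. Illustrative
# code only, not Django's: the URL, the field name and the token scheme are
# assumptions made for this example.
import hmac
import secrets
from dataclasses import dataclass, field

LOGOUT_PATH = "/accounts/logout/"  # assumed path; the ticket does not name it


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class App:
    def __init__(self):
        # session id -> {"user": name, "csrf": per-session token}
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def is_logged_in(self, sid):
        return sid in self.sessions

    def logout_unprotected(self, req):
        """Vulnerable form: any request carrying the session cookie logs the
        user out, regardless of method or of who caused the browser to send it."""
        self.sessions.pop(req.cookies.get("sessionid"), None)
        return 302

    def logout_protected(self, req):
        """Hardened form: state changes only on POST, and only when the form
        carries the token tied to this session, which a cross-site <img> or
        auto-submitted <form> cannot read."""
        if req.method != "POST":
            return 405
        sid = req.cookies.get("sessionid")
        sess = self.sessions.get(sid)
        if sess is None:
            return 302  # nothing to log out of
        token = req.form.get("csrfmiddlewaretoken", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403
        del self.sessions[sid]
        return 302


def img_tag_attack(app, handler):
    """The ticket's scenario: a logged-in victim views a page containing
    <img src="https://victim.example/accounts/logout/">. The browser fetches
    the "image" with a GET that carries the victim's cookies but no form body.
    Returns (status, still_logged_in)."""
    sid = app.login("victim")
    req = Request("GET", LOGOUT_PATH, cookies={"sessionid": sid})
    status = handler(req)
    return status, app.is_logged_in(sid)


def legitimate_logout(app):
    """The user's own logout form: POST with this session's token."""
    sid = app.login("alice")
    req = Request("POST", LOGOUT_PATH, cookies={"sessionid": sid},
                  form={"csrfmiddlewaretoken": app.csrf_token(sid)})
    status = app.logout_protected(req)
    return status, app.is_logged_in(sid)


def forged_post(app):
    """A cross-site auto-submitted <form method=post>: cookies go along,
    but the attacker cannot supply the victim's token."""
    sid = app.login("bob")
    req = Request("POST", LOGOUT_PATH, cookies={"sessionid": sid},
                  form={"csrfmiddlewaretoken": "guess"})
    status = app.logout_protected(req)
    return status, app.is_logged_in(sid)


if __name__ == "__main__":
    app = App()
    print("GET via <img>, unprotected:", img_tag_attack(app, app.logout_unprotected))
    print("GET via <img>, protected:  ", img_tag_attack(app, app.logout_protected))
    print("legitimate POST:           ", legitimate_logout(app))
    print("forged cross-site POST:    ", forged_post(app))
```

The two checks in the protected view do different jobs: refusing GET is what stops the `<img>` variant (an image fetch is always a GET with no body), while the token comparison is what stops a forged cross-site POST. Dropping either one reopens a path to the same result.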

Change History (1)

comment:1 Changed 7 years ago by Pyth

  • Keywords csrf logout added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #7989.
