Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
| From | Marti Raudsepp |
|---|---|
| Subject | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
| Date | |
| Msg-id | CABRT9RBq6v2k1ui5j3meW5zR-98NGAMuBQb0Jbk2g6fnkUb3Mw@mail.gmail.com |
| In reply to | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default (Magnus Hagander <magnus@hagander.net>) |
| Responses | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
| List | pgsql-www |
On Wed, Nov 7, 2012 at 7:49 PM, Magnus Hagander <magnus@hagander.net> wrote:
> This broke the admin interface form to access varnish. I've made it
> exempt. Is there any actual reason why we need it in the admin
> interface, since you need to have a session logged in as an
> administrator already to access it?

Yes, you *especially* need CSRF protection in the admin interface. Anything that performs privileged actions and is authenticated via cookies without CSRF protection is vulnerable.

Say for example I send you a bug report with a link to http://my-evil-server/page.html . Not suspecting anything, you follow the link. This page contains a hidden <form method=POST action="https://www.postgresql.org/admin/...">, with custom fields based on the actions I want to perform. This form is submitted on page load via JavaScript into a hidden iframe -- all without you realizing it.

If you have an authenticated session on postgresql.org, then your browser will happily pass your personal cookie on to postgresql.org, along with any form fields dictated by the attacker -- thus the attacker can use your session to perform any actions you are authenticated to perform. Such as changing your account password.

This is a major vulnerability, not just security masturbation.

> It also broke the purging API. Also made exempt, but that appears to
> not solve the problem. Do I need to do something more than add
> @csrf_exempt to a view function to make it not broken? The error
> message talks about the referrer header - but surely that shouldn't be
> a requirement when you've set @csrf_exempt?

It seems that the problem is the @ssl_required decorator -- it returns a new wrapped view without copying over attributes of the original view, such as "csrf_exempt". Changing the decorator order won't work either because that will confuse PgMiddleware. I'll send a patch to fix @ssl_required some time soon.

> We may well have missed more parts :( Clearly neither one of us tested
> this patch very well.

"It all worked on my computer" ;) But my setup is plain Django. I admit, I should have put more thought into it, once you told me about the cookie magic that happens in Varnish.

Regards,
Marti
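The attribute-loss problem Marti describes, as an added example that is not code from the pgsql-www site or from Django: `ssl_required_broken` and `ssl_required_fixed` are hypothetical stand-ins for the site's `@ssl_required` decorator, `csrf_exempt` and `csrf_middleware_allows` are simplified models of Django's exempt marker and the middleware's check, and the request is a constructed dict.

```python
import functools

# Simplified stand-in for Django's csrf_exempt: it marks the view with an
# attribute that CsrfViewMiddleware inspects before enforcing the token check.
def csrf_exempt(view):
    view.csrf_exempt = True
    return view

# Hypothetical decorator reproducing the bug in the thread: it returns a new
# wrapper function but never copies the original view's attributes, so the
# csrf_exempt marker set by the inner decorator is lost on the outer view.
def ssl_required_broken(view):
    def wrapper(request, *args, **kwargs):
        if not request.get("is_secure"):
            return {"status": 301, "body": "redirect to https"}
        return view(request, *args, **kwargs)
    return wrapper

# Fixed version: functools.wraps copies __name__, __doc__ and, importantly,
# the wrapped view's __dict__, which is where csrf_exempt lives.
def ssl_required_fixed(view):
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.get("is_secure"):
            return {"status": 301, "body": "redirect to https"}
        return view(request, *args, **kwargs)
    return wrapper

# Simplified model of the middleware decision: safe methods pass, exempt
# views pass, everything else needs a valid CSRF token.
def csrf_middleware_allows(view, request):
    if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    if getattr(view, "csrf_exempt", False):
        return True
    return request.get("csrf_token_valid", False)

def purge_view(request):
    return {"status": 200, "body": "purged"}

# Constructed request from a trusted purge client that sends no CSRF token.
PURGE_REQUEST = {"method": "POST", "is_secure": True}

broken_view = ssl_required_broken(csrf_exempt(purge_view))
fixed_view = ssl_required_fixed(csrf_exempt(purge_view))

def check_both():
    # Returns (allowed through broken decorator, allowed through fixed one).
    return (csrf_middleware_allows(broken_view, PURGE_REQUEST),
            csrf_middleware_allows(fixed_view, PURGE_REQUEST))
```

Swapping the decorator order would put `csrf_exempt` on the outer wrapper instead, which is why Marti notes that only fixing the wrapping decorator itself resolves it cleanly.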