On Wed, Nov 7, 2012 at 7:49 PM, Magnus Hagander <magnus@hagander.net> wrote:
> This broke the admin interface form to access varnish. I've made it
> exempt. Is there any actual reason why we need it in the admin
> interface, since you need to have a session logged in as an
> administrator already to access it?
Yes, you *especially* need CSRF protection in the admin interface.
Anything that performs privileged actions and is authenticated via
cookies without CSRF protection is vulnerable.

Say for example I send you a bug report with a link to
http://my-evil-server/page.html . Not suspecting anything, you follow
the link.

This page contains a hidden <form method=POST
action="https://www.postgresql.org/admin/...">, with custom fields
based on the actions I want to perform. This form is submitted on page
load via JavaScript into a hidden iframe -- all without you realizing
it.

If you have an authenticated session on postgresql.org, then your
browser will happily pass your personal cookie on to postgresql.org,
along with any form fields dictated by the attacker -- thus the
attacker can use your session to perform any actions you are
authenticated to perform. Such as changing your account password.

This is a major vulnerability, not just security masturbation.
> It also broke the purging API. Also made exempt, but that appears to
> not solve the problem. Do I need to do something more than add
> @csrf_exempt to a view function to make it not broken? The error
> message talks about the referrer header - but surely that shouldn't be
> a requirement when you've set @csrf_exempt?
It seems that the problem is the @ssl_required decorator -- it returns
a new wrapped view without copying over attributes of the original
view, such as "csrf_exempt". Changing the decorator order won't work
either because that will confuse PgMiddleware.

I'll send a patch to fix @ssl_required some time soon.
> We may well have missed more parts :( Clearly neither one of us tested
> this patch very well.
"It all worked on my computer" ;)
But my setup is plain Django. I admit, I should have put more thought
into it, once you told me about the cookie magic that happens in
Varnish.
Regards,
Marti
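The decorator bug Marti diagnoses above, as an added illustration that is not code from the thread or from the pgweb project: a wrapper that returns a fresh function drops the csrf_exempt marker, so the CSRF check still fires; functools.wraps copies the original view's attributes onto the wrapper and the exemption survives. The csrf_exempt stand-in, the ssl_required variants, the toy middleware and the dict-based request are all constructed here to run without Django.

```python
import functools


def csrf_exempt(view):
    """Stand-in for Django's csrf_exempt: marks the view so the CSRF check skips it."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped


def ssl_required_broken(view):
    """The faulty pattern from the thread: the wrapper is a brand-new function,
    so attributes set on the inner view (csrf_exempt) are lost."""
    def wrapped(request, *args, **kwargs):
        if not request.get("is_secure"):
            return "redirect-to-https"
        return view(request, *args, **kwargs)
    return wrapped


def ssl_required_fixed(view):
    """Same behaviour, but functools.wraps copies __name__, __doc__ and
    __dict__ (and with it csrf_exempt) from the inner view onto the wrapper."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        if not request.get("is_secure"):
            return "redirect-to-https"
        return view(request, *args, **kwargs)
    return wrapped


def csrf_middleware(view, request):
    """Minimal model of a CSRF check: state-changing requests to a view that is
    not marked exempt must carry a token matching the CSRF cookie."""
    if request.get("method") in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return view(request)
    if getattr(view, "csrf_exempt", False):
        return view(request)
    if not request.get("csrf_token") or request.get("csrf_token") != request.get("cookie_csrf"):
        return "403 CSRF verification failed"
    return view(request)


@ssl_required_broken
@csrf_exempt
def purge_broken(request):  # constructed stand-in for the purging API view
    return "purged"


@ssl_required_fixed
@csrf_exempt
def purge_fixed(request):
    return "purged"


def is_exempt(view):
    """What the middleware sees: does the outermost wrapper still carry the marker?"""
    return bool(getattr(view, "csrf_exempt", False))
```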