Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default

From: Magnus Hagander
Subject: Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Date:
Msg-id: CABUevEzW_1PL_DTACTZUdwV_hkbPn56xsH_OjCUkLjhX6hS6aA@mail.gmail.com
In reply to: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default  (Marti Raudsepp <marti@juffo.org>)
Responses: Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default  (Marti Raudsepp <marti@juffo.org>)
List: pgsql-www

On Tue, Oct 30, 2012 at 9:54 PM, Marti Raudsepp <marti@juffo.org> wrote:
> Hi list,
>
> I noticed that most of the forms on the Postgres community site don't
> use CSRF protection. That's bad -- CSRF should be on by default.
>
> I went through all the views that handle POST data and didn't find any
> that should handle input from cross-domain requests. But CSRF
> exceptions, if any, should be decorated with @csrf_exempt (from
> django.views.decorators.csrf).
>
> Also available from my Github repo: https://github.com/intgr/pgweb

Hi!

The diff appears to be reversed. But that's easy enough to deal with during commit.

Have you verified that it works with django 1.2 as well? The production deployment is on that quite old version still... 

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
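
An added example, not part of the original messages and not pgweb code: a standard-library sketch of the audit described in the quoted message, listing every view that touches POST data and whether it carries @csrf_exempt. The sample module and the names audit_views, _decorator_names and _reads_post are constructed for illustration.

```python
import ast

# Constructed sample views module (hypothetical, not taken from pgweb).
SAMPLE = '''
from django.views.decorators.csrf import csrf_exempt

def signup(request):
    if request.method == "POST":
        name = request.POST["name"]
    return None

@csrf_exempt
def webhook(request):
    return request.POST.get("payload")

def listing(request):
    return request.GET.get("page")
'''

def _decorator_names(func):
    """Collect bare decorator names: @x, @mod.x and @x(...) all yield 'x'."""
    names = set()
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if isinstance(target, ast.Attribute):
            names.add(target.attr)
        elif isinstance(target, ast.Name):
            names.add(target.id)
    return names

def _reads_post(func):
    """True if the body mentions request.POST or the string "POST"."""
    for node in ast.walk(func):
        if isinstance(node, ast.Attribute) and node.attr == "POST":
            return True
        if isinstance(node, ast.Constant) and node.value == "POST":
            return True
    return False

def audit_views(source):
    """Map each POST-handling view to 'exempt' or 'protected'."""
    report = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and _reads_post(node):
            exempt = "csrf_exempt" in _decorator_names(node)
            report[node.name] = "exempt" if exempt else "protected"
    return report

if __name__ == "__main__":
    for name, status in sorted(audit_views(SAMPLE).items()):
        print(f"{name}: {status}")
```

Here "protected" means the view would be checked by CsrfViewMiddleware once it is enabled, so its form needs a CSRF token; every "exempt" entry is a view to review by hand.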
