innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Fixed #12130 - documented need for csrf_protect on views that don't accept POST 

Includes:
   
 * proper documentation for csrf_protect
 * notes in comments app.
 * specific upgrade notes for comments app

Thanks to carljm for report and debugging.




git-svn-id: http://code.djangoproject.com/svn/django/trunk@11711 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2009-11-03 14:40:37 +00:00
parent 585b7acaa3
commit 53b2c3867b
3 changed files with 43 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
django/views/csrf.py
View File

@ -39,6 +39,11 @@ CSRF_FAILRE_TEMPLATE = """
<li>In the template, there is a <code>{% templatetag openblock %} csrf_token <li>In the template, there is a <code>{% templatetag openblock %} csrf_token
{% templatetag closeblock %}</code> template tag inside each POST form that {% templatetag closeblock %}</code> template tag inside each POST form that
targets an internal URL.</li> targets an internal URL.</li>
<li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
<code>csrf_protect</code> on any views that use the <code>csrf_token</code>
template tag, as well as those that accept the POST data.</li>
</ul> </ul>
<p>You're seeing the help section of this page because you have <code>DEBUG = <p>You're seeing the help section of this page because you have <code>DEBUG =

7
docs/ref/contrib/comments/index.txt
View File

@ -216,6 +216,13 @@ should know about:
it with a warning field; if you use the comment form with a custom it with a warning field; if you use the comment form with a custom
template you should be sure to do the same. template you should be sure to do the same.
The comments app also depends on the more general :ref:`Cross Site Request
Forgery protection < ref-contrib-csrf>` that comes with Django. As described in
the documentation, it is best to use ``CsrfViewMiddleware``. However, if you
are not using that, you will need to use the ``csrf_protect`` decorator on any
views that include the comment form, in order for those views to be able to
output the CSRF token and cookie.
.. _honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing) .. _honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
More information More information

34
docs/ref/contrib/csrf.txt
View File

@ -44,9 +44,7 @@ To enable CSRF protection for your views, follow these steps:
Alternatively, you can use the decorator Alternatively, you can use the decorator
``django.views.decorators.csrf.csrf_protect`` on particular views you ``django.views.decorators.csrf.csrf_protect`` on particular views you
want to protect. This is **not recommended** by itself, since if you want to protect (see below).
forget to use it, you will have a security hole. The 'belt and braces'
strategy of using both is fine, and will incur minimal overhead.
2. In any template that uses a POST form, use the ``csrf_token`` tag inside 2. In any template that uses a POST form, use the ``csrf_token`` tag inside
the ``<form>`` element if the form is for an internal URL, e.g.:: the ``<form>`` element if the form is for an internal URL, e.g.::
@ -85,6 +83,30 @@ The utility script ``extras/csrf_migration_helper.py`` can help to automate the
finding of code and templates that may need to be upgraded. It contains full finding of code and templates that may need to be upgraded. It contains full
help on how to use it. help on how to use it.
The decorator method
--------------------
Rather than adding ``CsrfViewMiddleware`` as a blanket protection, you can use
the ``csrf_protect`` decorator, which has exactly the same functionality, on
particular views that need the protection. It must be used **both** on views
that insert the CSRF token in the output, and on those that accept the POST form
data. (These are often the same view function, but not always). It is used like
this::
from django.views.decorators.csrf import csrf_protect
from django.template import RequestContext
@csrf_protect
def my_view(request):
c = {}
# ...
return render_to_response("a_template.html", c,
context_instance=RequestContext(request))
Use of the decorator is **not recommended** by itself, since if you forget to
use it, you will have a security hole. The 'belt and braces' strategy of using
both is fine, and will incur minimal overhead.
Legacy method Legacy method
------------- -------------
@ -182,6 +204,12 @@ above, or they will stop working. (If you cannot update these templates for
some reason, you will be forced to use ``CsrfResponseMiddleware`` for these some reason, you will be forced to use ``CsrfResponseMiddleware`` for these
views to continue working). views to continue working).
Note also, if you are using the comments app, and you are not going to add
``CsrfViewMiddleware`` to your settings (not recommended), you will need to add
the ``csrf_protect`` decorator to any views that include the comment forms and
target the comment views (usually using the :ttag:`comment_form_target` template
tag).
Assuming you have followed the above, all views in your Django site will now be Assuming you have followed the above, all views in your Django site will now be
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements
imposed by the ``CsrfViewMiddleware`` using the template tag, and other imposed by the ``CsrfViewMiddleware`` using the template tag, and other