Fixed #12130 - documented need for csrf_protect on views that don't accept POST

Includes:
   
 * proper documentation for csrf_protect
 * notes in comments app.
 * specific upgrade notes for comments app

Thanks to carljm for report and debugging.




git-svn-id: http://code.djangoproject.com/svn/django/trunk@11711 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 53b2c3867b5720b2586f5b63978ca2835e7dfb5d 1 parent 585b7ac
Luke Plant authored November 03, 2009
5  django/views/csrf.py
@@ -39,6 +39,11 @@
39 39
     <li>In the template, there is a <code>{% templatetag openblock %} csrf_token
40 40
     {% templatetag closeblock %}</code> template tag inside each POST form that
41 41
     targets an internal URL.</li>
  42
+
  43
+    <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
  44
+    <code>csrf_protect</code> on any views that use the <code>csrf_token</code>
  45
+    template tag, as well as those that accept the POST data.</li>
  46
+
42 47
   </ul>
43 48
 
44 49
   <p>You're seeing the help section of this page because you have <code>DEBUG =
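Review bot: the new `<li>` is padded with an empty `+` line above and below it, while the neighbouring `<li>` items in this `<ul>` follow each other directly; dropping the two blank lines keeps the list's formatting consistent. The wording itself is correct and matches the docs change in this commit: without `CsrfViewMiddleware`, `csrf_protect` is needed on the view that renders the `csrf_token` tag, not only on the one that accepts the POST.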
7  docs/ref/contrib/comments/index.txt
@@ -216,6 +216,13 @@ should know about:
216 216
       it with a warning field; if you use the comment form with a custom
217 217
       template you should be sure to do the same.
218 218
 
  219
+The comments app also depends on the more general :ref:`Cross Site Request
  220
+Forgery protection < ref-contrib-csrf>` that comes with Django.  As described in
  221
+the documentation, it is best to use ``CsrfViewMiddleware``.  However, if you
  222
+are not using that, you will need to use the ``csrf_protect`` decorator on any
  223
+views that include the comment form, in order for those views to be able to
  224
+output the CSRF token and cookie.
  225
+
219 226
 .. _honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
220 227
 
221 228
 More information
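Review bot: the cross-reference `:ref:`Cross Site Request Forgery protection < ref-contrib-csrf>`` has a space between `<` and the label name; the explicit-title form is `<ref-contrib-csrf>` with no space, and the stray space risks the reference not resolving in the Sphinx build. Suggest `Forgery protection <ref-contrib-csrf>`` and checking the docs build output for an unresolved-reference warning.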
34  docs/ref/contrib/csrf.txt
@@ -44,9 +44,7 @@ To enable CSRF protection for your views, follow these steps:
44 44
 
45 45
        Alternatively, you can use the decorator
46 46
        ``django.views.decorators.csrf.csrf_protect`` on particular views you
47  
-       want to protect.  This is **not recommended** by itself, since if you
48  
-       forget to use it, you will have a security hole.  The 'belt and braces'
49  
-       strategy of using both is fine, and will incur minimal overhead.
  47
+       want to protect (see below).
50 48
 
51 49
     2. In any template that uses a POST form, use the ``csrf_token`` tag inside
52 50
        the ``<form>`` element if the form is for an internal URL, e.g.::
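Review bot: the replacement line ends in "(see below)", a bare forward reference to the "The decorator method" section this commit adds further down in the same file. That works today, but a `:ref:` label on the new section would keep the pointer valid if the sections are later reordered. Not blocking.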
@@ -85,6 +83,30 @@ The utility script ``extras/csrf_migration_helper.py`` can help to automate the
85 83
 finding of code and templates that may need to be upgraded.  It contains full
86 84
 help on how to use it.
87 85
 
  86
+The decorator method
  87
+--------------------
  88
+
  89
+Rather than adding ``CsrfViewMiddleware`` as a blanket protection, you can use
  90
+the ``csrf_protect`` decorator, which has exactly the same functionality, on
  91
+particular views that need the protection.  It must be used **both** on views
  92
+that insert the CSRF token in the output, and on those that accept the POST form
  93
+data. (These are often the same view function, but not always).  It is used like
  94
+this::
  95
+
  96
+    from django.views.decorators.csrf import csrf_protect
  97
+    from django.template import RequestContext
  98
+
  99
+    @csrf_protect
  100
+    def my_view(request):
  101
+        c = {}
  102
+        # ...
  103
+        return render_to_response("a_template.html", c,
  104
+                                   context_instance=RequestContext(request))
  105
+
  106
+Use of the decorator is **not recommended** by itself, since if you forget to
  107
+use it, you will have a security hole.  The 'belt and braces' strategy of using
  108
+both is fine, and will incur minimal overhead.
  109
+
88 110
 Legacy method
89 111
 -------------
90 112
 
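Review bot: the example under "The decorator method" calls `render_to_response` but only imports `csrf_protect` and `RequestContext`, so copied verbatim it fails with `NameError`; add `from django.shortcuts import render_to_response` beside the other imports. The `# ...` placeholder could also note why `RequestContext(request)` is passed, since the surrounding text says the decorator must be on views that "insert the CSRF token in the output" but does not say what in the example makes that happen.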
@@ -182,6 +204,12 @@ above, or they will stop working.  (If you cannot update these templates for
182 204
 some reason, you will be forced to use ``CsrfResponseMiddleware`` for these
183 205
 views to continue working).
184 206
 
  207
+Note also, if you are using the comments app, and you are not going to add
  208
+``CsrfViewMiddleware`` to your settings (not recommended), you will need to add
  209
+the ``csrf_protect`` decorator to any views that include the comment forms and
  210
+target the comment views (usually using the :ttag:`comment_form_target` template
  211
+tag).
  212
+
185 213
 Assuming you have followed the above, all views in your Django site will now be
186 214
 protected by the ``CsrfViewMiddleware``.  Contrib apps meet the requirements
187 215
 imposed by the ``CsrfViewMiddleware`` using the template tag, and other
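Review bot: "Note also, if you are using the comments app, and you are not going to add ``CsrfViewMiddleware`` to your settings (not recommended), you will need to add ..." reads awkwardly; suggest "Note also that if you use the comments app and do not add ``CsrfViewMiddleware`` to your settings (not recommended), you will need to add ...". This paragraph also restates the note added to docs/ref/contrib/comments/index.txt in the same commit; a `:ref:` from one to the other would avoid the two copies drifting apart.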
