[1.1.X] Fixed #10996 - documented login CSRF vulnerabilities in the CsrfMiddleware

1.1.X branch only fix - trunk is completely different now.



git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@11662 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 97ee7a3baf89690ded3a13843d8f9c86fbb1e857 1 parent d2b6f6c
Luke Plant authored October 27, 2009

Showing 1 changed file with 8 additions and 2 deletions.

10  docs/ref/contrib/csrf.txt
@@ -91,8 +91,8 @@ effects (see `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`_), and so a
91 91
 CSRF attack with a GET request ought to be harmless.
92 92
 
93 93
 POST requests that are not accompanied by a session cookie are not protected,
94  
-but they do not need to be protected, since the 'attacking' Web site
95  
-could make these kind of requests anyway.
  94
+but since these requests are not authenticated, they will usually be of limited
  95
+risk.
96 96
 
97 97
 The Content-Type is checked before modifying the response, and only
98 98
 pages that are served as 'text/html' or 'application/xml+xhtml'
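Review bot: The replacement text at new lines 94-95 says unauthenticated POSTs "will usually be of limited risk" but does not say when that fails to hold, so a reader has no way to tell whether their case is the exception. The same patch adds a Login CSRF paragraph further down in this file, which is exactly that exception: a POST sent without a session cookie that still matters. Suggest naming it here, for example by ending the sentence with a pointer such as "(but see the note on Login CSRF below)", so the two statements read as one consistent position rather than a general reassurance followed later by a caveat.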
@@ -116,6 +116,12 @@ CsrfMiddleware requires Django's session framework to work. If you have
116 116
 a custom authentication system that manually sets cookies and the like,
117 117
 it won't help you.
118 118
 
  119
+The middleware only partially protects against 'Login CSRF'.  If you have used
  120
+standard Django views for logging in, then you will be protected, due to the way
  121
+they work (the session must be established in the step before actually logging
  122
+in, so the login step itself is protected).  If you have used a different way to
  123
+log in, you may be vulnerable to Login CSRF.
  124
+
119 125
 If your app creates HTML pages and forms in some unusual way, (e.g.
120 126
 it sends fragments of HTML in JavaScript document.write statements)
121 127
 you might bypass the filter that adds the hidden field to the form,
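Review bot: The paragraph added at new lines 119-123 uses the term 'Login CSRF' without defining it and ends on "you may be vulnerable" with no guidance on what to do about it. Suggest one sentence saying what the term means (a forged login request that signs the victim's browser in to an account chosen by the attacker), and one sentence turning the parenthetical into advice: a custom login view is covered only if the session is already established before the login POST is processed, as the text says is the case for the standard views. "A different way to log in" is also broad; it would help to say whether this means any view other than the standard Django login views, or only those that create the session in the same request as the login.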
