
CSRF validation is incomplete #970

Closed
vietj opened this issue Jul 12, 2018 · 3 comments

Comments

@vietj
Contributor

vietj commented Jul 12, 2018

CSRFHandler fails to verify that the valid token also matches the Cookie value.

@vietj vietj added this to the 3.5.3 milestone Jul 12, 2018
@vietj vietj added the bug label Jul 12, 2018
vietj pushed a commit that referenced this issue Jul 12, 2018
@vietj vietj closed this as completed Jul 12, 2018
pmlopes pushed a commit that referenced this issue Jul 12, 2018
#970

(cherry picked from commit 482bc72)

(cherry picked from commit f42b193)
@razzbee

razzbee commented Jul 19, 2018

After upgrading from 3.5.2 to 3.5.3, CSRF is always failing...

@pmlopes
Member

pmlopes commented Jul 19, 2018

@razzbee please update your issue #979 with a reproducer; my guess is that you're not sending the cookie back to the server, which is what this issue fixed. If you don't, then you're open to replay attacks (which this fix fixes). But again, that is my guess, so without a real reproducer I can't really tell.
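The defect described in the issue body and in the comment above, as an added illustration (not code from vert.x-web): the "incomplete" check accepts any token whose signature verifies, so a validly signed token obtained from the attacker's own session can be replayed against another user; the "complete" double-submit check additionally requires the submitted token to equal the cookie the browser sends back. Header and cookie names, the signing secret and the token layout are assumptions for this example, and it also shows why a client that drops the cookie fails the corrected check.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret"
HEADER_NAME = "X-XSRF-TOKEN"   # assumed header name
COOKIE_NAME = "XSRF-TOKEN"     # assumed cookie name


def issue_token(secret: bytes = SECRET) -> str:
    """Mint a token of the form nonce.timestamp.hmac (layout is an assumption)."""
    nonce = secrets.token_urlsafe(16)
    ts = str(int(time.time()))
    sig = hmac.new(secret, f"{nonce}.{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{sig}"


def signature_valid(token: str, secret: bytes = SECRET) -> bool:
    """True when the token is well-formed and its HMAC verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, ts, sig = parts
    expected = hmac.new(secret, f"{nonce}.{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def check_incomplete(headers: dict, cookies: dict) -> bool:
    """Pre-fix behaviour: only the signature is checked, the cookie is ignored."""
    token = headers.get(HEADER_NAME)
    return token is not None and signature_valid(token)


def check_complete(headers: dict, cookies: dict) -> bool:
    """Fixed behaviour: signature must verify AND header token must match the cookie."""
    token = headers.get(HEADER_NAME)
    cookie = cookies.get(COOKIE_NAME)
    if token is None or cookie is None:
        return False
    # compare_digest keeps the equality check constant-time.
    return signature_valid(token) and hmac.compare_digest(token, cookie)
```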

@razzbee

razzbee commented Jul 19, 2018

Added Here
