Mercurial Mercurial > py_tasks_melange / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
thirdparty/google_appengine/lib/django/docs/csrf.txt
author Lennard de Rijk <ljvderijk@gmail.com>
Sat, 05 Sep 2009 14:04:24 +0200
changeset 2862 27971a13089f
parent 109 620f9b141567
permissions -rw-r--r--
Fixed Ivory Coast rename that was introduced in r74f0972f52.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
109
620f9b141567 Load ../../google_appengine into trunk/thirdparty/google_appengine.
Todd Larsen <tlarsen@google.com>
parents:
diff changeset 
     1
 
=====================================
620f9b141567 Load ../../google_appengine into trunk/thirdparty/google_appengine.
Todd Larsen <tlarsen@google.com>
parents:
diff changeset 
     2
 
Cross Site Request Forgery protection
620f9b141567 Load ../../google_appengine into trunk/thirdparty/google_appengine.
Todd Larsen <tlarsen@google.com>
parents:
diff changeset 
     3
 
=====================================
620f9b141567 Load ../../google_appengine into trunk/thirdparty/google_appengine.
Todd Larsen <tlarsen@google.com>
parents:
diff changeset 
     4
 












620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     5


The CsrfMiddleware class provides easy-to-use protection against













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     6


`Cross Site Request Forgeries`_.  This type of attack occurs when a malicious













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     7


web site creates a link or form button that is intended to perform some action













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     8


on your web site, using the credentials of a logged-in user who is tricked













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     9


into clicking on the link in their browser.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    10














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    11


The first defense against CSRF attacks is to ensure that GET requests













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    12


are side-effect free.  POST requests can then be protected by adding this













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    13


middleware into your list of installed middleware.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    14














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    15


.. _Cross Site Request Forgeries:  http://www.squarefree.com/securitytips/web-developers.html#CSRF













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    16














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    17


How to use it













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    18


=============













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    19














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    20


Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    21


your list of middleware classes, ``MIDDLEWARE_CLASSES``. It needs to process













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    22


the response after the SessionMiddleware, so must come before it in the













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    23


list. It also must process the response before things like compression













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    24


happen to the response, so it must come after GZipMiddleware in the list.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    25














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    26


How it works













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    27


============













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    28














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    29


CsrfMiddleware does two things:













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    30














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    31


1. It modifies outgoing requests by adding a hidden form field to all













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    32


   'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    33


   a hash of the session ID plus a secret. If there is no session ID set,













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    34


   this modification of the response isn't done, so there is very little













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    35


   performance penalty for those requests that don't have a session.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    36














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    37


2. On all incoming POST requests that have the session cookie set, it













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    38


   checks that the 'csrfmiddlewaretoken' is present and correct. If it













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    39


   isn't, the user will get a 403 error.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    40














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    41


This ensures that only forms that have originated from your web site













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    42


can be used to POST data back.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    43














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    44


It deliberately only targets HTTP POST requests (and the corresponding













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    45


POST forms). GET requests ought never to have side effects (if you are













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    46


using HTTP GET and POST correctly), and so a CSRF attack with a GET













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    47


request will always be harmless.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    48














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    49


POST requests that are not accompanied by a session cookie are not protected,













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    50


but they do not need to be protected, since the 'attacking' web site













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    51


could make these kind of requests anyway.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    52














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    53


The Content-Type is checked before modifying the response, and only













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    54


pages that are served as 'text/html' or 'application/xml+xhtml'













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    55


are modified.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    56














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    57


Limitations













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    58


===========













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    59














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    60


CsrfMiddleware requires Django's session framework to work. If you have













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    61


a custom authentication system that manually sets cookies and the like,













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    62


it won't help you.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    63














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    64


If your app creates HTML pages and forms in some unusual way, (e.g.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    65


it sends fragments of HTML in javascript document.write statements)













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    66


you might bypass the filter that adds the hidden field to the form,













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    67


in which case form submission will always fail.  It may still be possible













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    68


to use the middleware, provided you can find some way to get the













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    69


CSRF token and ensure that is included when your form is submitted.














py_tasks_melange