Mercurial Mercurial > py_tasks_melange / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
thirdparty/google_appengine/lib/django/docs/csrf.txt
author Mario Ferraro <fadinlight@gmail.com>
Sun, 15 Nov 2009 22:12:20 +0100
changeset 3093 d1be59b6b627
parent 109 620f9b141567
permissions -rw-r--r--
GMaps related JS changed to use new google namespace. Google is going to change permanently in the future the way to load its services, so better stay safe. Also this commit shows uses of the new melange.js module. Fixes Issue 634.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
109
620f9b141567 Load ../../google_appengine into trunk/thirdparty/google_appengine.
Todd Larsen <tlarsen@google.com>
parents:
diff changeset 
     1
 
=====================================
620f9b141567 Load ../../google_appengine into trunk/thirdparty/google_appengine.
Todd Larsen <tlarsen@google.com>
parents:
diff changeset 
     2
 
Cross Site Request Forgery protection
620f9b141567 Load ../../google_appengine into trunk/thirdparty/google_appengine.
Todd Larsen <tlarsen@google.com>
parents:
diff changeset 
     3
 
=====================================
620f9b141567 Load ../../google_appengine into trunk/thirdparty/google_appengine.
Todd Larsen <tlarsen@google.com>
parents:
diff changeset 
     4
 












620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     5


The CsrfMiddleware class provides easy-to-use protection against













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     6


`Cross Site Request Forgeries`_.  This type of attack occurs when a malicious













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     7


web site creates a link or form button that is intended to perform some action













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     8


on your web site, using the credentials of a logged-in user who is tricked













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




     9


into clicking on the link in their browser.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    10














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    11


The first defense against CSRF attacks is to ensure that GET requests













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    12


are side-effect free.  POST requests can then be protected by adding this













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    13


middleware into your list of installed middleware.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    14














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    15


.. _Cross Site Request Forgeries:  http://www.squarefree.com/securitytips/web-developers.html#CSRF













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    16














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    17


How to use it













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    18


=============













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    19














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    20


Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    21


your list of middleware classes, ``MIDDLEWARE_CLASSES``. It needs to process













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    22


the response after the SessionMiddleware, so must come before it in the













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    23


list. It also must process the response before things like compression













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    24


happen to the response, so it must come after GZipMiddleware in the list.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    25














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    26


How it works













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    27


============













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    28














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    29


CsrfMiddleware does two things:













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    30














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    31


1. It modifies outgoing requests by adding a hidden form field to all













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    32


   'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    33


   a hash of the session ID plus a secret. If there is no session ID set,













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    34


   this modification of the response isn't done, so there is very little













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    35


   performance penalty for those requests that don't have a session.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    36














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    37


2. On all incoming POST requests that have the session cookie set, it













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    38


   checks that the 'csrfmiddlewaretoken' is present and correct. If it













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    39


   isn't, the user will get a 403 error.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    40














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    41


This ensures that only forms that have originated from your web site













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    42


can be used to POST data back.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    43














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    44


It deliberately only targets HTTP POST requests (and the corresponding













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    45


POST forms). GET requests ought never to have side effects (if you are













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    46


using HTTP GET and POST correctly), and so a CSRF attack with a GET













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    47


request will always be harmless.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    48














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    49


POST requests that are not accompanied by a session cookie are not protected,













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    50


but they do not need to be protected, since the 'attacking' web site













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    51


could make these kind of requests anyway.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    52














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    53


The Content-Type is checked before modifying the response, and only













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    54


pages that are served as 'text/html' or 'application/xml+xhtml'













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    55


are modified.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    56














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    57


Limitations













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    58


===========













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    59














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    60


CsrfMiddleware requires Django's session framework to work. If you have













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    61


a custom authentication system that manually sets cookies and the like,













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    62


it won't help you.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    63














620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    64


If your app creates HTML pages and forms in some unusual way, (e.g.













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    65


it sends fragments of HTML in javascript document.write statements)













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    66


you might bypass the filter that adds the hidden field to the form,













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    67


in which case form submission will always fail.  It may still be possible













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    68


to use the middleware, provided you can find some way to get the













620f9b141567
Load ../../google_appengine into trunk/thirdparty/google_appengine.



Todd Larsen <tlarsen@google.com>


parents: 

diff
changeset




    69


CSRF token and ensure that is included when your form is submitted.














py_tasks_melange