Feedback #24496 - Check CSRF Referer against CSRF_COOKIE_DOMAIN
Ticket and patch have been submitted regarding this:

https://code.djangoproject.com/ticket/24496
https://github.com/django/django/pull/4337

Since this is related to CSRF and technically weakening the strictness of the Referer check, Tim Graham suggested soliciting feedback here to get more eyeballs and feedback. Please let me know if there's more context needed that can be added to the ticket.

My tl;dr is that Django should allow a Referer match across a subdomain, rather than requiring an exact match against `request.get_host()`, since cookies are allowed to be set on subdomains as well. This is similar in vein to ALLOWED_HOSTS, except Django would purely validate against the CSRF_COOKIE_DOMAIN.

Thanks. <3

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/461ac976-18f5-4c40-9e10-0f15cd0eb3f5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
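To make the trade-off in the proposal concrete, the following is an added Python sketch of the two Referer decisions being compared: the strict check against `request.get_host()` and the proposed check against a cookie-style CSRF_COOKIE_DOMAIN. It is illustration only, not the patch in the linked pull request or Django's own middleware; the function names, the `request_host` and `csrf_cookie_domain` parameters and the sample hostnames are assumptions made for the example.

```python
from urllib.parse import urlsplit


def host_matches_domain(host, domain):
    """Match a hostname against a cookie-style domain string.

    A domain with a leading dot (".example.com") covers the bare domain and
    every subdomain, which is the set of hosts a cookie set on that domain is
    sent to. A domain without a leading dot must match exactly. Matching is on
    whole DNS labels, so "evil-example.com" never matches ".example.com".
    """
    host = host.lower()
    domain = domain.lower()
    if domain.startswith("."):
        bare = domain[1:]
        return host == bare or host.endswith("." + bare)
    return host == domain


def referer_allowed(referer, request_host, csrf_cookie_domain=None):
    """Decide whether a Referer header may accompany a secure POST.

    Returns (allowed, reason). The Referer must be an https URL with a host.
    Without a cookie domain the Referer's host must equal request_host, as the
    strict check does; with one, any host the CSRF cookie would be sent to is
    accepted, on the argument that such a host can already read the cookie.
    (request_host stands in for request.get_host(); csrf_cookie_domain mirrors
    the CSRF_COOKIE_DOMAIN setting. Both are assumptions of this example.)
    """
    if not referer:
        return False, "missing referer"
    parts = urlsplit(referer)
    if parts.scheme != "https" or not parts.netloc:
        return False, "malformed referer"
    if csrf_cookie_domain is None:
        # Strict behaviour: scheme, host and port must all match exactly.
        return parts.netloc == request_host, "strict host match"
    # Proposed behaviour: compare hostnames only, since ports play no part in
    # cookie scoping, and accept anything inside the cookie domain.
    if host_matches_domain(parts.hostname or "", csrf_cookie_domain):
        return True, "within cookie domain"
    return False, "outside cookie domain"


if __name__ == "__main__":
    for ref, dom in [("https://app.example.com/form", None),
                     ("https://app.example.com/form", ".example.com"),
                     ("https://evil-example.com/", ".example.com")]:
        print(ref, dom, referer_allowed(ref, "www.example.com", dom))
```

The last case is the point of the whole-label comparison: a naive `endswith("example.com")` would let `evil-example.com` through, while the dotted comparison does not. The widened check still trusts every host under the cookie domain, which is exactly the weakening the ticket acknowledges; it is only as safe as the set of subdomains that can already receive the CSRF cookie.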
Re: secret key from file...
What we use is a settings.cfg, which is an ini file for global configurations. Database settings, etc. We need to share these settings across different languages and parts of our application.

You can set up your ini file as such:

    [secret]
    key=abcdefghijklmnopqrstuvwxyz0123456789

ini files are easy to parse with the ConfigParser in Python. You can simply parse it in your settings.py:

    import ConfigParser
    config = ConfigParser.ConfigParser()
    config.readfp(open('../settings.cfg'))
    SECRET_KEY = config.get('secret', 'key')
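As an added example (not the poster's code), here is the same ini-file approach written for Python 3's `configparser`, with the checks a deployment would want around a secret that lives outside version control: the loader refuses a file readable by other users, a missing section or key, and a key shorter than a minimum length, instead of silently starting with a weak or empty SECRET_KEY. The sample config, the 50-character minimum and the helper names are assumptions of this example.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample settings.cfg in the layout the post describes.
SAMPLE_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN"
SAMPLE_CFG = f"[secret]\nkey = {SAMPLE_KEY}\n"

# Assumed minimum; Django's startproject generates keys of this length.
MIN_KEY_LENGTH = 50


def load_secret_key(path, min_length=MIN_KEY_LENGTH):
    """Read SECRET_KEY from the [secret] section of an ini file, failing closed.

    Raises PermissionError if the file is group- or world-readable,
    RuntimeError if the section or key is missing, and ValueError if the key
    is too short. Interpolation is disabled so a '%' in the key is not
    mangled by ConfigParser's substitution syntax.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/others; chmod 600 it")
    config = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as fh:
        config.read_file(fh)
    try:
        key = config.get("secret", "key")
    except (configparser.NoSectionError, configparser.NoOptionError) as exc:
        raise RuntimeError(f"{path} lacks a [secret] section with a key entry") from exc
    if len(key) < min_length:
        raise ValueError(f"SECRET_KEY in {path} is shorter than {min_length} characters")
    return key


def try_load(cfg_text, mode=0o600, min_length=MIN_KEY_LENGTH):
    """Write cfg_text to a temporary file with the given mode and report the outcome.

    Returns ("ok", key) or ("rejected", reason); used to show each failure path.
    """
    fd, path = tempfile.mkstemp(suffix=".cfg")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(cfg_text)
        os.chmod(path, mode)
        try:
            return "ok", load_secret_key(path, min_length)
        except (PermissionError, RuntimeError, ValueError) as exc:
            return "rejected", str(exc)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(try_load(SAMPLE_CFG))
    print(try_load(SAMPLE_CFG, mode=0o644))
    print(try_load("[secret]\nkey = short\n"))
    print(try_load("[database]\nname = app\n"))
```

In a real settings.py the call would be `SECRET_KEY = load_secret_key(os.path.join(BASE_DIR, "settings.cfg"))`, with the file deployed at mode 0600 and owned by the application user; the point of raising rather than falling back is that a misdeployed secret shows up as a failed start, not as a running site with a guessable key.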
Re: secret key from file...
Why not just do an import for your custom settings?

    try:
        from site_settings import *
    except ImportError:
        pass

On Mar 22, 2011, at 5:51 PM, Ian Kelly wrote:

> On Tue, Mar 22, 2011 at 6:44 AM, Kristaps Kūlis wrote:
>> I personally would greatly appreciate an update in the docs to show the "best
>> way" to handle per environment settings / sensitive settings, as now
>> there are many ways :)
>> Consider when one has his local development environment with locmem
>> cache and sqlite3 db, and staging server with MySQL / memcache and
>> production cluster with MySQL (different credentials) and memcache
>> cluster. In settings.py most deployment specific stuff is left blank
>> and on deployment {staging/production}_settings.py is created with
>> from settings import * and then overriding per env settings :).
>> Actually it took me far too much googling to find "how" and "what" to
>> do, at least I believe that such stuff should be put in docs to make
>> django more sysadmin friendly.
>
> I don't know what the best way is, but I will share what we do. In
> addition to the regular settings.py we have site_settings.py (which is
> not under version control) in the same directory. Then at the end of
> settings.py we add this simple code:
>
>     # Run a separate python file not in version control for database
>     # settings and other sensitive information.
>     from os.path import dirname, join
>     execfile(join(dirname(__file__), 'site_settings.py'))
>
> Cheers,
> Ian
Re: secret key from file...
That's just interesting. I've never seen the use of `execfile()` before. We use a devsettings.py and use it to override an individual server or local settings, and then on the live/deployed server, no devsettings.py is even included. Hence the try...except wrapped around it. It's a nice little pattern that gets us by, but yes, things like this do show that there needs to be one overall "recommended" method for maintaining separate settings on a per server/environment basis.

On Mar 22, 2011, at 7:05 PM, Ian Kelly wrote:

> On Tue, Mar 22, 2011 at 4:49 PM, Matt Robenolt wrote:
>> Why not just do an import for your custom settings?
>>
>>     try:
>>         from site_settings import *
>>     except ImportError:
>>         pass
>
> No particularly compelling reason that I know of, the import machinery
> is just unnecessary in this case. The site_settings.py is viewed as
> an extension of the settings.py, so it doesn't need to be loaded as a
> module in its own right. And for the same reason we know exactly
> where we expect the file to be, so there's no need to consult
> sys.path.
>
> I suppose it just comes down to a matter of taste.
>
> Cheers,
> Ian
Re: Django urls in JavaScript
How could this even begin to be solved without incurring another http request to resolve the url pattern? The only way I can imagine it is if we had a generic /resolve/ path that took some get parameters to return a full URL, or even have it translate to a 301 redirect, but that'll get messy with POSTs.
Re: Django urls in JavaScript
So you're basically proposing to write a Javascript library that is a translation of URLResolver, and essentially have a dynamic "Javascript" file that could be included that would contain your URL patterns? Just trying to make sure we're on the same page.
Re: Django urls in JavaScript
There's also the problem of selecting which urls are "published" in this file and which aren't. Any ideas for that? I'm sure lots of people wouldn't want their entire sitemap exposed to the public in one large js file.
Re: Django urls in JavaScript
I think the biggest problem with translating the reverse() lookup is the lack of kwargs and named capture groups in Javascript regex. So a pattern such as:

    /page/(?P<page_id>\d+)/

would not translate whatsoever. Then on the Javascript side, we wouldn't be able to use:

    reverse('goto_page', [], {page_id: 5});

It would have nowhere to map up the page_id variable to. We could probably get away with some sort of pseudo regex rules in Javascript.
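One way around both problems raised in this thread, the kwargs mapping and the question of which urls get published, is to do the named-group work on the server and ship the browser only placeholders. The following is an added Python example, not the library being discussed and not Django's own reverse(): it exports only an allow-list of named patterns, rewrites each `(?P<name>...)` group into a `{name}` placeholder while keeping the group's sub-regex, and then reverses by kwargs while validating each value against that sub-regex. The sample patterns, the `PUBLISHED` allow-list and the helper names are assumptions of this example.

```python
import re

# Constructed sample patterns in Django's named-group style (not a real project's urls).
URL_PATTERNS = {
    "goto_page": r"^page/(?P<page_id>\d+)/$",
    "user_profile": r"^users/(?P<username>[\w.@+-]+)/$",
    "admin_index": r"^admin/$",
}

# Only names listed here are exported to the browser; everything else stays private.
PUBLISHED = {"goto_page", "user_profile"}

# Matches one Python named group and captures its name and inner sub-regex.
# The inner part allows any non-paren character or an escaped paren.
NAMED_GROUP = re.compile(r"\(\?P<(?P<name>\w+)>(?P<inner>(?:[^()]|\\[()])+)\)")


def export_patterns(patterns, published):
    """Turn published named-group patterns into kwarg-friendly templates.

    Each exported entry looks like
        {"template": "page/{page_id}/", "args": {"page_id": r"\d+"}}
    so a client does not need named capture groups at all: it substitutes
    placeholders and can still validate each kwarg with the original sub-regex.
    """
    exported = {}
    for name, regex in patterns.items():
        if name not in published:
            continue  # not on the allow-list: never leaves the server
        args = {}

        def repl(match):
            args[match.group("name")] = match.group("inner")
            return "{" + match.group("name") + "}"

        template = NAMED_GROUP.sub(repl, regex).lstrip("^").rstrip("$")
        exported[name] = {"template": template, "args": args}
    return exported


def reverse(exported, name, **kwargs):
    """Build a path from an exported template, the way a JS port would.

    Rejects unknown names, a kwarg set that does not match the pattern, and
    any value that fails its sub-regex, so "5/../admin" cannot be smuggled in
    as a page_id.
    """
    entry = exported[name]
    expected = set(entry["args"])
    if set(kwargs) != expected:
        raise KeyError(f"{name} expects kwargs {sorted(expected)}, got {sorted(kwargs)}")
    for arg, value in kwargs.items():
        if not re.fullmatch(entry["args"][arg], str(value)):
            raise ValueError(f"{arg}={value!r} does not match {entry['args'][arg]}")
    return "/" + entry["template"].format(**kwargs)


if __name__ == "__main__":
    exported = export_patterns(URL_PATTERNS, PUBLISHED)
    print(exported)
    print(reverse(exported, "goto_page", page_id=5))
```

The exported dictionary is what a patterns.js would serialise; `admin_index` never appears in it, which answers the sitemap-exposure worry without any client-side logic, and the per-argument validation keeps the client-side reverse() from building paths the server-side pattern would never have matched.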
Re: Django urls in JavaScript
It could just be a combo of both. There'd be one file for the urlresolver.js, and a patterns.js. Interesting. Now, could the patterns in Python be translated to Javascript properly? I'll do some playing around today and see if I can come up with some basics. Even if this doesn't land in Django core, it could be a nice library.
Re: Django urls in JavaScript
Ahh, I missed that from your original post. I like that. :)