On Nov 15, 7:55 am, Luke Plant <[EMAIL PROTECTED]> wrote:
> You would have to change the middleware so that it does
> its 'rejection' business in process_view() instead of
> process_request() -- it would check the view for the flag, and require
> the CSRF token if it wasn't found.
>
> To me, this
On Saturday 10 November 2007 17:14:19 Gary Wilson wrote:
> By build it into admin, do you mean build it into newforms?
>
> Possibly changing BaseForm from:
>
> class BaseForm(StrAndUnicode):
> def __init__(self, data=None, files=None, auto_id='id_%s',
> prefix=None, initial=None, error_class=
On 14/11/2007, Chris Green <[EMAIL PROTECTED]> wrote:
>
>
> On Nov 10, 2007 8:58 PM, Malcolm Tredinnick <[EMAIL PROTECTED]>
> wrote:
>
> > Yeah, I'm not really sure what I mean, design-wise. I feel a little
> > uncomfortable about requiring the csrf key all the time in form
> > submissions, but I c
On Nov 10, 2007 8:58 PM, Malcolm Tredinnick <[EMAIL PROTECTED]> wrote:
> Yeah, I'm not really sure what I mean, design-wise. I feel a little
> uncomfortable about requiring the csrf key all the time in form
> submissions, but I can't pin down why yet. As a consequence of that, the
> middleware do
On Sat, 2007-11-10 at 11:14 -0600, Gary Wilson wrote:
> Malcolm Tredinnick wrote:
> > I do agree with Chris, though. It's completely unrelated to
> > auto-escaping (which will land today, most likely, since I've been
> > merging it and updating it yesterday and the day before).
>
> w00t!
For va
Malcolm Tredinnick wrote:
> I do agree with Chris, though. It's completely unrelated to
> auto-escaping (which will land today, most likely, since I've been
> merging it and updating it yesterday and the day before).
w00t!
> Not sure if we should build it into admin or make the middleware a
> re
Hi,
I just switched on the middleware and all my ajax post actions are broken
now. I am going to dive in the source and try to figure out how to generate
a token that I can embed in the page on page load, so that all my
requests go fine. I would appreciate some tips if someone can tell me if
On Wed, 2007-11-07 at 19:11 -0600, James Bennett wrote:
> On Nov 7, 2007 7:08 PM, James Bennett <[EMAIL PROTECTED]> wrote:
> > Which means that this basically boils down to an annoyance attack,
> > changing a user's password without their knowledge. But that's already
> > exposed to anyone who can
On Nov 7, 2007 7:08 PM, James Bennett <[EMAIL PROTECTED]> wrote:
> Which means that this basically boils down to an annoyance attack,
> changing a user's password without their knowledge. But that's already
> exposed to anyone who can guess the user's email address, so anyone
> who simply wants to
On Nov 7, 2007 5:22 PM, Malcolm Tredinnick <[EMAIL PROTECTED]> wrote:
> I have quite a different view about the severity of this. Out of the
> box, Django has a CSRF vulnerability if you use admin. I'm not inclined
> to dismiss this as a nothing event that you can work around by somehow
> magicall
On Wed, 2007-11-07 at 11:08 -0600, James Bennett wrote:
> If/when we ever do finally sit down and implement an auto-escaping
> proposal, I'd like to suggest we also just go ahead and turn on the
> CSRF middleware by default, because apparently the fact that it isn't
> enabled by default is leading
On Nov 8, 6:08 am, "James Bennett" <[EMAIL PROTECTED]> wrote:
> If/when we ever do finally sit down and implement an auto-escaping
> proposal, I'd like to suggest we also just go ahead and turn on the
> CSRF middleware by default
Why do those two have to be tied together?
How about we just def
If/when we ever do finally sit down and implement an auto-escaping
proposal, I'd like to suggest we also just go ahead and turn on the
CSRF middleware by default, because apparently the fact that it isn't
enabled by default is leading people to scream about security
vulnerabilities in Django[1], w