[Django] #29252: Add CSRF protection to LogoutView

[Django]

#29252: Add CSRF protection to LogoutView
-------------------------------------+-------------------------------------
Reporter: Filip | Owner: nobody
Dimitrovski |
Type: Bug | Status: new
Component: | Version: master
contrib.auth | Keywords: denial of
Severity: Normal | service,csrf
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The current implementation in django.contrib.auth.views.LogoutView allows
both GET and POST requests without any CSRF protection. A simple
{{{
<img src="http://djangoapp/logout" />
}}}
on an exploit page could log out the user. While this is a low security
risk, it's still a DoS issue and could prevent the user from using the
app.

--
Ticket URL: <https://code.djangoproject.com/ticket/29252>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#29252: Add CSRF protection to LogoutView
-------------------------------------+-------------------------------------

Reporter: Filip Dimitrovski | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: denial of | Triage Stage:
service,csrf | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Filip Dimitrovski):

* easy: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/29252#comment:1>

[Django]

#29252: Add CSRF protection to LogoutView
-------------------------------------+-------------------------------------

Reporter: Filip Dimitrovski | Owner: nobody
Type: Bug | Status: new

Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: denial of | Triage Stage:
service,csrf | Unreviewed

Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Filip Dimitrovski:

Old description:

> The current implementation in django.contrib.auth.views.LogoutView allows
> both GET and POST requests without any CSRF protection. A simple
> {{{
> <img src="http://djangoapp/logout" />
> }}}
> on an exploit page could log out the user. While this is a low security
> risk, it's still a DoS issue and could prevent the user from using the
> app.

New description:

The current implementation in django.contrib.auth.views.LogoutView allows
both GET and POST requests without any CSRF protection. A simple
{{{
<img src="http://djangoapp/logout" />
}}}
on an exploit page could log out the user. While this is a low security
risk, it's still a DoS issue and could prevent the user from using the
app.

Instead of fixing the view, it maybe makes sense to just change the
[https://docs.djangoproject.com/en/2.0/topics/auth/default/#django.contrib.auth.views.LogoutView
docs] to warn the programmer of such a problem and suggest overriding
LogoutView and changing dispatch().

--

--
Ticket URL: <https://code.djangoproject.com/ticket/29252#comment:2>

[Django]

#29252: Add CSRF protection to LogoutView
-------------------------------------+-------------------------------------

Reporter: Filip Dimitrovski | Owner: nobody

Type: Bug | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: duplicate

Keywords: denial of | Triage Stage:
service,csrf | Unreviewed

Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Tim Graham):

* status: new => closed
* resolution: => duplicate

Comment:

Duplicate of #15619.

--
Ticket URL: <https://code.djangoproject.com/ticket/29252#comment:3>