[Django] #26165: Add an FAQ that explains why Django's CSRF isn't vulnerable


Django

Feb 1, 2016, 6:21:13 PM2/1/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
------------------------------------------------+------------------------
Reporter: timgraham | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
It's a common invalid report to the security mailing list.

There are some public threads like
https://groups.google.com/d/topic/django-developers/zpqGUyAdjH8/discussion
but it would be nice to have a canonical answer to point to.

--
Ticket URL: <https://code.djangoproject.com/ticket/26165>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 2, 2016, 2:36:49 PM2/2/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: acemaster
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by acemaster):

* status: new => assigned
* owner: nobody => acemaster


--
Ticket URL: <https://code.djangoproject.com/ticket/26165#comment:1>

Django

Feb 3, 2016, 1:44:32 PM2/3/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: acemaster
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by acemaster):

* stage: Accepted => Ready for checkin


Comment:

FAQ has been made. Branch ticket_26165 on fork acemaster. Link here:
https://github.com/acemaster/django/tree/ticket_26165

--
Ticket URL: <https://code.djangoproject.com/ticket/26165#comment:2>

Django

Feb 3, 2016, 1:47:33 PM2/3/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: acemaster
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* has_patch: 0 => 1
* stage: Ready for checkin => Accepted


Comment:

Please don't mark your own ticket as "Ready for checkin" -- see the
[https://docs.djangoproject.com/en/dev/internals/contributing/triaging-tickets/ triaging guidelines].

I created a [https://github.com/django/django/pull/6081 pull request] from
your branch.

--
Ticket URL: <https://code.djangoproject.com/ticket/26165#comment:3>

Django

Feb 4, 2016, 10:59:54 AM2/4/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: acemaster
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/26165#comment:4>

Django

Feb 5, 2016, 3:27:19 PM2/5/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: acemaster
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/26165#comment:5>

Django

Feb 20, 2016, 2:59:50 AM2/20/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: acemaster
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by zachborboa):

* cc: zachborboa@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/26165#comment:6>

Django

Mar 1, 2016, 9:04:34 AM3/1/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: acemaster
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"a1b1688c7d6c1a6d307bd22669bd20f08e948f8d" a1b1688]:
{{{
#!CommitTicketReference repository=""
revision="a1b1688c7d6c1a6d307bd22669bd20f08e948f8d"
Fixed #26165 -- Added some FAQs about CSRF protection.

Thanks Florian Apolloner and Shai Berger for review.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26165#comment:7>

Django

Mar 1, 2016, 9:04:37 AM3/1/16
to django-...@googlegroups.com
#26165: Add an FAQ that explains why Django's CSRF isn't vulnerable
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: acemaster
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"73d8e646d743aad79d6067ae3d8facf83b1e76a4" 73d8e646]:
{{{
#!CommitTicketReference repository=""
revision="73d8e646d743aad79d6067ae3d8facf83b1e76a4"
[1.9.x] Fixed #26165 -- Added some FAQs about CSRF protection.

Thanks Florian Apolloner and Shai Berger for review.

Backport of a1b1688c7d6c1a6d307bd22669bd20f08e948f8d from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26165#comment:8>
