Yes, indeed -- we should do this, and do it quick. CSRFMiddleware is a
hack; this would be quite a bit nicer.
I've not thought this through nearly as much as you or Brian obviously
have, so I'll leave you two to discuss; however, I have one thought...
On Mon, Sep 22, 2008 at 4:16 PM, Simon Willison <si...@simonwillison.net> wrote:
> You've reminded me of another problem with SafeForm: how does it
> interact with ModelForms? Is there a SafeModelForm as well? What about
> FormSets?
This makes me think -- is it possible that CSRF protection at the form
level is too low? Perhaps it's something that needs to be happening
at, say, the view level? Some sort of decorator, and/or a tag to spit
out the CSRF token in the template...
Just a thought, and now I'll butt out and let you two actually get
some work done.
Jacob
On Sep 23, 12:13 pm, oggy <ognjen.ma...@gmail.com> wrote:
> Could we just include something like a signed salt+timestamp
> +REMOTE_ADDR in a hidden field? It's not exactly bulletproof because
> of the possibility of a same-IP-CSRF (affecting people behind
> proxies), but it's dead simple and doesn't require a lot of code
> change: Form -> SafeForm + request as the first parameter to __init__.
> Heck, I'd even trust sed to do it for me ;).
Timestamp and REMOTE_ADDR wouldn't make a proper token unless we also
included the timestamp and REMOTE_ADDR as hidden fields -- the server
needs to be able to *regenerate* the token when the form is submitted
in order to validate the POSTed token.
There is another option, a template tag. I would implement it as a
middleware and a template tag. The template tag csrf_protect will require
CSRFMiddleware and django.core.context_processors.request, will add an
input field containing something derived from {{ request }}, and the
middleware will check and raise HttpForbidden. It's so ugly that it
does not deserve a form validation error in my opinion. This will
require the least amount of changes in existing sites.
--
Amit Upadhyay
Vakow! www.vakow.com
+91-9820-295-512
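The "regenerate to validate" point above, worked through as an added example (this is not code from the thread, from Django, or from any of the posters): a stateless token built from a signed salt + timestamp, with the salt and timestamp carried as hidden fields so the server can recompute the signature on POST. The client IP is taken from the submitting request rather than from a hidden field, which is what actually binds the token to REMOTE_ADDR. The secret key, field names, and one-hour lifetime are assumptions of the example.

```python
import hashlib
import hmac
import html
import secrets
import time
from typing import Dict, Optional

# Assumed server-side secret; in Django this role is played by settings.SECRET_KEY.
SECRET_KEY = b"constructed-secret-for-this-example-only"
# Assumed token lifetime; a shorter window limits replay of a leaked token.
TOKEN_TTL_SECONDS = 3600


def _sign(salt: str, timestamp: int, remote_addr: str) -> str:
    """HMAC over everything the server must be able to reproduce on POST."""
    message = f"{salt}|{timestamp}|{remote_addr}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def make_csrf_fields(remote_addr: str,
                     now: Optional[int] = None,
                     salt: Optional[str] = None) -> Dict[str, str]:
    """Build the hidden fields for a form rendered to `remote_addr`.

    Salt and timestamp travel with the form; REMOTE_ADDR does not, because
    the server reads it from the request that submits the form.
    """
    now = int(time.time()) if now is None else now
    salt = secrets.token_hex(8) if salt is None else salt
    return {
        "csrf_salt": salt,
        "csrf_timestamp": str(now),
        "csrf_token": _sign(salt, now, remote_addr),
    }


def render_hidden_inputs(fields: Dict[str, str]) -> str:
    """What a template tag would emit inside the <form>."""
    return "\n".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )


def verify_csrf(post_data: Dict[str, str], remote_addr: str,
                now: Optional[int] = None) -> bool:
    """Recompute the token from the POSTed salt/timestamp and the live IP.

    Returns False when a field is missing or malformed (the server cannot
    regenerate the token without them), when the token has expired, or when
    the signature does not match.
    """
    try:
        salt = post_data["csrf_salt"]
        timestamp = int(post_data["csrf_timestamp"])
        token = post_data["csrf_token"]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if not 0 <= now - timestamp <= TOKEN_TTL_SECONDS:
        return False
    expected = _sign(salt, timestamp, remote_addr)
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed request data for a stand-alone run.
    fields = make_csrf_fields("10.0.0.5")
    print(render_hidden_inputs(fields))
    print("valid from same IP:", verify_csrf(fields, "10.0.0.5"))
    print("valid from other IP:", verify_csrf(fields, "10.0.0.6"))
```

The remaining weakness is exactly the one oggy flags: everyone behind the same proxy shares a REMOTE_ADDR, so the IP binding adds nothing among them and the token's security rests on the secret key and the salt staying out of an attacker's reach. Dropping the timestamp from the hidden fields makes verification impossible rather than weaker, which is the point made in the reply above.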