CSRF Header broken on uWSGI


Camilo Nova

Mar 7, 2011, 6:56:07 PM
to Django developers
Hi, I'm currently on:

- Django version 1.3 rc 1
- uWSGI 0.9.6.8
- Python 2.6.5
- jQuery 1.5.1

This is the configuration of my production server, where I have an
application that does simple operations on data; the general case is to
have a form and send data over POST.

Everything works fine until I try to make an AJAX call to a single view
that pulls some data from the DB. When I access my view in a non-AJAX way
it returns the data, but when I try to get it via AJAX the uWSGI process
hangs until it is killed.

I use this snippet (from http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax):
    $('html').ajaxSend(function(event, xhr, settings) {
        function getCookie(name) {
            var cookieValue = null;
            if (document.cookie && document.cookie != '') {
                var cookies = document.cookie.split(';');
                for (var i = 0; i < cookies.length; i++) {
                    var cookie = jQuery.trim(cookies[i]);
                    // Does this cookie string begin with the name we want?
                    if (cookie.substring(0, name.length + 1) == (name + '=')) {
                        cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                        break;
                    }
                }
            }
            return cookieValue;
        }
        if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
            // Only send the token to relative URLs i.e. locally.
            xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
        }
    });

Locally it works great, but in production it fails. First I discovered
that this snippet won't work on jQuery 1.5, it only works on jQuery 1.5.1;
it seems good to me to put that in the docs, so people don't waste time
as I did.

It works fine on my production server using this snippet:
    $('html').ajaxSend(function (event, xhr, settings) {
        function getCookie(name) {
            var cookieValue = null;
            if (document.cookie && document.cookie !== '') {
                var cookies = document.cookie.split(';');
                for (var i = 0; i < cookies.length; i++) {
                    var cookie = $.trim(cookies[i]);
                    // Does this cookie string begin with the name we want?
                    if (cookie.substring(0, name.length + 1) === (name + '=')) {
                        cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                        break;
                    }
                }
            }
            return cookieValue;
        }
        if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
            // Only send the token to relative URLs i.e. locally.
            //xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
            // Fallback: send the token as the csrfmiddlewaretoken form field
            // by appending it to the request body. jQuery leaves settings.data
            // undefined (not null) when the call passed no data, so test with
            // == null to cover both cases.
            if (settings.data == null) {
                settings.data = '';
            }
            settings.data = settings.data + (settings.data ? '&' : '') +
                'csrfmiddlewaretoken=' + getCookie('csrftoken');
        }
    });

To me it seems like a problem when Django reads the request header, or
something like that. I would like to share this and see if we can find a
solution, because for me using the header is cleaner than sending the
CSRF value in the data.

What do you guys think?

Gabriel Hurley

Mar 8, 2011, 12:59:02 AM
to django-d...@googlegroups.com
From the information you've given I can't say what's causing your process to hang, but as to your other point about jQuery... yes, jQuery 1.5.0 had a legitimate bug that prevented headers from being properly set on AJAX requests. It was one of the reasons they pushed out the 1.5.1 release so quickly. In general we haven't documented cases where specific point releases of third party libraries had known bugs, but since I got bit by this as well I'm more inclined than usual to make an exception. Obviously, though, the impact of that problem will decrease over time as people catch up on newer jQuery releases.

All the best,

    - Gabriel

Camilo Nova

Mar 9, 2011, 8:07:19 AM
to Django developers
Gabriel, thanks for your response.

How can I test the code that does this CSRF verification from the
header? From my other tests this only happens after Django made a fix in
the latest security release.

I would like to make a test environment; where can I start to look?

On Mar 8, 12:59 am, Gabriel Hurley <gab...@gmail.com> wrote:
> From the information you've given I can't say what's causing your process to
> hang, but as to your other point about jQuery... yes, jQuery 1.5.0 had a
> legitimate bug <http://bugs.jquery.com/ticket/8360> that prevented headers

Luke Plant

Mar 9, 2011, 1:06:12 PM
to django-d...@googlegroups.com
On 09/03/11 13:07, Camilo Nova wrote:
> Gabriel, thanks for your response.
>
> How can I test the code that does this CSRF verification from the
> header? From my other tests this only happens after Django made a fix in
> the latest security release.
>
> I would like to make a test environment; where can I start to look?

It sounds like you are asking how you can write a test that will catch
this kind of problem. Since this is an AJAX issue, your test will have
to include browser automation of some kind, like Selenium. But this is
not django-developers territory now...

Other tests for the CSRF verification are included in Django's own test
suite, in tests/regressiontests/csrf_tests.

Luke

--
"Despair: It's always darkest just before it goes pitch black."
(despair.com)

Luke Plant || http://lukeplant.me.uk/
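Added illustration for this thread (not one of the replies, and not Django's own code): a self-contained Python model of the server half of what the first post and the "how can I test the header" question discuss. It shows how a WSGI server such as uWSGI hands the X-CSRFToken header to Django as META['HTTP_X_CSRFTOKEN'] (the CGI rule: upper-case, hyphens to underscores, HTTP_ prefix), and the lookup order CsrfViewMiddleware uses for unsafe methods: the csrfmiddlewaretoken POST field first, then the header, compared against the csrftoken cookie. This server-side half can be exercised without a browser; the jQuery side still needs one, as Luke says. The helper names, the sample token and the three sample requests are constructed for this example, it omits Django's HTTPS referer check, and it says nothing about the uWSGI hang.

```python
"""Model of the server side of Django's CSRF check for AJAX requests.

Added illustration, not Django's own code. Helper names, the sample token
and the sample requests below are constructed for this example.
"""
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "csrftoken"
FORM_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def wsgi_environ(method, raw_headers, body=b""):
    """Turn raw request headers into a WSGI environ the way a WSGI server does.

    CGI/WSGI rule: upper-case the name, replace '-' with '_', prefix 'HTTP_'
    (Content-Type and Content-Length are the exceptions and get no prefix).
    So a client header 'X-CSRFToken: abc' becomes environ['HTTP_X_CSRFTOKEN'].
    """
    environ = {"REQUEST_METHOD": method, "wsgi.input": body}
    for name, value in raw_headers:
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            environ[key] = value
        else:
            environ["HTTP_" + key] = value
    return environ


def submitted_token(environ):
    """Token the client sent: the POST form field first, the header second."""
    ctype = environ.get("CONTENT_TYPE", "")
    body = environ.get("wsgi.input", b"")
    if (environ["REQUEST_METHOD"] == "POST"
            and ctype.startswith("application/x-www-form-urlencoded") and body):
        fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)
        if FORM_FIELD in fields:
            return fields[FORM_FIELD][0]
    return environ.get("HTTP_X_CSRFTOKEN", "")


def cookie_token(environ):
    """Value of the csrftoken cookie, or '' when the cookie is absent."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return jar[COOKIE_NAME].value if COOKIE_NAME in jar else ""


def check_csrf(environ):
    """Return (accepted, reason) for one request."""
    if environ["REQUEST_METHOD"] in SAFE_METHODS:
        return True, "safe method, token not required"
    expected = cookie_token(environ)
    if not expected:
        return False, "CSRF cookie not set"
    got = submitted_token(environ)
    # Constant-time comparison so a mismatch does not leak where it differed.
    if not hmac.compare_digest(got.encode("utf-8"), expected.encode("utf-8")):
        return False, "CSRF token missing or incorrect"
    return True, "token accepted"


def demo():
    """Three constructed POSTs: token in the header, in the form field, absent."""
    token = "f6a2d3c9b1e04e7a8c5d2b1a9f8e7d6c"  # constructed sample value
    cookie = ("Cookie", COOKIE_NAME + "=" + token)
    via_header = wsgi_environ("POST", [cookie, ("X-CSRFToken", token)])
    via_field = wsgi_environ(
        "POST",
        [cookie, ("Content-Type", "application/x-www-form-urlencoded")],
        ("q=1&" + FORM_FIELD + "=" + token).encode("utf-8"),
    )
    no_token = wsgi_environ("POST", [cookie])
    return {
        "header": check_csrf(via_header)[0],
        "field": check_csrf(via_field)[0],
        "none": check_csrf(no_token)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-6s -> %s" % (name, "accepted" if ok else "rejected"))
```

If a deployment really were dropping the header, the quickest check is to dump request.META in the AJAX view and look for the HTTP_X_CSRFTOKEN key: if it is missing there, the header never reached Django, which points at the client (the jQuery 1.5.0 bug Gabriel mentions) or the server in front of it rather than at the middleware.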
