Don't know if a DOS attack is possible by sending many request with very long
CSRF tokens?
IMHO it's a good idea to check the length before do anything with it.
e.g.:
------------------------------------------------------------------------------
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index b5a8579..8e03635 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -72,7 +72,10 @@ def get_token(request):
def _sanitize_token(token):
# Allow only alphanum, and ensure we return a 'str' for the sake of the post
# processing middleware.
- token = re.sub('[^a-zA-Z0-9]', '', str(token.decode('ascii', 'ignore')))
+ if len(token) != 32:
+ token = ""
+ else:
+ token = re.sub('[^a-zA-Z0-9]', '', str(token.decode('ascii', 'ignore')))
if token == "":
# In case the cookie has been truncated to nothing at some point.
return _get_new_csrf_key()
------------------------------------------------------------------------------
--
Mfg.
Jens Diemer
Hi Jens,
On 09/12/2011 10:20 AM, Jens Diemer wrote:
>
> I wonder that the CSRF token send from the client didn't be validated.
Well, it is sanitized to only alphanumeric characters, but you're right
that the length is never checked.
> Don't know if a DOS attack is possible by sending many request with very
> long CSRF tokens?
>
> IMHO it's a good idea to check the length before do anything with it.
Sanity-checking the length sounds reasonable to me - do you mind opening
a ticket for this and attaching your patch?
Thanks,
Carl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5ubHQACgkQ8W4rlRKtE2frrQCgr8HhCPKaPGKyTocUGnmiU9Ku
ekYAoNgZqJ/n4SJnd1tD2Zkpeb/+du47
=ZWv6
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-d...@googlegroups.com.
To unsubscribe from this group, send email to django-develop...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-d...@googlegroups.com.
> To unsubscribe from this group, send email to
> django-develop...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
>
>
--
Sent from my mobile device
Done ;)
Ticked:
https://code.djangoproject.com/ticket/16827
Patch:
https://github.com/django/django/pull/45