"CSRF verification failed" when sending simple GET request using curl


scabbage

Jan 19, 2011, 2:13:36 AM
to Django users
I'm new to Django. I have installed the latest Django and completed
the four-page tutorial. I created a very simple view as below:

========
from django.http import HttpResponse

def test(request):
    # Reads the name from the query string, e.g. /demo/test?name=Bob
    return HttpResponse('My name is ' + request.GET['name'])
========

I'm able to navigate to "http://localhost:8000/demo/test?name=Bob" and
get the following response:

My name is Bob


However, when I tried this:

$ curl -d "name=Bob" http://localhost:8000/demo/test


I got some errors like this:

========
Forbidden (403)
CSRF verification failed. Request aborted.

Help
Reason given for failure:
No CSRF or session cookie.

...
========

Does anyone have any ideas?

Thanks.

Jirka Vejrazka

Jan 19, 2011, 7:14:07 AM
to django...@googlegroups.com
> However, when I tried this:
>
>    $ curl -d "name=Bob" http://localhost:8000/demo/test

curl -d sends data using the POST method, not GET (see the curl
documentation). Django expects a CSRF token in all POST requests; check
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

HTH

Jirka

Martin Pajuste

Jan 19, 2011, 7:16:08 AM
to django...@googlegroups.com
The -d flag sends the specified data in a POST request to the HTTP server. Since you don't supply a CSRF token, Django assumes the post is malicious.
See more http://docs.djangoproject.com/en/dev/ref/contrib/csrf/?from=olddocs

Martin Pajuste

Jan 19, 2011, 7:24:13 AM
to django...@googlegroups.com
curl -d "name=Bob" -G http://localhost:8000/demo/test

scabbage

Jan 19, 2011, 6:07:04 PM
to Django users
How do I add a CSRF token to curl then?

What if I wanna expose my views as web services without providing a
UI, how do I make sure clients (e.g. Ajax, actionscript, etc) can use
it without this CSRF issue?


Thanks.

Andy McKay

Jan 19, 2011, 6:26:44 PM
to django...@googlegroups.com
> What if I wanna expose my views as web services without providing a
> UI, how do I make sure clients (e.g. Ajax, actionscript, etc) can use
> it without this CSRF issue?

You can mark things as exempt if you'd like to and are aware of the implications:

http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#exceptions
--
Andy McKay
an...@clearwind.ca
twitter: @andymckay

scabbage

Jan 19, 2011, 8:01:42 PM
to Django users
Is there a way to completely disable CSRF handling?

Is there any documentation about how to create web services APIs using
Django without frontends?

Thanks.

On Jan 19, 3:26 pm, Andy McKay <a...@clearwind.ca> wrote:
> > What if I wanna expose my views as web services without providing a
> > UI, how do I make sure clients (e.g. Ajax, actionscript, etc) can use
> > it without this CSRF issue?
>
> You can mark things as exempt if you'd like to and are aware of the implications:
>
> http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#exceptions
> --
>   Andy McKay
>   a...@clearwind.ca
>   twitter: @andymckay

arlolra

Jan 19, 2011, 11:09:21 PM
to django...@googlegroups.com

Daniel Roseman

Jan 20, 2011, 5:19:54 AM
to django...@googlegroups.com
On Wednesday, January 19, 2011 11:07:04 PM UTC, scabbage wrote:
> How do I add a CSRF token to curl then?
>
> What if I wanna expose my views as web services without providing a
> UI, how do I make sure clients (e.g. Ajax, actionscript, etc) can use
> it without this CSRF issue?
>
> Thanks.

AJAX requests are automatically CSRF exempt. See:
--
DR.

Shawn Milochik

Jan 20, 2011, 7:57:06 AM
to django...@googlegroups.com

On Jan 19, 2011, at 8:01 PM, scabbage wrote:

> Is there a way to completely disable CSRF handling?

Sure, just remove the CSRF middleware from your settings.py.


Russell Keith-Magee

Jan 20, 2011, 8:11:47 AM
to django...@googlegroups.com

While this advice is 100% accurate, I would *strongly* caution you
not to follow it.

If someone has a problem losing their house keys, the solution isn't
to remove your front door. Yes, removing the door does remove the need
for keys, but also leaves your house open to the weather, animals,
criminals, and so on. The fix, while it does solve the immediate
problem, makes the overall situation much worse.

Django's CSRF framework exists, and is enabled by default, for a
reason. CSRF attacks are both real and common, and defence against
CSRF is an important part of any serious web deployment.

If you're having difficulty with CSRF, the solution isn't to disable
CSRF. The solution is to work out what CSRF protection means, and how
to use it correctly. Although it's a little esoteric, and a little
unusual if you've come from a web framework that doesn't enforce good
security practices, it isn't *that* hard to use. You would be well
served to understand what is going on, rather than making the CSRF
problem go away by ignoring it.

Yours,
Russ Magee %-)

scabbage

Jan 20, 2011, 3:40:18 PM
to Django users
How do I include a CSRF token in a curl request then? I use curl for
debugging. Cannot seem to find any info on Google :(

On Jan 20, 5:11 am, Russell Keith-Magee <russ...@keith-magee.com>
wrote:

Russell Keith-Magee

Jan 20, 2011, 7:32:21 PM
to django...@googlegroups.com
On Fri, Jan 21, 2011 at 4:40 AM, scabbage <guan...@gmail.com> wrote:
> How do I include a CSRF token in a curl request then? I use curl for
> debugging. Cannot seem to find any info on Google :(

The CSRF token is just a hidden field on your form. When you render
your template, the CSRF token will be included on the rendered page.
Include that token as part of your post data as you would any other
field value.

Yours,
Russ Magee %-)

scabbage

Jan 21, 2011, 12:13:02 PM
to Django users
That's what I'm looking for.

Thanks :)

On Jan 20, 4:32 pm, Russell Keith-Magee <russ...@keith-magee.com>
wrote:

scabbage

Jan 21, 2011, 12:29:53 PM
to Django users
I tried the following:

1. Change everything to use POST
2. Do
$ curl -d "name=Bob&csrfmiddlewaretoken=926ab8c4fca858fdf0c441784687d402" http://localhost:8000/demo/test/

But I'm still getting the same CSRF error. Not sure why.

Also, the token seems to stay the same after restarting the server. Is
this expected?


On Jan 20, 4:32 pm, Russell Keith-Magee <russ...@keith-magee.com>
wrote:
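Why the attempt above still fails: Django's middleware accepts the csrfmiddlewaretoken field only when it matches the csrftoken cookie sent with the same request, and a bare curl -d sends no cookie at all, hence "No CSRF or session cookie." The following is an added Python model of that decision, written for this thread rather than taken from Django or from any poster; the token value is constructed, and the model leaves out details such as the legacy session-cookie fallback.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Rejection reasons as Django's CsrfViewMiddleware reports them;
# the first is the one quoted in the thread.
REASON_NO_COOKIE = "No CSRF or session cookie."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

def csrf_check(method, headers, body, exempt=False):
    """Simplified model of the middleware's decision (not Django's own code).
    `headers` is a dict of request headers, `body` the urlencoded POST data.
    Returns None when the view may run, otherwise the 403 reason string."""
    if exempt or method in SAFE_METHODS:       # @csrf_exempt view, or a GET (`curl -G`)
        return None
    cookies = SimpleCookie(headers.get("Cookie", ""))
    if "csrftoken" not in cookies:             # a bare `curl -d` sends no cookie at all
        return REASON_NO_COOKIE
    expected = cookies["csrftoken"].value
    sent = parse_qs(body).get("csrfmiddlewaretoken", [""])[0]
    # The hidden-field value must equal the cookie value; compare in constant time.
    if not hmac.compare_digest(sent, expected):
        return REASON_BAD_TOKEN
    return None

# Constructed stand-in for the 32-hex-digit token a rendered form carries.
TOKEN = "0123456789abcdef0123456789abcdef"

def replay_thread_attempts():
    """Run the requests discussed in the thread through the model; return name -> outcome."""
    with_token = f"name=Bob&csrfmiddlewaretoken={TOKEN}"
    cookie_hdr = {"Cookie": f"csrftoken={TOKEN}"}
    return {
        # curl http://.../demo/test?name=Bob, or `curl -d "name=Bob" -G ...`: no check
        "get": csrf_check("GET", {}, ""),
        # curl -d "name=Bob" ...: a POST with no cookie jar
        "post_no_cookie": csrf_check("POST", {}, "name=Bob"),
        # token pasted into -d, but still no cookie sent: same failure as above
        "post_token_no_cookie": csrf_check("POST", {}, with_token),
        # cookie present, token omitted (or stale): the other rejection reason
        "post_cookie_no_token": csrf_check("POST", cookie_hdr, "name=Bob"),
        # cookie and matching token together (`curl -b jar -d ...`): accepted
        "post_cookie_and_token": csrf_check("POST", cookie_hdr, with_token),
        # view decorated with @csrf_exempt
        "post_exempt": csrf_check("POST", {}, "name=Bob", exempt=True),
    }
```

With curl, the equivalent is to save the cookie from a GET of the form page with -c jar and send it back with -b jar together with the same value in the csrfmiddlewaretoken field of -d.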

Osiaq

Jan 21, 2011, 9:13:38 PM
to Django users
Maybe decorate the view with @csrf_exempt and test it
like this:

---views.py---

from django.core.context_processors import csrf  # only needed if you keep CSRF on and pass csrf(request) into the context
from django.shortcuts import render_to_response
from django.views.decorators.csrf import csrf_exempt

# ContactForm is your own form class, defined elsewhere in the app (not shown here)

@csrf_exempt  # skips the CSRF check for this one view only
def contact(request):
    form = ContactForm()
    # ...some wicked logic here ...
    return render_to_response('contact.html', {
        'form': form,
    })