Two {% csrf_token %} processed for _accounts/settings. Is this an issue?

Al Go

Jan 9, 2022, 4:16:59 PM
to django...@googlegroups.com
Hello,

I'm a complete newbie and discovering the codebase. Inspect element in http://127.0.0.1:8000/_accounts/settings/ (when running the testproject) shows two identical hidden input fields with name="csrfmiddlewaretoken". They seem to be generated by two occurrences of {% csrf_token %}:
- The first is in the template wiki/templates/wiki/accounts/account_settings.html, end of line 8
- The second is in the template wiki/templates/wiki/includes/form.html, beginning of line 1
The second template is included in the first one ({% csrf_token %} is immediately followed by {% wiki_form form %} on the next line).

Should/could the first occurrence above be removed? I'm guessing this would NOT cause any actual bug either way,

Cheers,
Algorobot42

PS: I tried asking on #django, but kept getting the following error with the in-browser Libera IRC client: "Cannot join channel (+r) - you need to be logged into your NickServ account"

Robbi Nespu

Jan 11, 2022, 8:59:28 PM
to django...@googlegroups.com


On 10/1/2022 4:56 am, Al Go wrote:
> PS: I tried asking on #django, but kept getting the following error with
> the in-browser Libera IRC client: "Cannot join channel (+r) - you need
> to be logged into your NickServ account"

You need to log in on IRC; the channel sets that rule (as is normal, to
fight bots).

+r means you won’t be able to join it unless you are registered and
identified to NickServ. You can follow steps on
https://libera.chat/guides/registration for registration

> Inspect element in http://127.0.0.1:8000/_accounts/settings/ (when running the testproject) shows two identical hidden input fields with name="csrfmiddlewaretoken". They seem to be generated by two occurrences of {% csrf_token %}:

CSRF middleware is activated by default

> Should/could the first occurrence above be removed? I'm guessing this would NOT cause any actual bug either way,

If your form's POST target is an external website/URL, then it should be
removed, because it causes a leak of the CSRF token, which is considered
a vulnerability.

If your form's target is internal, you can remove it, but it is better to
keep it as a defense against CSRF attacks.

Read https://docs.djangoproject.com/en/4.0/ref/csrf/ for more
information; you might find something there.

Regarding having more than one CSRF token: it looks wrong. There should
only be one token per form, like the example at
https://paste.debian.net/plain/1226800. As I understand it, we should
only send a single CSRF token in the HTTP header.

Do you get any exception when you submit the form that has two CSRF tokens?


--
Regards
Robbi Nespu

PGP: D311 B5FF EEE6 0BE8 9C91 FA9E 0C81 FA30 3B3A 80BA
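To make the question in this thread concrete, here is an added example (written for this page; it is not Django's source and not the wiki project's code) that mirrors the way Django's CsrfViewMiddleware validates the csrfmiddlewaretoken field: read one value from the POST body, reject bad length or alphabet, unmask the 64-character token back to the 32-character secret, and constant-time compare it with the secret from the csrftoken cookie. It assumes the Django 4.0-style masked token format and that, like Django's QueryDict.get(), a repeated form key yields the last submitted value; the secrets and POST bodies are constructed inline.

```python
"""
Constructed demonstration of Django-style CSRF token checking.
Not Django's own code: the masking scheme and the ".get() returns the last
value" behaviour are re-implemented here as stated assumptions.
"""
import secrets
import string
from hmac import compare_digest
from urllib.parse import parse_qs

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_csrf_secret() -> str:
    """32 random characters from the allowed alphabet, i.e. the csrftoken cookie value."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Build one 64-char form token: a fresh random mask followed by
    (secret + mask) mod 62 per character. Each render gets a different mask,
    which is why a masked token never reveals the secret byte-for-byte."""
    mask = new_csrf_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)] for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Reverse mask_secret: subtract the mask character-wise, mod 62."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)] for c, m in zip(cipher, mask)
    )


def csrf_check(cookie_secret: str, post_body: str) -> tuple:
    """Return (accepted, reason) for a form-encoded POST body.

    Assumption (mirrors Django's request.POST.get on a MultiValueDict): when
    csrfmiddlewaretoken appears more than once, only the LAST value is looked
    at. The count of fields is never checked; only that one value must unmask
    to the cookie secret."""
    fields = parse_qs(post_body, keep_blank_values=True)
    values = fields.get("csrfmiddlewaretoken", [])
    if not values:
        return False, "CSRF token missing"
    token = values[-1]
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return False, "CSRF token has incorrect length or invalid characters"
    if not compare_digest(unmask_token(token), cookie_secret):
        return False, "CSRF token incorrect"
    return True, "ok"


def demo() -> dict:
    """Run the thread's scenarios on constructed data and return the verdicts."""
    secret = new_csrf_secret()
    page_token = mask_secret(secret)  # both {% csrf_token %} tags render this same value
    stale = mask_secret(new_csrf_secret())  # token issued against some other cookie
    return {
        # one field, the normal case
        "single": csrf_check(secret, f"csrfmiddlewaretoken={page_token}&email=a%40example.org"),
        # the duplicate from account_settings.html + includes/form.html: identical values
        "duplicate_identical": csrf_check(
            secret, f"csrfmiddlewaretoken={page_token}&csrfmiddlewaretoken={page_token}"
        ),
        # two valid tokens with different masks: still accepted, only the last is read
        "duplicate_two_masks": csrf_check(
            secret, f"csrfmiddlewaretoken={page_token}&csrfmiddlewaretoken={mask_secret(secret)}"
        ),
        # a good token followed by a stale one: rejected, because the last value wins
        "duplicate_last_stale": csrf_check(
            secret, f"csrfmiddlewaretoken={page_token}&csrfmiddlewaretoken={stale}"
        ),
        "missing": csrf_check(secret, "email=a%40example.org"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The duplicate field on the settings page is therefore harmless to the check itself: both inputs carry the same value and only one is compared. The one thing duplication does change is the surface on which the token appears, which is why the reply's point about an external POST target still stands: any copy of the field sent to a third-party URL leaks a valid masked token for the cookie secret.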