getting false-rejection of form-post for CSRF violation

62 views
Skip to first unread message

Bill Seitz

unread,
May 30, 2012, 2:57:54 PM5/30/12
to web.py
I'm trying to build up a newbie-learning app that includes lots of
cookbook stuff. I'm starting from the old 'blog' app.
https://groups.google.com/group/webpy/browse_thread/thread/7ea1c52bc19a46c1

I've put the app in GitHub. https://github.com/BillSeitz/webpy-blog-plus

I've recently added support for CSRF. But I'm getting false-positives
(rejection). Can anyone figure out why?

My notes since starting this app are at:
http://webseitz.fluxent.com/wiki/ExtendingWebpyBlogAppWithCookbookFeatures

Jason Macgowan

unread,
May 30, 2012, 6:53:20 PM5/30/12
to we...@googlegroups.com
Try setting web.config.debug = False and test again; it seems to cause
issues with sessions
> --
> You received this message because you are subscribed to the Google Groups "web.py" group.
> To post to this group, send email to we...@googlegroups.com.
> To unsubscribe from this group, send email to webpy+un...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/webpy?hl=en.
>

Bill Seitz

unread,
May 30, 2012, 8:25:42 PM5/30/12
to web.py
Is the cookbook wrong about the workaround? http://webpy.org/cookbook/session_with_reloader

Plus, making that change did no good.

On May 30, 5:53 pm, Jason Macgowan <jasonmacgo...@gmail.com> wrote:
> Try setting web.config.debug = False and test again; it seems to cause
> issues with sessions
>
>
>
>
>
>
>
> On Wed, May 30, 2012 at 2:57 PM, Bill Seitz <flux...@gmail.com> wrote:
> > I'm trying to build up a newbie-learning app that includes lots of
> > cookbook stuff. I'm starting from the old 'blog' app.
> >https://groups.google.com/group/webpy/browse_thread/thread/7ea1c52bc1...
>
> > I've put the app in GitHub.https://github.com/BillSeitz/webpy-blog-plus
>
> > I've recently added support for CSRF. But I'm getting false-positives
> > (rejection). Can anyone figure out why?
>
> > My notes since starting this app are at:
> >http://webseitz.fluxent.com/wiki/ExtendingWebpyBlogAppWithCookbookFea...

Jason Macgowan

unread,
May 30, 2012, 9:45:32 PM5/30/12
to we...@googlegroups.com
Ah..I didn't read your code thoroughly enough.

Alas, I have found the problem though:

t_globals['csrf_token'] = csrf_token is only run once (when you run
blog.py) while your csrf_protect decorator is run at every request.
This may not be the BEST solution, but changing the GET request in the
New class to reassign t_globals for each request made it work for me:

class New:
# ...
def GET(self):
t_globals['csrf_token'] = csrf_token()
form = self.form()
return render.new(form)
#...

Bill Seitz

unread,
May 31, 2012, 11:06:09 AM5/31/12
to web.py
Yes, of course!

Hmm, under a scenario where someone's opening multiple forms at the
same time (e.g. opening edit forms for multiple blog posts and moving
text around before saving any), you'd actually want instance-specific
tokens, right? (I'm not going to worry about that case for now, but I
could see it being an issue, right?)

On May 30, 8:45 pm, Jason Macgowan <jasonmacgo...@gmail.com> wrote:
> Ah..I didn't read your code thoroughly enough.
>
> Alas, I have found the problem though:
>
> t_globals['csrf_token'] = csrf_token is only run once (when you run
> blog.py) while your csrf_protect decorator is run at every request.
> This may not be the BEST solution, but changing the GET request in the
> New class to reassign t_globals for each request made it work for me:
>
> class New:
>  # ...
>     def GET(self):
>         t_globals['csrf_token'] = csrf_token()
>         form = self.form()
>         return render.new(form)
> #...
>
>
>
>
>
>
>
> On Wed, May 30, 2012 at 8:25 PM, Bill Seitz <flux...@gmail.com> wrote:
> > Is the cookbook wrong about the workaround?http://webpy.org/cookbook/session_with_reloader

Jason Macgowan

unread,
May 31, 2012, 11:39:36 AM5/31/12
to we...@googlegroups.com
I suppose holding a list of valid uuid's in session and "pop"ing them after they are used could work.  Security is not my strong suit, but I don't think that would raise any issues
Reply all
Reply to author
Forward
0 new messages