On Wed, 2007-11-07 at 11:08 -0600, James Bennett wrote:
> If/when we ever do finally sit down and implement an auto-escaping
> proposal, I'd like to suggest we also just go ahead and turn on the
> CSRF middleware by default, because apparently the fact that it isn't
> enabled by default is leading people to scream about security
> vulnerabilities in Django[1], which in turn causes package maintainers
> to email me because the existence of a CVE makes it appear that
> there's an actual problem here (as opposed to the actual report[2]
> which concludes that users should enable the CSRF middleware, and
> whose author -- I thought -- concluded that there was no problem after
> being pointed in the direction of that middleware).

I have quite a different view about the severity of this. Out of the
box, Django has a CSRF vulnerability if you use admin. I'm not inclined
to dismiss this as a nothing event that you can work around by somehow
magically divining that you need to include an optional package if
you're using admin.

Now, it's very disappointing that the original reporter to SecurityFocus
didn't report it to us first, but that only makes the original reporter
irresponsible and unprofessional, not wrong.
I do agree with Chris, though. It's completely unrelated to
auto-escaping (which will land today, most likely, since I've been
merging it and updating it yesterday and the day before).

Not sure if we should build it into admin or make the middleware a
requirement for admin, but this isn't a "dismiss it with a wave of the
hand" situation for me.

> 
> [1] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5828
> [2] http://www.securityfocus.com/archive/1/482983/100/0/threaded

Regards,
Malcolm

-- 
Telepath required. You know where to apply... 
http://www.pointy-stick.com/blog/
