Hi,

> Today we've released Django 1.3.1 and Django 1.2.6 to deal with
> several security issues reported to us. Details of these issues and
> the releases, along with several important advisory notes, are
> available in the blog post on djangoproject.com:
>
> https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

I've been thinking about the problems caused by the CSRF cookies being settable by other servers sharing the same domain name, as mentioned at the URL above:

> Advisory: Cross-subdomain CSRF attacks
>
> Due to the nature of HTTP cookies, a cookie can be set from a subdomain
> which will be valid for the entire domain. This means that an attacker
> who controls a subdomain can, for example, set a CSRF cookie which will
> be valid for the entire domain.

If I understand it correctly, our CSRF protection works by putting the same random nonce in a form field and a cookie. The protection comes from the fact that the bad guy can only control the form field but not the cookie. But in the case above, he can control the cookie too and the protection fails. Is that correct?

Would it not be possible to move the second instance of the nonce (that will be compared to the form field) from a cookie to a session variable (at least when a session is available)? Would that result in other problems instead?

/ Kent Engström

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
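To make the comparison in the post concrete, here is an added illustrative model (not Django's own csrf middleware code) of the cookie-based double-submit check beside the session-bound variant Kent proposes; the function names, field names and sample values are assumptions made for this example.

```python
import hmac
import secrets

# Constructed model of the check described in the post: the server issues a
# random nonce as both a cookie and a hidden form field and accepts the POST
# only if the two match. Illustrative only, not Django's implementation.

def issue_nonce():
    """Server side: generate the nonce placed in the cookie and the form."""
    return secrets.token_hex(16)

def check_cookie_based(cookies, form):
    """Double-submit check: the form nonce must equal the csrftoken cookie."""
    cookie_nonce = cookies.get("csrftoken")
    form_nonce = form.get("csrfmiddlewaretoken")
    if not cookie_nonce or not form_nonce:
        return False
    return hmac.compare_digest(cookie_nonce, form_nonce)

def check_session_based(session, form):
    """Variant from the post: compare the form nonce against one held in the
    server-side session, which no cookie-setting host can overwrite."""
    session_nonce = session.get("csrf_nonce")
    form_nonce = form.get("csrfmiddlewaretoken")
    if not session_nonce or not form_nonce:
        return False
    return hmac.compare_digest(session_nonce, form_nonce)

def cross_subdomain_scenario():
    """Advisory case: cookie and form field both carry a value chosen by a
    host that can set cookies for the parent domain (constructed values)."""
    planted = "a" * 32
    cookies = {"csrftoken": planted, "sessionid": "legit-session"}
    form = {"csrfmiddlewaretoken": planted}
    session = {"csrf_nonce": issue_nonce()}  # the real session never issued it
    return {"cookie_check": check_cookie_based(cookies, form),
            "session_check": check_session_based(session, form)}

def legitimate_scenario():
    """Normal case: one server-issued nonce shared by cookie, form and session."""
    nonce = issue_nonce()
    cookies = {"csrftoken": nonce}
    form = {"csrfmiddlewaretoken": nonce}
    session = {"csrf_nonce": nonce}
    return {"cookie_check": check_cookie_based(cookies, form),
            "session_check": check_session_based(session, form)}
```

The cookie-based check accepts the planted pair while the session-bound check rejects it, which is the difference the post is asking about.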