That's the same ticket as this one, which is more recent and has been
open for longer...

https://code.djangoproject.com/ticket/15619

FWIW, I agree we need to fix this.

On Fri, Sep 21, 2012 at 6:56 AM, Aymeric Augustin
<aymeric.augus...@polytechnique.org> wrote:
> Le 20 sept. 2012 à 20:03, Carl Meyer <c...@oddbird.net> a écrit :
>
>> FWIW I agree, and I think #7989 should be reopened. I do logout-via-POST
>> on all my projects nowadays to avoid logout CSRF, and it's really quite
>> simple. You can easily style a form button to look however you want
>> (including just like a link), so there's really no negative impact
>> besides slightly more markup in the template.
>
> I'm also in favor of reconsidering #7989, because Django has become a 
> widely-used, general-purpose framework, and it has a responsibility to 
> promote good practices.
>
> For instance, readthedocs.org simply uses django.contrib.auth by the book 
> [1], and thus is vulnerable to logout XSRF. (Disqus and Pinterest aren't 
> vulnerable and RTD.org is the next site that crossed my mind — I'm not 
> picking on RTD.org in any way.)
>
> Django should provide as much built-in security as possible, especially for 
> low-budget sites that can't afford security consultants.
>
>> The only irritating bit is that the Django admin implements its own
>> logout via GET, so you have to subclass AdminSite to fix that if you're
>> using the admin.
>
>
> Let's update the admin base template and logout view to use POST.
>
> --
> Aymeric.
>
>
> [1] https://docs.djangoproject.com/en/dev/topics/auth/ says:
>
>> For example, using the defaults, add the following line to your URLconf:
>> (r'^accounts/login/$', 'django.contrib.auth.views.login'),
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to 
> django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/django-developers?hl=en.
>

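To make the logout-CSRF point from Carl's and Aymeric's messages concrete, here is an added example that is not part of the thread and not Django's own code: a framework-free stand-in for a session-backed logout view, written in plain Python so it runs without Django installed. It puts the GET-based logout next to a POST-only logout that checks a per-session CSRF token. The `sessionid` cookie name and the `csrfmiddlewaretoken` form field follow Django's conventions; the `Request`, `Session`, `SESSIONS` and `simulate` names are constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


# Constructed stand-ins for a framework's request and server-side session
# objects (not Django's classes); enough to show the two logout patterns.
@dataclass
class Request:
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    post: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    user: Optional[str]
    csrf_token: str


SESSIONS: Dict[str, Session] = {}


def login(username: str) -> str:
    """Create a server-side session and return the session-id cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=username, csrf_token=secrets.token_urlsafe(32))
    return sid


def session_for(request: Request) -> Optional[Session]:
    return SESSIONS.get(request.cookies.get("sessionid", ""))


def logout_via_get(request: Request) -> int:
    """The pattern the thread objects to: any request that carries the session
    cookie ends the session, and browsers attach cookies to cross-site GETs."""
    sess = session_for(request)
    if sess is not None:
        sess.user = None
    return 302  # redirect to the logged-out page


def logout_via_post(request: Request) -> int:
    """Hardened form: POST only, and the form must carry the session's CSRF
    token. A third-party page can make the browser send the cookie, but it
    cannot read the token that the site's own template embeds in the form."""
    if request.method != "POST":
        return 405
    sess = session_for(request)
    if sess is None or sess.user is None:
        return 302  # nothing to do; already logged out
    submitted = request.post.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted, sess.csrf_token):
        return 403
    sess.user = None
    return 302


def is_logged_in(sid: str) -> bool:
    sess = SESSIONS.get(sid)
    return sess is not None and sess.user is not None


def simulate() -> Dict[str, object]:
    """Walk through the cases the thread discusses and report each outcome."""
    results: Dict[str, object] = {}

    # Case 1: GET logout. The cookie rides along automatically, so a request
    # triggered from another site is enough to end the victim's session.
    sid = login("alice")
    results["get_status"] = logout_via_get(Request("GET", {"sessionid": sid}))
    results["get_still_logged_in"] = is_logged_in(sid)

    # Case 2: POST-only logout hit by a cross-site form: cookie present,
    # token absent, so the session survives.
    sid = login("alice")
    forged = Request("POST", {"sessionid": sid}, {})
    results["forged_post_status"] = logout_via_post(forged)
    results["forged_post_still_logged_in"] = is_logged_in(sid)

    # A plain GET against the POST-only view is refused outright.
    results["get_on_post_view_status"] = logout_via_post(Request("GET", {"sessionid": sid}))

    # Case 3: the site's own logout form, rendered with the session's token.
    token = SESSIONS[sid].csrf_token
    legit = Request("POST", {"sessionid": sid}, {"csrfmiddlewaretoken": token})
    results["legit_post_status"] = logout_via_post(legit)
    results["legit_post_still_logged_in"] = is_logged_in(sid)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The markup side that Carl mentions is just a form with the token field and a submit button styled as a link; the server-side check above is what makes the GET-triggered case fail while the site's own form still works. In a real Django project the same behaviour comes from `require_POST` plus the CSRF middleware on the logout view rather than from hand-rolled token handling.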