Hi Aymeric, I agree there is no security vulnerability, because the middleware defaults to safe. That comment should be fixed.
The hard-coding was put there basically to make it easier to use, first for the case of simple migration instructions when this CSRF protection was introduced/changed, and secondly for the ongoing case - anything we could do to streamline the instructions and minimise things that go wrong was considered a good thing, so that we avoid the whole "just disable the CSRF middleware" temptation. Luke On 20/09/14 22:16, Aymeric Augustin wrote: > Hello, > > I'm wondering why django.template.context defines: > > # We need the CSRF processor no matter what the user has in their settings, > # because otherwise it is a security vulnerability, and we can't afford to > leave > # this to human error or failure to read migration instructions. > _builtin_context_processors = ('django.core.context_processors.csrf',) > > and then forcibly prepends it to settings.TEMPLATE_CONTEXT_PROCESSORS. > > If the template context processor was missing, {% csrf_token %} wouldn't > output anything in templates. Then it would be impossible to submit forms, > but that would be a bug. > > The CSRF context processor even has a branch that returns NOTPROVIDED. {% > csrf_token %} specifically tests for this case and doesn't output anything > when it happens. > > So I fail to find the security vulnerability the comment talks about. I > didn't find the answer in: > - > https://github.com/django/django/commit/8e70cef9b67433edd70935dcc30c621d1e7fc0a0 > - https://code.djangoproject.com/ticket/9977 > - https://code.djangoproject.com/wiki/CsrfProtection > > Does anyone remembers the reasoning? > > Thanks, > -- "Cross country skiing is great if you live in a small country." (Steven Wright) Luke Plant || http://lukeplant.me.uk/ -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/542D1670.1010306%40cantab.net. For more options, visit https://groups.google.com/d/optout.