#26146: CsrfViewMiddleware responds to any arbitrary HTTP method outside of 'GET', 'HEAD', 'OPTIONS', and 'TRACE'
-------------------------------------+-------------------------------------
     Reporter:  finetype             |                    Owner:  nobody
         Type:  Cleanup/optimization |                   Status:  new
    Component:  CSRF                 |                  Version:  1.8
     Severity:  Normal               |               Resolution:
     Keywords:  trace, track, csrf,  |             Triage Stage:  Accepted
                error, page          |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by carljm):

 ISTM that the behavior of the CSRF middleware there is fine; it _should_
 err on the side of being cautious, and assume that any HTTP verb it
 doesn't know for sure is in the "safe" list must be "unsafe" and need CSRF
 protection.

 The question is whether something _else_ in Django should validate that
 the incoming request method is within a list of known methods (and reject
 it with 405 METHOD NOT ALLOWED if not)? The OP doesn't clarify what
 behavior they expected here.

 Anything we would do on that score needs to be opt-in, I think; right now
 AFAIK nothing prevents someone from using Django with custom non-standard
 HTTP verbs, and we shouldn't just break that.

 Personally I'm not sure there's anything here that needs fixing, but I
 guess we could add some kind of `ValidateKnownHttpMethod` middleware that
 people can use if they want, or something.

--
Ticket URL: <https://code.djangoproject.com/ticket/26146#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
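An opt-in validator of the kind carljm sketches, as an added example that is not part of the ticket or of Django itself. It follows Django's `get_response` middleware convention but deliberately does not import Django, so the `Request`/`Response` stand-ins and the `KNOWN_METHODS` default are assumptions of this example; in a real project the 405 would be `django.http.HttpResponseNotAllowed(allowed)`.

```python
# Added example (not Django's code): an opt-in "ValidateKnownHttpMethod"
# middleware that rejects verbs outside a configurable allow-list with 405,
# so unknown verbs never reach the view. Django is not imported; Request and
# Response are minimal stand-ins exposing the attributes Django's objects have.

# Verbs CsrfViewMiddleware treats as "safe" (no CSRF token required).
CSRF_SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Default allow-list (assumed); projects with custom verbs extend it rather
# than having a hard-coded check break them, as the comment above cautions.
KNOWN_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE"}
)


class Request:
    def __init__(self, method):
        self.method = method.upper()  # Django's WSGIRequest upper-cases it too


class Response:
    def __init__(self, status_code, headers=None):
        self.status_code = status_code
        self.headers = headers or {}


def csrf_check_required(method):
    """Mirror the CSRF middleware's rule: anything not known-safe is unsafe."""
    return method.upper() not in CSRF_SAFE_METHODS


def validate_known_http_method(get_response, allowed=KNOWN_METHODS):
    """Middleware factory: 405 with an Allow header for verbs outside `allowed`."""
    allowed = frozenset(m.upper() for m in allowed)

    def middleware(request):
        if request.method not in allowed:
            return Response(405, {"Allow": ", ".join(sorted(allowed))})
        return get_response(request)

    return middleware


def echo_view(request):
    # Stand-in for the view (or the CSRF middleware further down the chain).
    return Response(200, {"X-Method": request.method})


def dispatch(method, allowed=KNOWN_METHODS):
    """Run one request through the middleware; return (status, Allow header)."""
    resp = validate_known_http_method(echo_view, allowed)(Request(method))
    return resp.status_code, resp.headers.get("Allow")
```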
