Re: [Django] #29252: Add CSRF protection to LogoutView

[Django]

#29252: Add CSRF protection to LogoutView
-------------------------------------+-------------------------------------
     Reporter:  Filip Dimitrovski    |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:  denial of            |             Triage Stage:
  service,csrf                       |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Filip Dimitrovski:

Old description:

> The current implementation in django.contrib.auth.views.LogoutView allows
> both GET and POST requests without any CSRF protection. A simple
> {{{
>    <img src="http://djangoapp/logout"; />
> }}}
> on an exploit page could log out the user. While this is a low security
> risk, it's still a DoS issue and could prevent the user from using the
> app.

New description:

 The current implementation in django.contrib.auth.views.LogoutView allows
 both GET and POST requests without any CSRF protection. A simple
 {{{
    <img src="http://djangoapp/logout"; />
 }}}
 on an exploit page could log out the user. While this is a low security
 risk, it's still a DoS issue and could prevent the user from using the
 app.

 Instead of fixing the view, it maybe makes sense to just change the
 
[https://docs.djangoproject.com/en/2.0/topics/auth/default/#django.contrib.auth.views.LogoutView
 docs] to warn the programmer of such a problem and suggest overriding
 LogoutView and changing dispatch().

--

-- 
Ticket URL: <https://code.djangoproject.com/ticket/29252#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/070.dc0aa9746e9bde7664371d7c3751fb1d%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.