#29208: Mistake in the documentation, request.POST['username'] is not working, but request.POST.get('username') is working!
----------------------------------+--------------------------------------
Reporter: Marat Mkhitaryan | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: 2.0
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Comment (by Mogoh Viol):
I stumbled into this just this week and I say this is still a problem and
bad style.
The reason why this is a problem is that it depends on the POST request
the user sends.
''Normally'', what the user sends depends on the form provided by the
server.
But it is trivial to craft a POST request that does not contain a
username or a password or whatever.
A malicious attacker could just provoke an application crash and an
internal server error (which happened to me).
This in itself is of course not a security breach, but an attacker should
never be able to provoke a crash like this.
In my case these curl commands provoked the crash:
This one is for obtaining CSRF cookies and tokens:
{{{
curl -sS --location --cookie-jar cookies.txt http://localhost:8080/en/intern/login/ | grep 'csrfmiddlewaretoken'
}}}
Here we send the POST request omitting the password:
{{{
curl -X POST --data "csrfmiddlewaretoken=<----------TOKEN HERE----------->&username=x" --cookie cookies.txt -sS --location --dump-header - http://localhost:8080/en/intern/login/ -o /dev/null
}}}
And the fix, as Marat Mkhitaryan suggests, is as trivial as the attack.
So please let's change this.
--
Ticket URL: <https://code.djangoproject.com/ticket/29208#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
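An added example (not Django's code and not the reporter's) contrasting the two access patterns the ticket is about. Django's `request.POST` is a `MultiValueDict` whose `__getitem__` raises `MultiValueDictKeyError`, a `KeyError` subclass, for an absent field; the plain-dict stand-in below keeps that `KeyError` behaviour so the example runs without Django installed. The view functions, the `handle` dispatcher and the request bodies are constructed for the example.

```python
from urllib.parse import parse_qs

def parse_form_body(body: str) -> dict:
    """Stand-in for request.POST: last value wins per key, like
    MultiValueDict.__getitem__; missing keys raise KeyError."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def login_unsafe(post: dict) -> tuple:
    # The pattern the ticket objects to: subscript access. A field the
    # client simply left out escapes as KeyError, and Django turns an
    # uncaught exception into an HTTP 500.
    username, password = post['username'], post['password']
    return (200, f'authenticate {username!r}')

def login_safe(post: dict) -> tuple:
    # The pattern suggested in the ticket: .get() yields None for a missing
    # field, so the view can reject the request itself with a 400.
    username = post.get('username')
    password = post.get('password')
    if not username or not password:
        return (400, 'username and password are required')
    return (200, f'authenticate {username!r}')

def handle(body: str, view) -> tuple:
    """Mimics the handler: any exception leaving the view becomes a 500."""
    post = parse_form_body(body)
    try:
        return view(post)
    except Exception as exc:  # Django would log this and render the 500 page
        return (500, f'{type(exc).__name__}: {exc}')

# Constructed bodies: the first mirrors the ticket's crafted request
# (CSRF token and username, no password); the second is a complete form.
CRAFTED = 'csrfmiddlewaretoken=TOKEN-PLACEHOLDER&username=x'
COMPLETE = 'csrfmiddlewaretoken=TOKEN-PLACEHOLDER&username=x&password=y'

if __name__ == '__main__':
    for body in (CRAFTED, COMPLETE):
        print('unsafe:', handle(body, login_unsafe))
        print('safe:  ', handle(body, login_safe))
```

The crafted body gives a 500 with the subscript form and a 400 with `.get()`; a complete form gives 200 under both.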