Author: lukeplant
Date: 2009-03-19 18:14:20 -0500 (Thu, 19 Mar 2009)
New Revision: 10094
Modified:
django/trunk/django/conf/global_settings.py
django/trunk/django/conf/project_template/settings.py
django/trunk/docs/ref/contrib/csrf.txt
django/trunk/docs/releases/1.1-alpha-1.txt
Log:
Added CSRF middleware to default settings and updated docs.
Updated docs to reflect the change, and the fact that using the
two separate middleware is preferred to using the combined one.
Modified: django/trunk/django/conf/global_settings.py
===================================================================
--- django/trunk/django/conf/global_settings.py 2009-03-19 22:46:49 UTC (rev
10093)
+++ django/trunk/django/conf/global_settings.py 2009-03-19 23:14:20 UTC (rev
10094)
@@ -301,10 +301,12 @@
# this middleware classes will be applied in the order given, and in the
# response phase the middleware will be applied in reverse order.
MIDDLEWARE_CLASSES = (
+# 'django.middleware.gzip.GZipMiddleware',
+ 'django.contrib.csrf.middleware.CsrfViewMiddleware',
+ 'django.contrib.csrf.middleware.CsrfResponseMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
# 'django.middleware.http.ConditionalGetMiddleware',
-# 'django.middleware.gzip.GZipMiddleware',
'django.middleware.common.CommonMiddleware',
)
Modified: django/trunk/django/conf/project_template/settings.py
===================================================================
--- django/trunk/django/conf/project_template/settings.py 2009-03-19
22:46:49 UTC (rev 10093)
+++ django/trunk/django/conf/project_template/settings.py 2009-03-19
23:14:20 UTC (rev 10094)
@@ -59,6 +59,8 @@
MIDDLEWARE_CLASSES = (
'django.middleware.common.CommonMiddleware',
+ 'django.contrib.csrf.middleware.CsrfViewMiddleware',
+ 'django.contrib.csrf.middleware.CsrfResponseMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
)
Modified: django/trunk/docs/ref/contrib/csrf.txt
===================================================================
--- django/trunk/docs/ref/contrib/csrf.txt 2009-03-19 22:46:49 UTC (rev
10093)
+++ django/trunk/docs/ref/contrib/csrf.txt 2009-03-19 23:14:20 UTC (rev
10094)
@@ -7,46 +7,47 @@
.. module:: django.contrib.csrf
:synopsis: Protects against Cross Site Request Forgeries
-The CsrfMiddleware class provides easy-to-use protection against
-`Cross Site Request Forgeries`_. This type of attack occurs when a malicious
-Web site creates a link or form button that is intended to perform some action
-on your Web site, using the credentials of a logged-in user who is tricked
-into clicking on the link in their browser.
+The CsrfMiddleware classes provides easy-to-use protection against
+`Cross Site Request Forgeries`_. This type of attack occurs when a
+malicious Web site creates a link or form button that is intended to
+perform some action on your Web site, using the credentials of a
+logged-in user who is tricked into clicking on the link in their
+browser.
The first defense against CSRF attacks is to ensure that GET requests
-are side-effect free. POST requests can then be protected by adding this
-middleware into your list of installed middleware.
+are side-effect free. POST requests can then be protected by adding
+these middleware into your list of installed middleware.
.. _Cross Site Request Forgeries:
http://www.squarefree.com/securitytips/web-developers.html#CSRF
How to use it
=============
-Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
-your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to
process
-the response after the SessionMiddleware, so must come before it in the
-list. It also must process the response before things like compression
-happen to the response, so it must come after GZipMiddleware in the
-list.
+Add the middleware
+``'django.contrib.csrf.middleware.CsrfViewMiddleware'`` and
+``'django.contrib.csrf.middleware.CsrfResponseMiddleware'`` to your
+list of middleware classes,
+:setting:`MIDDLEWARE_CLASSES`. ``CsrfResponseMiddleware`` needs to
+process the response after the ``SessionMiddleware``, so must come
+before it in the list. It also must process the response before
+things like compression happen to the response, so it must come after
+``GZipMiddleware`` in the list.
-The ``CsrfMiddleware`` class is actually composed of two middleware:
-``CsrfViewMiddleware`` which performs the checks on incoming requests,
-and ``CsrfResponseMiddleware`` which performs post-processing of the
-result. This allows the individual components to be used and/or
-replaced instead of using ``CsrfMiddleware``.
+The ``CsrfMiddleware`` class, which combines the two classes, is also
+available, for backwards compatibility with Django 1.0.
.. versionchanged:: 1.1
- (previous versions of Django did not provide these two components
- of ``CsrfMiddleware`` as described above)
+ previous versions of Django did not provide these two components
+ of ``CsrfMiddleware`` as described above.
Exceptions
----------
.. versionadded:: 1.1
-To manually exclude a view function from being handled by the
-CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in
-the ``django.contrib.csrf.middleware`` module. For example::
+To manually exclude a view function from being handled by either of
+the two CSRF middleware, you can use the ``csrf_exempt`` decorator,
+found in the ``django.contrib.csrf.middleware`` module. For example::
from django.contrib.csrf.middleware import csrf_exempt
@@ -54,12 +55,12 @@
return HttpResponse('Hello world')
my_view = csrf_exempt(my_view)
-Like the middleware itself, the ``csrf_exempt`` decorator is composed
-of two parts: a ``csrf_view_exempt`` decorator and a
-``csrf_response_exempt`` decorator, found in the same module. These
-disable the view protection mechanism (``CsrfViewMiddleware``) and the
-response post-processing (``CsrfResponseMiddleware``) respectively.
-They can be used individually if required.
+Like the middleware, the ``csrf_exempt`` decorator is composed of two
+parts: a ``csrf_view_exempt`` decorator and a ``csrf_response_exempt``
+decorator, found in the same module. These disable the view
+protection mechanism (``CsrfViewMiddleware``) and the response
+post-processing (``CsrfResponseMiddleware``) respectively. They can
+be used individually if required.
You don't have to worry about doing this for most AJAX views. Any
request sent with "X-Requested-With: XMLHttpRequest" is automatically
@@ -68,7 +69,7 @@
How it works
============
-CsrfMiddleware does two things:
+The CSRF middleware do two things:
1. It modifies outgoing requests by adding a hidden form field to all
'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is
@@ -112,9 +113,9 @@
Limitations
===========
-CsrfMiddleware requires Django's session framework to work. If you have
-a custom authentication system that manually sets cookies and the like,
-it won't help you.
+These middleware require Django's session framework to work. If you
+have a custom authentication system that manually sets cookies and the
+like, it won't help you.
If your app creates HTML pages and forms in some unusual way, (e.g.
it sends fragments of HTML in JavaScript document.write statements)
Modified: django/trunk/docs/releases/1.1-alpha-1.txt
===================================================================
--- django/trunk/docs/releases/1.1-alpha-1.txt 2009-03-19 22:46:49 UTC (rev
10093)
+++ django/trunk/docs/releases/1.1-alpha-1.txt 2009-03-19 23:14:20 UTC (rev
10094)
@@ -74,8 +74,14 @@
``CsrfMiddleware`` class (which does both) remains for
backwards-compatibility, but using the split classes is now recommended in
order to allow fine-grained control of when and where the CSRF processing
- takes place.
+ takes place. Decorators are provided for selectively turning it off for
+ certain views.
+ Also, these middleware are now enabled by default when creating new projects.
+ It is recommended to add these middleware, if not already present, to
existing
+ projects, to provide protection for the admin (which has no other CSRF
+ protection) and other apps.
+
* :func:`~django.core.urlresolvers.reverse` and code which uses it (e.g., the
``{% url %}`` template tag) now works with URLs in Django's administrative
site, provided that the admin URLs are set up via
``include(admin.site.urls)``
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en
-~----------~----~----~----~------~----~------~--~---
