#14032: CSRF cookie value is marked as safe and inserted in the HTML unchecked
----------------------------+-----------------------------------------------
 Reporter:  edevil          |       Owner:  nobody    
   Status:  new             |   Milestone:            
Component:  Core framework  |     Version:  1.2       
 Keywords:  security csrf   |       Stage:  Unreviewed
Has_patch:  0               |  
----------------------------+-----------------------------------------------
 The value of the CSRF Cookie is inserted, unescaped, in the HTML.
 According to django/template/defaulttags.py:
 {{{
 from django.template import Node
 from django.utils.safestring import mark_safe

 class CsrfTokenNode(Node):
     def render(self, context):
         csrf_token = context.get('csrf_token', None)
         if csrf_token:
             if csrf_token == 'NOTPROVIDED':
                 return mark_safe(u"")
             else:
                 # mark_safe() tells the template engine not to autoescape the
                 # result, so the raw cookie value is interpolated verbatim.
                 return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
 }}}

 This csrf_token value is the value of the token. There are scenarios when
 a subdomain attacker can set the CSRF cookie for the whole domain and this
 ends up in the victim's site. The cookie value is never reset, so it can
 even be used to persist an XSS attack. Also, the CSRF cookie should
 support the option to be a secure and/or httponly cookie.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/14032>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
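The two remedies the ticket points at (escape the value before it reaches the markup, and stop trusting a cookie that does not look like a token) as a standalone Python sketch added here; it is neither Django's code nor part of the ticket, and it assumes a 32-character alphanumeric token and a cookie named `csrftoken`.

```python
import html
import re
import secrets

# Assumption: tokens are 32 alphanumeric characters; anything else in the
# cookie (e.g. a value planted by a sibling subdomain) is not a token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{32}$")


def sanitize_csrf_cookie(value):
    """Return the cookie value only if it is token-shaped, else mint a new one."""
    if value is not None and TOKEN_RE.match(value):
        return value
    return secrets.token_hex(16)  # 32 hex chars, satisfies TOKEN_RE


def render_csrf_input_unsafe(csrf_token):
    """Behaviour described in the ticket: raw interpolation, no escaping."""
    if not csrf_token or csrf_token == "NOTPROVIDED":
        return ""
    return ("<div style='display:none'><input type='hidden' "
            "name='csrfmiddlewaretoken' value='%s' /></div>" % csrf_token)


def render_csrf_input(csrf_token):
    """Hardened variant: HTML-escape the value, quotes included, first."""
    if not csrf_token or csrf_token == "NOTPROVIDED":
        return ""
    escaped = html.escape(csrf_token, quote=True)  # & < > " ' become entities
    return ("<div style='display:none'><input type='hidden' "
            "name='csrfmiddlewaretoken' value='%s' /></div>" % escaped)


def csrf_cookie_header(token, secure=True, httponly=True):
    """Set-Cookie line carrying the flags the ticket asks for.

    Note: HttpOnly keeps page scripts from reading the cookie, so a client
    that needs the token must get it from the rendered form instead.
    """
    parts = ["csrftoken=%s" % token, "Path=/"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(parts)


if __name__ == "__main__":
    planted = "abc'><b>x"  # constructed malformed cookie value
    print(render_csrf_input_unsafe(planted))
    print(render_csrf_input(planted))
    print(csrf_cookie_header(sanitize_csrf_cookie(planted)))
```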
