#14032: CSRF cookie value is marked as safe and inserted in the HTML unchecked
-------------------------------------+--------------------------------------
Reporter: edevil | Owner: lukeplant
Status: assigned | Milestone:
Component: Core framework | Version: 1.2
Resolution: | Keywords: security csrf
Stage: Unreviewed | Has_patch: 0
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 0 |
-------------------------------------+--------------------------------------
Comment (by lukeplant):
Replying to [comment:2 edevil]:
> The documentation specifies that subdomains can circumvent the CSRF
> protection, which is a lot different than saying that subdomains can
> insert HTML at will in your site.
That's exactly what I was saying - I accepted the ticket. I was merely
warning that Django in general is not secure against untrusted subdomains.
We are also vulnerable to session fixation attacks from untrusted
subdomains (something I do not know any solution for).
However, since this is security related, for future reference it would be
better to follow the guidelines here for a bug like this:
http://docs.djangoproject.com/en/dev/internals/contributing/#reporting-security-issues
I will make sure these procedures are followed with this bug (apart from
the fact that the bug is already publicly visible), and the core
developers will discuss what needs to be done.
--
Ticket URL: <http://code.djangoproject.com/ticket/14032#comment:3>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
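Added example, not code from the ticket or from Django itself: the pattern the ticket title describes (a cookie value interpolated into the hidden form field as if it were safe markup) next to two defensive variants, escaping the value at render time and validating the cookie value before it ever reaches the template. The 32-character alphanumeric token shape, the function names, and the hostile cookie value are all assumptions constructed for this illustration.

```python
import html
import re
import secrets

# Constructed sample of what a cookie could carry if an untrusted subdomain
# set it (hypothetical, for illustration only).
HOSTILE_COOKIE_VALUE = '"><script>alert(1)</script>'

# Assumed shape of a legitimate token: 32 alphanumeric characters.
# This is an assumption of the example, not a value stated in the ticket.
TOKEN_RE = re.compile(r'^[A-Za-z0-9]{32}$')

FIELD = '<input type="hidden" name="csrfmiddlewaretoken" value="%s" />'


def render_csrf_input_unchecked(token):
    """The problem the ticket reports: the cookie value is dropped into the
    markup verbatim, so anything a subdomain put in the cookie lands in the
    page as HTML."""
    return FIELD % token


def render_csrf_input_escaped(token):
    """Defensive rendering: HTML-escape the value (including quotes) before
    it is placed inside the attribute."""
    return FIELD % html.escape(token, quote=True)


def sanitize_token(cookie_value):
    """Defence in depth: accept only a well-formed token; anything else is
    discarded and a fresh token is minted, so a hostile cookie value never
    reaches the template at all."""
    if cookie_value is not None and TOKEN_RE.match(cookie_value):
        return cookie_value
    return secrets.token_hex(16)  # 32 hex characters, satisfies TOKEN_RE


def contains_markup(rendered):
    """Check used by the assertions below: did the value break out of the
    attribute and introduce a tag?"""
    return '<script' in rendered


if __name__ == '__main__':
    print(render_csrf_input_unchecked(HOSTILE_COOKIE_VALUE))
    print(render_csrf_input_escaped(HOSTILE_COOKIE_VALUE))
    print(render_csrf_input_escaped(sanitize_token(HOSTILE_COOKIE_VALUE)))
```

Escaping alone stops the value from becoming markup; validating the cookie before use additionally keeps a tampered token out of the session entirely, which is the stronger property when the cookie's origin cannot be trusted.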