#15619: Logout link should be protected
--------------------------------------------------+----------------------
Reporter: void | Owner: nobody
Status: reopened | Milestone: 1.4
Component: django.contrib.admin | Version: SVN
Resolution: | Keywords:
Triage Stage: Design decision needed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 |
--------------------------------------------------+----------------------
Changes (by PaulM):
* status: closed => reopened
* milestone: => 1.4
* stage: Unreviewed => Design decision needed
* resolution: wontfix =>
Comment:
On the recommendation of Alex Gaynor, I'm reopening this ticket.
The issue is that this presents a really tempting avenue for DoS type
attacks. The attack (which I have, through great force of will, refrained
from illustrating in this post) is to simply embed the non-side-effect-
free URL as an image. The link obviously does not display a picture, but
the browser does retrieve the content, forcing the user to log out. This
makes removal of offensive content particularly obnoxious for
administrators.
Fixing this could involve requiring a form, or (since using a link to log
out is convenient) a nonce of some sort. Some forums implement the
functionality with a pass-through page which submits a form via
JavaScript.
--
Ticket URL: <http://code.djangoproject.com/ticket/15619#comment:4>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
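As an added example (not code from Django or from this ticket), the contrast the comment draws, in plain Python with constructed dict-based requests and sessions; the function names, the session fields and the status-code return values are assumptions:

```python
import hmac
import secrets


def new_session(user):
    """Constructed session: the logged-in user plus a per-session logout nonce."""
    return {"user": user, "logout_nonce": secrets.token_hex(16)}


def logout_via_link(session, request):
    """The shape the ticket objects to: any GET to the logout URL ends the
    session, so a request the browser issues on its own (for example while
    fetching an <img>) logs the administrator out with no user intent."""
    if request["method"] == "GET":
        session["user"] = None
        return 302  # redirect to the login page
    return 405


def logout_via_form(session, request):
    """Hardened variant: a GET only renders a confirmation form (no side
    effect); only a POST carrying the session's nonce actually logs out."""
    if request["method"] != "POST":
        return 200  # show the form, change nothing
    supplied = request.get("form", {}).get("logout_nonce", "")
    expected = session["logout_nonce"]
    # Constant-time compare on bytes so a non-ASCII value cannot raise.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403  # missing or wrong nonce: refuse and keep the session
    session["user"] = None
    session["logout_nonce"] = secrets.token_hex(16)  # rotate after use
    return 302


if __name__ == "__main__":
    # A background GET such as an embedded image fetch, constructed here.
    background_get = {"method": "GET", "path": "/admin/logout/"}
    s = new_session("admin")
    logout_via_link(s, background_get)
    print("link-style logout, user after GET:", s["user"])  # None
    s = new_session("admin")
    logout_via_form(s, background_get)
    print("form-style logout, user after GET:", s["user"])  # admin
```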