#16384: Documentation should warn against accessing request.POST in middleware
---------------------------------------+-------------------------------
               Reporter:  tomchristie  |          Owner:  tomchristie
                   Type:  Bug          |         Status:  new
              Milestone:               |      Component:  Documentation
                Version:  1.3          |       Severity:  Normal
             Resolution:               |       Keywords:
           Triage Stage:  Accepted     |      Has patch:  0
    Needs documentation:  0            |    Needs tests:  0
Patch needs improvement:  0            |  Easy pickings:  0
                  UI/UX:  0            |
---------------------------------------+-------------------------------

Comment (by tomchristie):

 > I'm feeling uneasy about the (implied) suggestion to use @csrf_exempt,
 because of the security implications.

 That's a good point; I think that part is badly written.  Django's docs
 ''do'' already adequately explain how to modify upload handlers on the fly
 using @csrf_exempt/@csrf_protect, so it should mention both (and link to
 that part of the documentation) rather than imply that you should just
 turn off CSRF validation.

 How about the following:

 "**Note**

 Accessing `request.POST` or `request.REQUEST` inside middleware from
 `process_request` or `process_view` will prevent any view running after
 the middleware from being able to
 [https://docs.djangoproject.com/en/dev/topics/http/file-uploads/#modifying-upload-handlers-on-the-fly modify the upload handlers for the request],
 and should normally be avoided.

 Note that
 [https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#module-django.middleware.csrf the CSRF middleware]
 can be considered an exception, as it provides the @csrf_exempt and
 @csrf_protect decorators which allow views to explicitly control at what
 point the CSRF validation should occur."

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16384#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
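The ordering problem the comment describes, as an added example that is not part of the ticket or of Django's own code: a constructed model of HttpRequest's lazy POST parsing and of the csrf_exempt/csrf_protect split the comment points to. `Request`, `handle`, `logging_middleware`, `csrf_middleware` and `ProgressHandler` are made-up stand-ins; only the AttributeError message mirrors what Django raises.

```python
# Constructed model, not Django's own code: enough of HttpRequest and the two
# decorators to show why reading request.POST in middleware locks the upload
# handlers, and how csrf_exempt + csrf_protect let a view install one first.
class Request:
    def __init__(self, body):
        self._body, self._post = body, None
        self._handlers = ["MemoryFileUploadHandler", "TemporaryFileUploadHandler"]

    upload_handlers = property(lambda self: self._handlers)

    @upload_handlers.setter
    def upload_handlers(self, handlers):
        if self._post is not None:  # Django raises this once the body is parsed
            raise AttributeError("You cannot set the upload handlers after the upload has been processed.")
        self._handlers = handlers

    @property
    def POST(self):  # first access parses the body with the handlers installed now
        if self._post is None:
            self._post = {"body": self._body, "parsed_by": list(self._handlers)}
        return self._post

def logging_middleware(request, view):  # process_view hook that peeks at POST
    _ = request.POST  # e.g. to log submitted fields; this consumes the body

def csrf_middleware(request, view):  # process_view hook honouring csrf_exempt
    if not getattr(view, "csrf_exempt", False):
        request.POST["csrf_checked"] = True  # the "exception" the comment allows

def csrf_exempt(view):
    view.csrf_exempt = True  # marker the CSRF middleware checks
    return view

def csrf_protect(view):
    def wrapped(request):  # validation runs here, after the view set handlers
        request.POST["csrf_checked"] = True
        return view(request)
    return wrapped

@csrf_exempt
def progress_view(request):  # documented pattern: swap handlers, then protect
    request.upload_handlers = ["ProgressHandler"] + request.upload_handlers
    return csrf_protect(lambda req: req.POST)(request)  # protected inner view

def handle(body, middlewares, view):  # minimal request cycle: hooks, then view
    request = Request(body)
    for middleware in middlewares:
        middleware(request, view)
    return view(request)
```

With only the CSRF middleware installed, `progress_view` gets its handler in first and the token check still runs; put `logging_middleware` in front of it and the same view fails with the AttributeError.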
