#16430: Stronger wording for CSRF protection in `modifying upload handlers on the fly`
---------------------------+-------------------------------
Reporter: tomchristie | Owner: nobody
Type: Uncategorized | Status: new
Milestone: | Component: Uncategorized
Version: 1.3 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Easy pickings: 0
UI/UX: 0 |
---------------------------+-------------------------------
The text in
[https://docs.djangoproject.com/en/dev/topics/http/file-uploads/#modifying-upload-handlers-on-the-fly modifying upload handlers on the fly]
could be more strongly worded regarding CSRF protection.
It might be better if the text "Assuming you do need CSRF protection, you
will then need to use csrf_protect() on the function that actually
processes the request." simply read "You will then need to use
csrf_protect() on the function that actually processes the request."
Obviously it's a bit of a subjective issue, but I think the stronger
implication that we're simply explaining how to defer ''when the CSRF
validation runs'', rather than making a decision about ''if it should be
run'' would be slightly better.
--
Ticket URL: <https://code.djangoproject.com/ticket/16430>