#19436: ensure_csrf_cookie decorator issues a "CSRF token missing or incorrect" warning.
-------------------------------------+-------------------------------------
Reporter: wrr@…                      | Owner: nobody
Type: Bug                            | Status: reopened
Component: Uncategorized             | Version: 1.4
Severity: Normal                     | Resolution:
Keywords: csrf                       | Triage Stage: Design decision needed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by wrr@…):
Actually, if you don't enable CsrfViewMiddleware, the decorator does not
raise 403, it prints 'WARNING django.request Forbidden (CSRF token missing
or incorrect.)' but always accepts the request (as it should). This is
because the decorator overwrites _reject():
{{{
from django.middleware.csrf import CsrfViewMiddleware

class _EnsureCsrfCookie(CsrfViewMiddleware):
    # Rejection is turned into a no-op, but the validation that precedes
    # it (and its warning) still runs.
    def _reject(self, request, reason):
        return None
}}}
I have a single view that establishes a CSRF token with a POST request and
does nothing more. And several views that require and validate the token
(for several reasons I do not use CsrfViewMiddleware to do the
validation). I'm using POST to establish the token as an extra precaution
to make sure the token does not leak to a different origin site.

Anyway, I'm not convinced this requires design discussion. It seems like
an obvious bug in the implementation. The printed warning is incorrect:
the request is not forbidden, 403 is not returned. The decorator, according to
the documentation, should only set a cookie, not perform any validation.
It seems like the warning is a result of a shortcut in the decorator
implementation that reuses CsrfViewMiddleware but does not disable
validation-related warnings that are not relevant for the decorator.
--
Ticket URL: <https://code.djangoproject.com/ticket/19436#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
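The behaviour described in the comment, as an added, dependency-free illustration that is not Django's code and not part of the ticket: a constructed stand-in for the 1.4-era `CsrfViewMiddleware` logs the "Forbidden" warning inside `process_view` and only then calls `_reject`, so a subclass that overrides `_reject` to return `None` still emits the warning while accepting the request. The hypothetical `CookieOnly` class shows the cookie-only behaviour the comment says the decorator is documented to have; `run`, `bad_post` and the dict-based request are assumptions made for the example.

```python
import logging

# Same logger name as in the warning quoted in the ticket.
logger = logging.getLogger("django.request")
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


class _RecordingHandler(logging.Handler):
    """Collects formatted log messages so callers can inspect what was warned."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record.getMessage())


class CsrfViewMiddleware:
    """Constructed model of the 1.4-era middleware (not Django's code).

    The warning is logged in process_view *before* _reject is called, so
    overriding _reject alone cannot silence it; that is the ticket's bug.
    """

    def process_view(self, request, view_func):
        if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
            return self._accept(request)
        cookie_token = request["cookies"].get("csrftoken")
        post_token = request["post"].get("csrfmiddlewaretoken")
        if cookie_token is None or post_token != cookie_token:
            logger.warning("Forbidden (%s): %s", REASON_BAD_TOKEN, request["path"])
            return self._reject(request, REASON_BAD_TOKEN)
        return self._accept(request)

    def _accept(self, request):
        return None  # None means "let the view run"

    def _reject(self, request, reason):
        return {"status": 403, "body": reason}


class _EnsureCsrfCookie(CsrfViewMiddleware):
    """The override quoted in the ticket: never reject, but validation still runs."""

    def _reject(self, request, reason):
        return None


class CookieOnly(CsrfViewMiddleware):
    """Hypothetical cookie-only variant: skip validation entirely and only
    mark the request so the response will carry the cookie."""

    def process_view(self, request, view_func):
        request["meta"]["CSRF_COOKIE_USED"] = True
        return None


def run(middleware, request):
    """Run one request through a middleware; return (response, warnings logged)."""
    handler = _RecordingHandler()
    logger.addHandler(handler)
    logger.setLevel(logging.WARNING)
    try:
        response = middleware.process_view(request, view_func=None)
    finally:
        logger.removeHandler(handler)
    return response, handler.records


def bad_post():
    """Constructed POST with no csrftoken cookie and no form token."""
    return {"method": "POST", "path": "/token/", "cookies": {}, "post": {}, "meta": {}}


if __name__ == "__main__":
    for mw in (CsrfViewMiddleware(), _EnsureCsrfCookie(), CookieOnly()):
        response, warnings = run(mw, bad_post())
        print(type(mw).__name__, "->", response, warnings)
```

Running it shows the three outcomes side by side: the real middleware returns a 403 and logs one warning; the `_reject` override returns `None` (request accepted) yet logs the identical warning, which is exactly the misleading log line the reporter saw; the cookie-only variant accepts without logging anything. For a defender reading logs, the middle case matters: a "Forbidden" CSRF warning from a view decorated this way is not evidence that a request was blocked.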