Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-12 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by Florian Apolloner):

 Yes, something along those lines will be the final fix. I need to think
 about it a bit more though, cannot guarantee if or what I missed.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.266cccf3df497557f418d30458b500d3%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-12 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by stephanm):

 Aha ... so, the fix will be what's mentioned in comment:7,
 the move of django.contrib.auth.middleware.AuthenticationMiddleware
 and the RemoteUserMiddleware... ? (plus fixes in the docs of course)

 Right? Or do you plan to do other changes?

 I ask this, so I could fix my code **now**.



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-12 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by Florian Apolloner):

 It only affects the ''RemoteUserMiddleware'', which is not enabled by
 default.



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-12 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by stephanm):

 Replying to [comment:7 Florian Apolloner]:
 > ...
 > before the CSRF middleware. The issue should be gone then, which will
 > probably mean that the fix will just be a documentation fix.

 If the documentation fix is about to place AuthenticationMiddleware
 before the CsrfViewMiddleware in the MIDDLEWARE setting then you
 will have to do more than only changing the docs:

 - You have to move AuthenticationMiddleware before the CsrfViewMiddleware
   in the docs:\\
   https://docs.djangoproject.com/en/1.11/topics/http/middleware/#activating-middleware

 - You will have to change `django-admin startproject`
   so that it generates the appropriate middleware ordering.

 - You will have to change the middleware-ordering docs in:\\
   https://docs.djangoproject.com/en/1.11/ref/middleware/#middleware-ordering

 - You will have to tell everybody that their settings.MIDDLEWARE has to
   be modified, otherwise some functionality may be broken

 - modify perhaps some other places in the docs I missed ...

 Is it really only a documentation fix?



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-12 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by Florian Apolloner):

 > One strange thing I didn't understand: the csrf token in the returned
 json data and in the cookie are different

 Yes, the token changes every request to account for BREACH style attacks.
 You have to take the first half of it and xor it to the second one
 (basically) to get the constant "secret" behind it which is reused during
 the requests.

 As for your code:
 {{{
 from django.middleware.csrf import get_token
 get_token(request)
 }}}
 in your view should be enough, Django will take care of setting the cookie
 etc accordingly.


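Florian's description of the changing token, as an added example that is not code from the ticket or from Django itself: a re-implementation of the masking scheme Django 1.11 applies in django.middleware.csrf, where a fresh 32-character salt is combined with the constant secret by modular addition over the CSRF alphabet (the "xor" he refers to loosely). Two tokens issued for one session look unrelated, yet both unmask to the same secret, and that secret, not the token, is what the middleware compares.

```python
import hmac
import secrets
import string

# Django 1.11 parameters: a 32-character secret over letters and digits,
# sent as a 64-character token (32-char salt + 32-char masked secret).
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits


def new_csrf_string(length=CSRF_SECRET_LENGTH):
    """Random string over the CSRF alphabet; used for the secret and for salts."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def mask_secret(secret, salt=None):
    """Return salt + cipher, where each secret char is shifted by the salt char.

    A fresh salt per call yields a different token for the same secret on every
    response, so no constant string is left for a BREACH-style oracle to find.
    """
    if salt is None:
        salt = new_csrf_string()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(c) for c in salt))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return salt + cipher


def unmask_token(token):
    """Invert mask_secret: recover the constant secret behind any token."""
    chars = CSRF_ALLOWED_CHARS
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in chars for c in token):
        raise ValueError("malformed CSRF token")
    salt, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip((chars.index(c) for c in cipher), (chars.index(c) for c in salt))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


def tokens_match(cookie_token, request_token):
    """The middleware's check: compare unmasked secrets in constant time.

    Comparing the raw tokens would reject every request, since they differ by design.
    """
    return hmac.compare_digest(unmask_token(cookie_token), unmask_token(request_token))


def demo():
    """Two tokens for one secret differ, yet both unmask to it and match."""
    secret = new_csrf_string()
    t1, t2 = mask_secret(secret), mask_secret(secret)
    return t1 != t2, unmask_token(t1) == secret, tokens_match(t1, t2)
```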

Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-12 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by stephanm):

 Hi,

 I restored the original Django 1.11.6 and moved the lines you mentioned
 *before* the CSRF middleware and I can confirm that **it works
 now**!

 Concerning my C# application, it calls the following
 function in my views.py with a GET call to
 get the csrf_token:
 {{{#!python
 from django.http import JsonResponse
 from django.template.context_processors import csrf


 def auth_get_csrf_token_json(request):
     token = csrf(request)
     csrf_token = str(token["csrf_token"])  # since Django 1.5
     response = JsonResponse({"dataType": "csrf",
                              "data": {"csrftoken": csrf_token}})
     # I set the cookie in the past but it seems not necessary
     ##response.set_cookie("csrftoken", csrf_token)
     return response
 }}}

 Note:
  - I send back the csrf token as json data but in
    my C# app I use the csrf token which is in the **cookie**.
  - One strange thing I didn't understand: the csrf token
    in the returned json data and in the cookie are **different**

 Honestly I was never sure where to get this **initial** csrf token
 to be able to POST my login data.
 So I did my experiments until I found this solution which worked for me
 (some time ago).



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-11 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by Florian Apolloner):

 Please restore the original Django 1.11.6 and move
 ```
 "django.contrib.auth.middleware.AuthenticationMiddleware",
 "lib.auth.middleware.RemoteUserMiddlewareProxy",
 ```
 before the CSRF middleware. The issue should be gone then, which will
 probably mean that the fix will just be a documentation fix.



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-11 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by Florian Apolloner):

 Actually I am still not sure what is happening here and why. How does your
 C# app log in exactly? I.e. where does it get the csrf token from and is the
 C# app affected by the single sign on stuff?



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-11 Thread Django
#28699: Problem with CSRF in Django 1.11.6
-+
 Reporter:  stephanm |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  1.11
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+
Changes (by Florian Apolloner):

 * severity:  Normal => Release blocker
 * stage:  Unreviewed => Accepted


Comment:

 Ok, thanks -- given this I can reproduce it. This is a bug in Django
 (kinda), but probably a hard one to fix :(



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-11 Thread Django
#28699: Problem with CSRF in Django 1.11.6
--+--
 Reporter:  stephanm  |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  CSRF  |  Version:  1.11
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--

Comment (by stephanm):

 Hi Florian,

 just commented out the "rotate_token(request)" line in login as you told
 me.

 **Now it works again.**

 Perhaps I am doing something wrong too, I didn't understand exactly the
 csrf workflow.
 I use Apache on Windows with a plugin which allows me to use NTLM as
 Single Sign On.
 My Django runs as reverse proxy and gets the remote_user from Apache,
 which is intended for the normal users which come with their browsers.

 But my C# application does a normal login.

 Is there some howto explaining how an external C# program
 should log in, showing when and how the csrf tokens
 appear in the cookies during the HTTP conversation
 and which of them should be taken?

 Thanks.



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-11 Thread Django
#28699: Problem with CSRF in Django 1.11.6
--+--
 Reporter:  stephanm  |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  CSRF  |  Version:  1.11
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--

Comment (by Florian Apolloner):

 Actually I might have an idea, can you check if commenting out
 
https://github.com/django/django/blob/4d60261b2a77460b4c127c3d832518b95e11a0ac/django/contrib/auth/__init__.py#L128
 fixes the issue? This seems to be caused by the `auth.login` call from the
 RemoteUserMiddleware which then resets tokens :/



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-11 Thread Django
#28699: Problem with CSRF in Django 1.11.6
--+--
 Reporter:  stephanm  |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  CSRF  |  Version:  1.11
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--

Comment (by Florian Apolloner):

 Can you share your code/setup? I do not see anything obvious -- your C#
 app should always have gotten a CSRF error, or did it include a csrf
 token?



Re: [Django] #28699: Problem with CSRF in Django 1.11.6

2017-10-11 Thread Django
#28699: Problem with CSRF in Django 1.11.6
--+--
 Reporter:  stephanm  |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  CSRF  |  Version:  1.11
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by Tim Graham):

 * cc: Florian Apolloner (added)
 * type:  Uncategorized => Bug
 * component:  Uncategorized => CSRF

