Re: Security Advisory: BREACH and Django

2013-08-07 Thread simonb
How about requiring that if csrfmiddlewaretoken is set, no matter what HTTP method (GET, POST...), it is correct, otherwise a 403 response. Simon

Re: Security Advisory: BREACH and Django

2013-08-07 Thread Curtis Maloney
They don't try to guess the CSRF directly, AIUI. They use a form field to affect their test. The easiest solution I can see is the one mentioned in the document -- instead of outputting the raw value, output SALT || (SALT ^ TOKEN) so the actual value is never in the response, but it can be

Re: django.utils.functional.cached_property

2013-08-07 Thread Anssi Kääriäinen
+1 to documenting it. On Wednesday, August 7, 2013 12:28:59 AM UTC+3, Daniele Procida wrote: > > Is there any reason why django.utils.functional.cached_property should not > be documented, so that it can easily be used? > > > > I'd have a lot of

Re: Use case for #14914 (to_db_python)

2013-08-07 Thread Anssi Kääriäinen
On Monday, August 5, 2013 8:02:52 AM UTC+3, Jani Tiainen wrote: > > Hi, > > You seem to have found kind of an issue which happens with the GeoDjango part as > well. Most of the geodjango operations require quite heavy to/from data > mangling while reading and/or writing data. > > Currently there isn't

Re: Security Advisory: BREACH and Django

2013-08-07 Thread Simon Blanchard
I think they nibble at it. They look at the compressed length - the shorter the compressed length, the closer they are. But if an incorrect CSRF was never reflected there would be nothing for them to nibble at. It says this in the paper: "However, we remark that requiring a valid CSRF token for all

Model.__eq__

2013-08-07 Thread Anssi Kääriäinen
The way Model.__eq__ works currently should be improved. There is one definite bug in __eq__, that is deferred instances are never equal to non-deferred instances with the same PK. There are also two possible improvements: make proxy models equal to their concrete parents (this also fixes

Re: django.utils.functional.cached_property

2013-08-07 Thread Marc Tamlyn
+1 On 7 August 2013 08:16, Anssi Kääriäinen wrote: > +1 to documenting it. > > > On Wednesday, August 7, 2013 12:28:59 AM UTC+3, Daniele Procida wrote: >> >> Is there any reason why django.utils.functional.cached_property should >> not be documented, so that it can

Re: django.utils.functional.cached_property

2013-08-07 Thread Aymeric Augustin
2013/8/6 Daniele Procida > Is there any reason why django.utils.functional.cached_property should not > be documented, so that it can easily be used? > > > Yes, it's stable enough. The main drawback of the current implementation

Re: django.utils.functional.cached_property

2013-08-07 Thread Daniele Procida
On Wed, Aug 7, 2013, Aymeric Augustin wrote: >2013/8/6 Daniele Procida > >> Is there any reason why django.utils.functional.cached_property should not >> be documented, so that it can easily be used? >> >>

Re: Improving ForeignKeyRawIdWidget (raw_id_fields in admin)

2013-08-07 Thread Simon Meers
On 13 June 2013 07:41, Simon Meers wrote: > On 13 June 2013 03:33, wrote: > >> I think that the usability of ForeignKeyRawIdWidget could be vastly >> improved if the representation part of the widget (the object name, in >> bold) were to be updated

Re: Proposal: Modifying the CSRF protection scheme

2013-08-07 Thread Shai Berger
Hi, You can find my work-in-progress at https://github.com/django/django/pull/1454. It is nowhere near ready yet -- it is still missing some pieces and has commented-out debug printing, but I'm done for tonight, and I think it is advanced enough that people may want to take a look and comment.

Re: django.utils.functional.cached_property

2013-08-07 Thread Russell Keith-Magee
On Wed, Aug 7, 2013 at 8:10 PM, Daniele Procida wrote: > On Wed, Aug 7, 2013, Aymeric Augustin > wrote: > > >2013/8/6 Daniele Procida > > > >> Is there any reason why django.utils.functional.cached_property should > not >

Re: django.utils.functional.cached_property

2013-08-07 Thread Curtis Maloney
On 8 August 2013 09:31, Russell Keith-Magee wrote: > On Wed, Aug 7, 2013 at 8:10 PM, Daniele Procida wrote: > >> On Wed, Aug 7, 2013, Aymeric Augustin >> wrote: >> >> >The main drawback of the current implementation

Re: Security Advisory: BREACH and Django

2013-08-07 Thread Alex Ogier
That's too hard to enforce. It would mean that you can't show user content on any public page, or any page that you want to be accessible from outside links. For example, you couldn't show blog comments to unregistered users. It would be too disruptive. Modifying the format of the secret token is

Re: Security Advisory: BREACH and Django

2013-08-07 Thread Simon Blanchard
Could you explain why? And why it matters if the user is registered or not? Alternatively, if the token is present and wrong and it's not a POST, reset the token. Thanks On Thu, Aug 8, 2013 at 11:24 AM, Alex Ogier wrote: > That's too hard to enforce. It would mean that