[Django] #28699: Problem with CSRF in Django 1.11.6

[Django] #28699: Problem with CSRF in Django 1.11.6

#28699: Problem with CSRF in Django 1.11.6
-----------------------------------------+------------------------
               Reporter:  stephanm       |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  Uncategorized  |        Version:  1.11
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 I have a problem with csrf protection starting with django 1.11.6
 (django 1.11.5 does not have this problem).

 I have always done exactly what is explained in
 https://docs.djangoproject.com/en/1.11/howto/auth-remote-user/

 My settings:
 {{{#!python
 MIDDLEWARE = [
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.locale.LocaleMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     # "django.contrib.auth.middleware.RemoteUserMiddleware",
     # own middleware because behind proxy we get HTTP_REMOTE_USER
     # instead of REMOTE_USER
     "lib.auth.middleware.RemoteUserMiddlewareProxy",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
 ]

 AUTHENTICATION_BACKENDS = [
     # "django.contrib.auth.backends.RemoteUserBackend",
     "lib.auth.backends.RemoteUserBackendTooling",
     # default is:
     "django.contrib.auth.backends.ModelBackend",
 ]
 }}}

 {{{#!python
 # content of lib.auth.middleware.RemoteUserMiddlewareProxy
 from django.contrib.auth.middleware import RemoteUserMiddleware


 class RemoteUserMiddlewareProxy(RemoteUserMiddleware):
     header = "HTTP_REMOTE_USER"
 }}}

 {{{#!python
 # content of lib.auth.backends.RemoteUserBackendTooling
 from django.contrib.auth.backends import RemoteUserBackend


 class RemoteUserBackendTooling(RemoteUserBackend):

     create_unknown_user = False

     def clean_username(self, username):
         """
         Performs any cleaning on the "username" prior to using it to get
         or create the user object.  Returns the cleaned username.

         By default, returns the username unchanged.
         """
         # Strip the Windows domain prefix ("IT\") that the NTLM front end adds.
         if username.startswith("IT\\"):
             username = username[3:]
         return username
 }}}

 My C# Application does a login by using the normal
 "django.contrib.auth.backends.ModelBackend", not using the REMOTE_USER!
 It calls a function in my views.py:
 {{{#!python
     def auth_login_json(request):
         # code...
         # POST data with user & password

 }}}

 Now the csrf protection fails with an http error 403
 (only with django 1.11.6, ... django 1.11.5 works)

 I found two possibilities to make it work again:

 1. In MIDDLEWARE, comment out
 "lib.auth.middleware.RemoteUserMiddlewareProxy"
    but the other remote user login functionality is gone.
 2. I add @csrf_exempt to auth_login_json function like this:

 {{{#!python
     @csrf_exempt
     def auth_login_json(request):
         # code...
         # POST data with user & password

 }}}

 Reading the changelog
 https://docs.djangoproject.com/en/1.11/releases/1.11.6/
 I suppose this behaviour change comes with
 https://code.djangoproject.com/ticket/28488

 My question: Was I wrong all the years or is this a bug?

--
Ticket URL: <https://code.djangoproject.com/ticket/28699>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/051.df6b4e1ce172b2a6d6d0a38ca13a295a%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #28699: Problem with CSRF in Django 1.11.6

#28699: Problem with CSRF in Django 1.11.6
--------------------------+--------------------------------------
     Reporter:  stephanm  |                    Owner:  nobody
         Type:  Bug       |                   Status:  new
    Component:  CSRF      |                  Version:  1.11
     Severity:  Normal    |               Resolution:
     Keywords:            |             Triage Stage:  Unreviewed
    Has patch:  0         |      Needs documentation:  0
  Needs tests:  0         |  Patch needs improvement:  0
Easy pickings:  0         |                    UI/UX:  0
--------------------------+--------------------------------------
Changes (by Tim Graham):

 * cc: Florian Apolloner (added)
 * type:  Uncategorized => Bug
 * component:  Uncategorized => CSRF


--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by Florian Apolloner):

 Can you share your code/setup? I do not see anything obvious -- your C#
 app should always have gotten a CSRF error, or did it include a csrf
 token?

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by Florian Apolloner):

 Actually I might have an idea, can you check if commenting out
 https://github.com/django/django/blob/4d60261b2a77460b4c127c3d832518b95e11a0ac/django/contrib/auth/__init__.py#L128
 fixes the issue? This seems to be caused by the `auth.login` call from the
 RemoteUserMiddleware which then resets tokens :/

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by stephanm):

 Hi Florian,

 I just commented out the "rotate_token(request)" line in login as you
 told me.

 **Now it works again.**

 Perhaps I am doing something wrong too; I didn't exactly understand the
 csrf workflow.
 I use Apache on Windows with a plugin which allows me to use NTLM as
 Single Sign On.
 My django runs behind Apache as a reverse proxy and gets the remote_user
 from it, which is intended for the normal users who come with their
 browsers.

 But my C# application does a normal login.

 Is there some howto explaining how an external C# program
 should log in, showing when and how the csrf tokens
 appear in the cookies during the HTTP conversation
 and which of them should be taken?

 Thanks.

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6

#28699: Problem with CSRF in Django 1.11.6
---------------------------------+------------------------------------
     Reporter:  stephanm         |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  CSRF             |                  Version:  1.11
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  0                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------
Changes (by Florian Apolloner):

 * severity:  Normal => Release blocker
 * stage:  Unreviewed => Accepted


Comment:

 Ok, thanks -- given this I can reproduce it. This is a bug in Django
 (kinda), but probably a hard one to fix :(

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by Florian Apolloner):

 Actually I am still not sure what is happening here and why. How does your
 C# app log in exactly? I.e. where does it get the csrf token from, and is
 the C# app affected by the single sign on stuff?

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by Florian Apolloner):

 Please restore the original Django 1.11.6 and move
 ```
         "django.contrib.auth.middleware.AuthenticationMiddleware",
         "lib.auth.middleware.RemoteUserMiddlewareProxy",
 ```
 before the CSRF middleware. The issue should be gone then, which will
 probably mean that the fix will just be a documentation fix.

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by stephanm):

 Hi,

 I restored the original Django 1.11.6 and moved the lines you mentioned
 *before* the CSRF middleware and I can confirm that **it works
 now**!

 Concerning my C# Application, it calls the following
 function in my views.py with a GET call to
 get the csrf_token:
 {{{#!python
 from django.http import JsonResponse
 # csrf() here is Django's context processor; the import is what this view needs
 from django.template.context_processors import csrf


 def auth_get_csrf_token_json(request):
     token = csrf(request)
     csrf_token = str(token["csrf_token"])  # since django 1.5
     response = JsonResponse(
         {"dataType": "csrf", "data": {"csrftoken": csrf_token}}
     )
     # I set the cookie in the past but it seems not necessary
     ##response.set_cookie("csrftoken", csrf_token)
     return response
 }}}

 Note:
  - I send back the csrf token as json data but in
    my C# app I use the csrf token which is in the **cookie**.
  - One strange thing I didn't understand: the csrf token
    in the returned json data and in the cookie are **different**

 Honestly I was never sure where to get this **initial** csrf token
 to be able to POST my login data.
 So I did my experiments until I found this solution which worked for me
 (some time ago).

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by Florian Apolloner):

 > One strange thing I didn't understand: the csrf token in the returned
 json data and in the cookie are different

 Yes, the token changes every request to account for BREACH style attacks.
 You have to take the first half of it and xor it with the second one
 (basically) to get the constant "secret" behind it which is reused during
 the requests.

 As for your code:
 {{{
 from django.middleware.csrf import get_token
 get_token(request)
 }}}
 in your view should be enough, Django will take care of setting the cookie
 etc accordingly.

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

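The masking that Florian describes in comment:9 (and the "different token in the cookie and in the JSON" observation from comment:8) is easier to see in code. The block below is an added example, not code from the ticket and not Django's own module: it reimplements the per-request masking scheme Django 1.10+ uses for the csrftoken value. Django does not literally xor the two halves; it adds a random 32-character salt to the 32-character secret position by position, modulo the 62-character alphabet (a Vigenère-style mask), and prepends the salt. The function names (`mask_secret`, `unmask_token`, `tokens_match`, `demo`) are this example's own; the alphabet and lengths match Django's constants.

```python
"""Added example: Django-style CSRF token masking, reimplemented stand-alone.

Shows why the csrftoken cookie and a get_token()/csrf(request) value differ
on every request yet verify against each other, and why rotate_token()
(a new secret) makes previously issued tokens fail.
"""
import hmac
import secrets
import string

# Same alphabet and lengths as django.middleware.csrf.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_csrf_secret():
    """The per-session secret; constant until rotate_token() replaces it."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret, salt=None):
    """Return salt + cipher, where cipher[i] = secret[i] + salt[i] (mod 62).

    A fresh random salt on every call is what makes each issued token look
    different; `salt` is only a parameter so the scheme can be tested with
    a fixed vector.
    """
    if salt is None:
        salt = new_csrf_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(
        chars[(chars.index(s) + chars.index(k)) % len(chars)]
        for s, k in zip(secret, salt)
    )
    return salt + cipher


def unmask_token(token):
    """Invert mask_secret(): strip the salt and subtract it from the cipher."""
    salt, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(
        chars[(chars.index(c) - chars.index(k)) % len(chars)]
        for c, k in zip(cipher, salt)
    )


def tokens_match(cookie_token, submitted_token):
    """What the view-time check amounts to: both values must be well formed
    and must unmask to the same secret; the comparison is constant-time."""
    for t in (cookie_token, submitted_token):
        if len(t) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in t):
            return False
    return hmac.compare_digest(unmask_token(cookie_token), unmask_token(submitted_token))


def demo():
    """Constructed walk-through of one client session (no real Django involved)."""
    secret = new_csrf_secret()
    cookie_token = mask_secret(secret)  # what the csrftoken cookie would carry
    json_token = mask_secret(secret)    # what csrf(request)["csrf_token"] would return
    rotated = mask_secret(new_csrf_secret())  # cookie after rotate_token() on login
    return {
        "differ": cookie_token != json_token,
        "same_secret": unmask_token(cookie_token) == unmask_token(json_token),
        "verify": tokens_match(cookie_token, json_token),
        "after_rotate": tokens_match(rotated, json_token),
    }


if __name__ == "__main__":
    print(demo())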

Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by stephanm):

 Replying to [comment:7 Florian Apolloner]:
 > ...
 > before the CSRF middleware. The issue should be gone then, which will
 probably mean that the fix will just be a documentation fix.

 If the documentation fix is about to place AuthenticationMiddleware
 before the CsrfViewMiddleware in the MIDDLEWARE setting then you
 will have to do more than only changing the docs:

 - You have to move AuthenticationMiddleware before the CsrfViewMiddleware
   in the docs:
   https://docs.djangoproject.com/en/1.11/topics/http/middleware/#activating-middleware

 - You will have to change `django-admin startproject`
   so that it generates the appropriate middleware ordering.

 - You will have to change the middleware-ordering docs in:
   https://docs.djangoproject.com/en/1.11/ref/middleware/#middleware-ordering

 - You will have to tell everybody that their settings.MIDDLEWARE has to
   be modified, otherwise some functionality may be broken

 - modify perhaps some other places in the docs I missed ...

 Is it really only a documentation fix?

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:10>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by Florian Apolloner):

 It only affects the ''RemoteUserMiddleware'', which is not enabled by
 default.

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:11>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by stephanm):

 Aha ... so, the fix will be what's mentioned in comment:7,
 the move of django.contrib.auth.middleware.AuthenticationMiddleware
 and the RemoteUserMiddleware ... ? (plus fixes in the docs of course)

 Right? Or do you plan to do other changes?

 I ask this, so I could fix my code **now**.

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Problem with CSRF in Django 1.11.6


Comment (by Florian Apolloner):

 Yes, something along those lines will be the final fix. I need to think
 about it a bit more though; I cannot guarantee if or what I missed.

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:13>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Document middleware ordering requirements following CSRF change in Django 1.11.6 (was: Problem with CSRF in Django 1.11.6)

#28699: Document middleware ordering requirements following CSRF change in Django
1.11.6
-------------------------------+------------------------------------
     Reporter:  stephanm       |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Documentation  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------
Changes (by Tim Graham):

 * component:  CSRF => Documentation
 * severity:  Release blocker => Normal


--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:14>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #28699: Document middleware ordering requirements following CSRF change in Django 1.11.6

#28699: Document middleware ordering requirements following CSRF change in Django
1.11.6
-------------------------------+------------------------------------
     Reporter:  stephanm       |                    Owner:  Rodrigo
         Type:  Bug            |                   Status:  assigned
    Component:  Documentation  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------
Changes (by Rodrigo):

 * owner:  nobody => Rodrigo
 * status:  new => assigned
 * has_patch:  0 => 1


Comment:

 [https://github.com/django/django/pull/10722 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:15>

Re: [Django] #28699: Document middleware ordering requirements following CSRF change in Django 1.11.6

#28699: Document middleware ordering requirements following CSRF change in Django 1.11.6
-------------------------------+------------------------------------
     Reporter:  stephanm       |                    Owner:  Rodrigo
         Type:  Bug            |                   Status:  assigned
    Component:  Documentation  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------

Comment (by Carlton Gibson):

 The PR here looks fine, re the discussion, but I'm missing a crucial part
 in my understanding here: I can't see how you're meant to make a
 successful CSRF check in the **same request** as a `REMOTE_USER` login...

 As I read it, if `RemoteUserMiddleware` is first then:

 * `RemoteUserMiddleware.process_request()` calls `auth.login()` which
 calls `rotate_token()`:

 {{{
 def rotate_token(request):
     """
     Change the CSRF token in use for a request - should be done on login
     for security purposes.
     """
     request.META.update({
         "CSRF_COOKIE_USED": True,
         "CSRF_COOKIE": _get_new_csrf_token(),
     })
     request.csrf_cookie_needs_reset = True
 }}}

 * But then `CsrfViewMiddleware.process_request()` calls `_get_token()`
 which fetches the **old** `CSRF_COOKIE`, from either the session or the
 cookie, and
 [https://github.com/django/django/blob/4d60261b2a77460b4c127c3d832518b95e11a0ac/django/middleware/csrf.py#L201
 resets it on `request.META`].

 Unless I missed something, this is **negating the `rotate_token()` call**.
 Is that correct, or have I misread it? Given the docstring in
 `rotate_token()` isn't this a no-no?

 On the other hand, if `CsrfViewMiddleware` is first then the
 `rotate_token()` call will replace whatever `CSRF_COOKIE` was previously
 set, and so the actual CSRF check in `process_view()` will necessarily
 fail. (As we must be seeing here.)

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:16>
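The two orderings Carlton walks through in comment 16 can be checked with a small model. This is an added example, not Django's code: `rotate_token` follows the snippet quoted above, while `csrf_process_request`, `remote_user_process_request`, `csrf_process_view` and `run` are simplified stand-ins for the 1.11.6 middleware (no token masking or session storage is modelled, and the token generator is a deterministic placeholder).

```python
import itertools

# Placeholder for django.middleware.csrf._get_new_csrf_token (assumption):
# deterministic so the outcome of each ordering is reproducible.
_counter = itertools.count(1)

def _get_new_csrf_token():
    return "rotated-token-%d" % next(_counter)

def rotate_token(meta):
    """Model of auth.login() -> rotate_token(): replace the token in META."""
    meta["CSRF_COOKIE_USED"] = True
    meta["CSRF_COOKIE"] = _get_new_csrf_token()

def csrf_process_request(meta, cookies):
    """Model of CsrfViewMiddleware.process_request() in 1.11.6: _get_token()
    reads the csrftoken cookie and writes it back to META['CSRF_COOKIE'],
    overwriting whatever an earlier middleware put there."""
    meta["CSRF_COOKIE"] = cookies.get("csrftoken")

def remote_user_process_request(meta, cookies):
    """Model of RemoteUserMiddleware: a REMOTE_USER header logs the user in,
    and auth.login() rotates the CSRF token."""
    if meta.get("REMOTE_USER"):
        rotate_token(meta)

def csrf_process_view(meta, post):
    """Model of the check: the submitted token must equal META['CSRF_COOKIE']."""
    return post.get("csrfmiddlewaretoken") == meta.get("CSRF_COOKIE")

def run(order, cookie_token, post_token):
    """Run the given middleware order for one POST carrying a valid token.
    Returns (check_passed, token_was_rotated)."""
    meta = {"REMOTE_USER": "alice"}                 # constructed sample request
    cookies = {"csrftoken": cookie_token}
    post = {"csrfmiddlewaretoken": post_token}
    for middleware in order:
        middleware(meta, cookies)
    passed = csrf_process_view(meta, post)
    rotated = meta["CSRF_COOKIE"] != cookie_token
    return passed, rotated

REMOTE_USER_FIRST = (remote_user_process_request, csrf_process_request)
CSRF_FIRST = (csrf_process_request, remote_user_process_request)

if __name__ == "__main__":
    token = "a" * 32
    print("RemoteUser first:", run(REMOTE_USER_FIRST, token, token))  # (True, False)
    print("CsrfView first:  ", run(CSRF_FIRST, token, token))         # (False, True)
```

With `RemoteUserMiddleware` first the check passes but the rotation is silently undone; with `CsrfViewMiddleware` first the rotation survives and the check fails, which is the failure the reporter sees.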

Re: [Django] #28699: Document middleware ordering requirements following CSRF change in Django 1.11.6

#28699: Document middleware ordering requirements following CSRF change in Django 1.11.6
-------------------------------+------------------------------------
     Reporter:  stephanm       |                    Owner:  Rodrigo
         Type:  Bug            |                   Status:  assigned
    Component:  Documentation  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------
Changes (by Carlton Gibson):

 * cc: Carlton Gibson (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:17>

Re: [Django] #28699: Document middleware ordering requirements following CSRF change in Django 1.11.6

#28699: Document middleware ordering requirements following CSRF change in Django 1.11.6
-------------------------------+------------------------------------
     Reporter:  stephanm       |                    Owner:  Rodrigo
         Type:  Bug            |                   Status:  assigned
    Component:  Documentation  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------

Comment (by Florian Apolloner):

 Replying to [comment:16 Carlton Gibson]:
 > Unless I missed something, this is **negating the `rotate_token()`
 call**. Is that correct, or have I misread it? Given the docstring in
 `rotate_token()` isn't this a no-no? If so, we can't recommend this.

 Yes, this seems correct.

 > On the other hand, if `CsrfViewMiddleware` is first then the
 `rotate_token()` call will replace whatever `CSRF_COOKIE` was previously
 set, and so the actual CSRF check in `process_view()` will necessarily
 fail. (As we must be seeing here.)

 Also correct. I wonder if my patch in #28488 actually made the situation
 worse (speaks for the complexity of the middleware :/)

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:18>

Re: [Django] #28699: Document middleware ordering requirements following CSRF change in Django 1.11.6

#28699: Document middleware ordering requirements following CSRF change in Django 1.11.6
-------------------------------+------------------------------------
     Reporter:  stephanm       |                    Owner:  Rodrigo
         Type:  Bug            |                   Status:  assigned
    Component:  Documentation  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  1
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------
Changes (by Carlton Gibson):

 * needs_better_patch:  0 => 1


Comment:

 Okay. Thank you for following up, Florian. I will dig deeper given your
 confirmation of my first reading.

--
Ticket URL: <https://code.djangoproject.com/ticket/28699#comment:19>