Django Security Releases Issued - zain
http://www.djangoproject.com/weblog/2011/feb/08/security/

======
aston
These guys are not the only ones to make this mistake. Check the first line of
Tornado's XSRF check:

        # Method from tornado's RequestHandler as posted. The first check after the
        # docstring is the one under discussion: a request carrying only the
        # X-Requested-With header never reaches the token comparison.
        def check_xsrf_cookie(self):
            """Verifies that the '_xsrf' cookie matches the '_xsrf' argument.

            To prevent cross-site request forgery, we set an '_xsrf' cookie
            and include the same '_xsrf' value as an argument with all POST
            requests. If the two do not match, we reject the form submission
            as a potential forgery.

            See http://en.wikipedia.org/wiki/Cross-site_request_forgery
            """
            if self.request.headers.get("X-Requested-With") == "XMLHttpRequest":
                return
            token = self.get_argument("_xsrf", None)
            if not token:
                raise HTTPError(403, "'_xsrf' argument missing from POST")
            if self.xsrf_token != token:
                raise HTTPError(403, "XSRF cookie does not match POST argument")

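To make the shortcut concrete, here is an added example (not from the thread, Tornado or Django) that reduces the posted check to a plain function and puts it beside a version with the header exemption removed. `Forbidden`, `accepts`, the `X-CSRFToken` header name and the constructed request dicts are this example's own assumptions.

```python
import hmac
import secrets


class Forbidden(Exception):
    """Stand-in for tornado's HTTPError(403); constructed for this example."""


def check_xsrf_old(headers, args, cookie_token):
    # Same logic as the posted method: the header alone short-circuits the
    # token comparison, so a request with no token at all is accepted.
    if headers.get("X-Requested-With") == "XMLHttpRequest":
        return
    token = args.get("_xsrf")
    if not token:
        raise Forbidden("'_xsrf' argument missing from POST")
    if cookie_token != token:
        raise Forbidden("XSRF cookie does not match POST argument")


def check_xsrf_fixed(headers, args, cookie_token):
    # No header-based exemption. Every state-changing request must carry the
    # token, either in the form body or in a dedicated request header that an
    # AJAX client sets (assumed header name for this example). The comparison
    # is constant-time so the check leaks nothing about the cookie value.
    token = args.get("_xsrf") or headers.get("X-CSRFToken")
    if not token:
        raise Forbidden("XSRF token missing from request")
    if not hmac.compare_digest(cookie_token.encode(), token.encode()):
        raise Forbidden("XSRF cookie does not match supplied token")


def accepts(check, headers, args, cookie_token):
    """Return True if `check` lets the request through, False if it raises."""
    try:
        check(headers, args, cookie_token)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    cookie = secrets.token_hex(16)
    # Constructed requests: a header-only request with no token, and a real one.
    xhr_only = ({"X-Requested-With": "XMLHttpRequest"}, {})
    legit = ({}, {"_xsrf": cookie})
    print("old check, header only:", accepts(check_xsrf_old, *xhr_only, cookie))
    print("fixed check, header only:", accepts(check_xsrf_fixed, *xhr_only, cookie))
    print("fixed check, real token:", accepts(check_xsrf_fixed, *legit, cookie))
```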
~~~
marcinw
Tipfy looks to be as well:

[http://code.google.com/p/tipfy/source/browse/tipfyext/wtform...](http://code.google.com/p/tipfy/source/browse/tipfyext/wtforms/form.py#60)

~~~
moraesmoraes
A new release fixed this issue. Thank you!

------
ubernostrum
Since this also affected Rails, a minor clarification:

We spoke with Ben Bangert of Pylons/Pyramid, and did some checking of source
code there and in other projects, and as far as we knew last week, Django was
the only Python framework affected by the CSRF issue. If you find another
project which is affected, please notify them ASAP.

------
nbpoole
Cross-posting the recent discussion about the new Ruby on Rails release, which
included a fix for the same CSRF issue:

<http://news.ycombinator.com/item?id=2195283>

------
bryanh
A bothersome change, especially for all those employing jQuery plugins that
don't have a quick method to add the CSRF token to AJAX requests.

I think I might just add @csrf_exempt, as long as we aren't changing vital
info via the request...

~~~
nbpoole
Out of curiosity, why doesn't hooking beforeSend (as suggested in the blog
post) work?

~~~
bryanh
I haven't had a chance to try it, but if it gracefully handles every jQuery
plug-in's use of the .ajax() method, I don't see why it wouldn't work.

~~~
Pewpewarrows
This is correct. So long as the plugins themselves are using jQuery's own
$.ajax() method (or one of its derivatives that in turn call it), then
anything in ajaxSetup will be reflected in those requests.

------
svlla
"This is technically backwards-incompatible, but the security risks have been
judged to outweigh the compatibility concerns in this case."

Good choice. I wonder when weak password hashing in Django will be given the
same exception.

~~~
simonw
As discussed on another thread, shipping bcrypt by default isn't technically
feasible yet due to the Python binding for it failing to compile cleanly on
Windows: <http://news.ycombinator.com/item?id=2177989>

~~~
tedunangst
Something like PBKDF2 is trivially implementable in pure Python with the
provided primitives. There's no excuse not to do it.
