[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fixing CSRF exploits in Infrastructure

On Tue November 25 2008, Toshio Kuratomi wrote:

> For these issues we could either concentrate on fixing or mitigating
> them.  Fixing them would require the laborious changes I talked about
> earlier to change the way the framework already processes the POST and
> GET parameters before they get to us.

I guess it would be enough only to check whether the request is a POST-request 
without checking where the variables come from. This is maybe available in 
this variable: cherrypy.request.method

> Mitigation is easier -- we should 
> make it part of our best practices to never have links or GET driven
> forms that make state changes when designing the UI and templates.

This is also needed, if you check for the request method, because otherwise 
you would have broken links.


Attachment: signature.asc
Description: This is a digitally signed message part.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]