[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fixing CSRF exploits in Infrastructure



On Tue November 25 2008, Toshio Kuratomi wrote:

> For these issues we could either concentrate on fixing or mitigating
> them.  Fixing them would require the laborious changes I talked about
> earlier to change the way the framework already processes the POST and
> GET parameters before they get to us.

I guess it would be enough only to check whether the request is a POST-request 
without checking where the variables come from. This is maybe available in 
this variable: cherrypy.request.method

> Mitigation is easier -- we should 
> make it part of our best practices to never have links or GET driven
> forms that make state changes when designing the UI and templates.

This is also needed, if you check for the request method, because otherwise 
you would have broken links.

Regards,
Till

Attachment: signature.asc
Description: This is a digitally signed message part.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]