| author | Donald Stufft <donald@stufft.io> | 2016-04-15 17:41:35 -0400 |
|---|---|---|
| committer | Donald Stufft <donald@stufft.io> | 2016-04-15 18:31:23 -0400 |
| commit | f12005b92fa9bb33f082bd50747eb11791605cff (patch) | |
| tree | ba171caede0f861a5ded96309615b10351a7484b /docs | |
| parent | bf33b200bbb72114ca55150724b0a4c51d7ef535 (diff) | |
| download | pyramid-f12005b92fa9bb33f082bd50747eb11791605cff.tar.gz pyramid-f12005b92fa9bb33f082bd50747eb11791605cff.tar.bz2 pyramid-f12005b92fa9bb33f082bd50747eb11791605cff.zip | |
Only Accept CSRF Tokens in headers or POST bodies
Previously `check_csrf_token` would allow passing in a CSRF token in through the URL of a request. However, this is a security issue because a CSRF token must not be allowed to leak, and URLs regularly get copy/pasted or otherwise end up leaking to the outside world.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/narr/sessions.rst | 7 |
| -rw-r--r-- | docs/narr/viewconfig.rst | 2 |
2 files changed, 4 insertions, 5 deletions
diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index d66e86258..ad086268b 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -391,8 +391,8 @@ will return ``True``, otherwise it will raise ``HTTPBadRequest``. Optionally, you can specify ``raises=False`` to have the check return ``False`` instead of raising an exception. -By default, it checks for a GET or POST parameter named ``csrf_token`` or a -header named ``X-CSRF-Token``. +By default, it checks for a POST parameter named ``csrf_token`` or a header +named ``X-CSRF-Token``. .. code-block:: python @@ -430,8 +430,7 @@ If ``require_csrf`` is ``True`` but does not explicitly define a token to check, then the token name is pulled from whatever was set in the ``pyramid.require_default_csrf`` setting. Finally, if that setting does not explicitly define a token, then ``csrf_token`` is the token required. This token -name will be required in ``request.params`` which is a combination of the -query string and a submitted form body. +name will be required in ``request.POST`` which is the submitted form body. It is always possible to pass the token in the ``X-CSRF-Token`` header as well. There is currently no way to define an alternate name for this header without diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst index e645185f5..40db5fbeb 100644 --- a/docs/narr/viewconfig.rst +++ b/docs/narr/viewconfig.rst @@ -459,7 +459,7 @@ configured view. check name. If CSRF checking is performed, the checked value will be the value of - ``request.params[check_name]``. This value will be compared against the + ``request.POST[check_name]``. This value will be compared against the value of ``request.session.get_csrf_token()``, and the check will pass if these two values are the same. If the check passes, the associated view will be permitted to execute. If the check fails, the associated view will not be |
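Review bot: the first sessions.rst hunk changes the documented default from "a GET or POST parameter named ``csrf_token``" to "a POST parameter named ``csrf_token``" without flagging the behaviour change; callers that currently supply the token in the query string will start failing with ``HTTPBadRequest``, so add a ``.. versionchanged::`` note under that paragraph stating that tokens in the query string are no longer accepted and why (URLs get copied and otherwise leak, as the commit message explains), rather than leaving readers to infer it from the omission of "GET".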
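Review bot: in the second sessions.rst hunk, the new line "This token name will be required in ``request.POST`` which is the submitted form body." should spell out the consequence for non-form requests: ``request.POST`` is only populated for form-encoded bodies, so a client that submits JSON (or any other non-form body) can only satisfy the check through the ``X-CSRF-Token`` header described in the next sentence. Suggest "This token name will be required in ``request.POST``, which is the submitted form body; requests without a form body must supply the token in the header described below." (the comma before "which" is also needed, since the clause is non-restrictive).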
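Review bot: the viewconfig.rst hunk now states that the checked value is "the value of ``request.POST[check_name]``" and nothing else, while the sessions.rst hunk in the same patch says "It is always possible to pass the token in the ``X-CSRF-Token`` header as well."; the two pages will contradict each other for header-based clients. Suggest "the checked value will be the value of ``request.POST[check_name]`` or, if that is absent, of the ``X-CSRF-Token`` header" so both documents describe the same lookup order.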
