From 1799be9dd8666d10d6b4a04a9b75fc57f8626c6f Mon Sep 17 00:00:00 2001 From: Bert JW Regeer Date: Fri, 15 Apr 2016 16:44:55 -0600 Subject: Update CHANGES/whatsnew-1.7 for updated require_csrf --- CHANGES.txt | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index bc4b1aa79..0a7bdef1a 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -25,13 +25,15 @@ Features ``require_csrf=False`` on those views. See https://github.com/Pylons/pyramid/pull/2413 -- Added a ``require_csrf`` view option which will enforce CSRF checks on POST - requests. If the CSRF check fails a ``BadCSRFToken`` exception will be - raised and may be caught by exception views (the default response is a - ``400 Bad Request``). This option should be used in place of the deprecated - ``check_csrf`` view predicate which would normally result in unexpected - ``404 Not Found`` response to the client instead of a catchable exception. - See https://github.com/Pylons/pyramid/pull/2413 +- Added a ``require_csrf`` view option which will enforce CSRF checks on any + request with an unsafe method as defined by RFC2616. If the CSRF check fails + a ``BadCSRFToken`` exception will be raised and may be caught by exception + views (the default response is a ``400 Bad Request``). This option should be + used in place of the deprecated ``check_csrf`` view predicate which would + normally result in unexpected ``404 Not Found`` response to the client + instead of a catchable exception. See + https://github.com/Pylons/pyramid/pull/2413 and + https://github.com/Pylons/pyramid/pull/2500 - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return -- cgit v1.2.3 From 65dee6e4ca0c0c607e97db0c9e55768f10591a58 Mon Sep 17 00:00:00 2001 From: Donald Stufft Date: Fri, 15 Apr 2016 20:42:20 -0400 Subject: In addition to CSRF token, verify the origin too Add an additional layer of protection against CSRF by verifying the actual origin of the request in addition to the CSRF token. We only do this check on sites hosted behind HTTPS because only HTTPS sites have evidence to show that the Referrer header is not being spuriously removed by random middleware boxes. --- CHANGES.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 0a7bdef1a..0cd2c0c9a 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -35,6 +35,18 @@ Features https://github.com/Pylons/pyramid/pull/2413 and https://github.com/Pylons/pyramid/pull/2500 +- Added an additional CSRF validation that checks the origin/referrer of a + request and makes sure it matches the current ``request.domain``. This + particular check is only active when accessing a site over HTTPS as otherwise + browsers don't always send the required information. If this additional CSRF + validation fails a ``BadCSRFOrigin`` exception will be raised and may be + caught by exception views (the default response is ``400 Bad Request``). + Additional allowed origins may be configured by setting + ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on + a non standard port) to allow. Subdomains are not allowed unless the domain + name has been prefixed with a ``.``. See: + https://github.com/Pylons/pyramid/pull/2501 + - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return text/html, application/json or text/plain. The default for */* is still -- cgit v1.2.3 From 8ceb14f9fe014fd18a12ec3f3da7099cbed15c28 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sat, 16 Apr 2016 15:32:11 -0500 Subject: add docs and backward incompatibility notices for #2501 --- CHANGES.txt | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 0cd2c0c9a..d316594bc 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -15,6 +15,10 @@ Backward Incompatibilities See https://github.com/Pylons/pyramid/pull/2496 +- The ``check_csrf_token`` function no longer validates a csrf token in the + query string of a request. Only headers and request bodies are supported. + See https://github.com/Pylons/pyramid/pull/2500 + Features -------- @@ -44,14 +48,18 @@ Features Additional allowed origins may be configured by setting ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on a non standard port) to allow. Subdomains are not allowed unless the domain - name has been prefixed with a ``.``. See: + name has been prefixed with a ``.``. See https://github.com/Pylons/pyramid/pull/2501 +- Added a new ``pyramid.session.check_csrf_origin`` API for validating the + origin or referrer headers against the request's domain. + See https://github.com/Pylons/pyramid/pull/2501 + - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return text/html, application/json or text/plain. The default for */* is still text/html, but if application/json is explicitly mentioned it will now - receive a valid JSON response. See: + receive a valid JSON response. See https://github.com/Pylons/pyramid/pull/2489 - A new event and interface (BeforeTraversal) has been introduced that will -- cgit v1.2.3