Enable CSRF protection by default
authorMagnus Hagander <magnus@hagander.net>
Mon, 5 Nov 2012 13:10:39 +0000 (14:10 +0100)
committerMagnus Hagander <magnus@hagander.net>
Mon, 5 Nov 2012 13:10:39 +0000 (14:10 +0100)
Most of these forms look pretty benign, but the user profile form, which
includes an SSH key field, certainly needs to be protected.

The survey form is unprotected because it's served over insecure HTTP
and the Varnish proxy strips cookies, which the builtin CSRF protection
requires.

Marti Raudsepp

pgweb/account/views.py
pgweb/settings.py
pgweb/survey/views.py
templates/account/userprofileform.html
templates/base/form.html
templates/core/admin_mergeorg.html
templates/core/admin_purge.html
templates/core/community.html

index b76b749cc8f6e094a4b6d5d08db46c0e7e35af9d..19c6b55592d81bf01f9c80f2091a0028ff559fa9 100644 (file)
@@ -190,10 +190,8 @@ def signup_complete(request):
 ####
 ## Community authentication endpoint
 ####
-from django.views.decorators.csrf import csrf_protect
 
 @ssl_required
-@csrf_protect
 def communityauth(request, siteid):
        # Get whatever site the user is trying to log in to.
        site = get_object_or_404(CommunityAuthSite, pk=siteid)
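Review bot: Dropping `@csrf_protect` from `communityauth` here (and from `communityauth_logout` in the next hunk) makes the CSRF check on both authentication endpoints depend solely on `CsrfViewMiddleware` remaining in `MIDDLEWARE_CLASSES`; the decorator is redundant while the middleware is active, so keeping it on these two views costs nothing and keeps the requirement visible where the endpoint is defined. If it is removed anyway, a one-line comment above each `def`, such as `# CSRF checks are applied globally by CsrfViewMiddleware (see settings.py)`, records where the protection now lives. The `csrf_protect` import is also removed, so any other use of it in this file would now be a NameError; the rest of the file is not visible here. The bodies of both views continue outside their hunks.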
@@ -257,7 +255,6 @@ def communityauth(request, siteid):
 
 
 @ssl_required
-@csrf_protect
 def communityauth_logout(request, siteid):
        # Get whatever site the user is trying to log in to.
        site = get_object_or_404(CommunityAuthSite, pk=siteid)
index 886f5bdc355912da87702c0674e90bb51913cca8..0742d08626c44fa17485375c6c40489a96539abf 100644 (file)
@@ -60,6 +60,7 @@ TEMPLATE_LOADERS = (
 MIDDLEWARE_CLASSES = [
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'util.middleware.PgMiddleware',
 ]
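Review bot: Once `CsrfViewMiddleware` is global, every view handling POST is checked, not only the five templates touched in this commit; any other template with a `method="post"` form that does not render `{% csrf_token %}` will start answering 403 to legitimate users. The file list shows only the updated templates, so a grep of the templates tree for `method="post"` (case-insensitive, given the `POST` spelling in admin_purge.html) is worth doing before this lands. The commit description also notes that cookies are stripped on the HTTP path through Varnish, so any further POST form served that way would need the same treatment as the survey.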
index d3347d88ac1f628722157f5235f0b4553bc0d23c..65f0afc63ac91fa12198d4999563ccff02745142 100644 (file)
@@ -2,6 +2,7 @@ from django.shortcuts import render_to_response, get_object_or_404
 from django.http import HttpResponse, Http404, HttpResponseRedirect
 from django.db import connection
 from django.template.defaultfilters import slugify
+from django.views.decorators.csrf import csrf_exempt
 
 from pgweb.util.contexts import NavContext
 from pgweb.util.misc import get_client_ip
@@ -18,6 +19,8 @@ def results(request, surveyid, junk=None):
                'surveylist': surveylist,
        }, NavContext(request, 'community'))
 
+# Served over insecure HTTP, the Varnish proxy strips cookies
+@csrf_exempt
 def vote(request, surveyid):
        surv = get_object_or_404(Survey, pk=surveyid)
 
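Review bot: The comment added above `vote` says why the exemption exists but not what it gives up: with `@csrf_exempt`, any third-party page can make a visitor's browser submit a vote, so the view must not rely on cookies or session state for anything security-relevant and its input should be treated as fully untrusted. Suggest widening the comment to `# CSRF-exempt: served over plain HTTP behind Varnish, which strips cookies, so the cookie-based token cannot be validated. Cross-site POSTs are therefore accepted; keep this view free of session/cookie-dependent logic.` Whether the current body already depends on such state cannot be seen here, as `vote`'s body continues outside the hunk.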
index 73fd3a60c69461dc1cf1a964bcfaccfaf8351a1e..43fe798c71acb7dd015a00b7db5ea55a93252a4b 100644 (file)
@@ -2,7 +2,7 @@
 {%block title%}Edit user profile{%endblock%}
 {%block contents%}
 <h1>Edit user profile</h1>
-<form method="post" action=".">
+<form method="post" action=".">{% csrf_token %}
 
 <table class="pgGenericFormTable">
 {%if form.errors%}
index f00b67a62586312cf3b7695d84e43e7f5c2b0121..ed076dc3abf3025e684b5a55da4f2451afc52ea5 100644 (file)
@@ -3,7 +3,7 @@
 {%block title%}{{operation|default:"Edit"}} {{formitemtype}}{%endblock%}
 {%block contents%}
 <h1>{{operation|default:"Edit"}} {{formitemtype}}</h1>
-<form method="post" action=".">
+<form method="post" action=".">{% csrf_token %}
 {%if form_intro%}
 <p>
 {{form_intro|safe}}
index 6adf2b1e37244dfe33c7d5e71e174b967eda4ed4..cde62ba83eeb01f6b7162b9cfbde0c079f8ca296 100644 (file)
@@ -10,7 +10,7 @@
 {%block content%}
 <div id="content-main">
 <h1>Merge organisations</h1>
-<form method="post" action=".">
+<form method="post" action=".">{% csrf_token %}
 <table>
 {{form.as_table}}
 </table>
index 1405570a27053357257200c7571c5cfe7f2d063a..d7e91f1faf9d3d2fc46c898bc5e28dadc481c5e2 100644 (file)
@@ -17,7 +17,7 @@
   </div>
 {%endif%}
 
- <form method="POST" action=".">
+ <form method="POST" action=".">{% csrf_token %}
 URL (regex): <input type="text" name="url">
   <input type="submit" value="Purge" />
  </form>
index 3c343ce48600b0708b1709322624652ff9646086..a4158eff1b8c870442451836f153f26d5a49fa62 100644 (file)
@@ -18,7 +18,7 @@
     <dt>User Survey</dt>
     <dd>{{survey.question}}</dd>
     <dd>
-      <form method="post" action="/community/survey/vote/{{survey.id}}/">
+      <form method="post" action="/community/survey/vote/{{survey.id}}/"><!-- CSRF exempt -->
       <p>
       {%for q in survey.questions%}
       <input type="radio" name="answer" value="{{q.value}}" id="surv_opt_{{q.value}}" /><label for="surv_opt_{{q.value}}">{{q.text}}</label><br />
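Review bot: `<!-- CSRF exempt -->` is an HTML comment, so it is sent to every visitor in the rendered page source; a Django template comment keeps the note for maintainers without publishing it. Replace the suffix on the `<form>` line with `{# CSRF exempt: the vote view is csrf_exempt, see pgweb/survey/views.py #}` so the reason is recorded next to the form but stays server-side.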