require_csrf to replace check_csrf #2413
Conversation
| @@ -1660,18 +1665,19 @@ token unless ``disable_csrf=True`` is passed to the view: | |||
| from pyramid.response import Response | |||
| from pyramid.session import check_csrf_token | |||
|
|
|||
| def require_csrf_view(view, info): | |||
| def csrf_view(view, info): | |||
There was a problem hiding this comment.
This should probably match the actual csrf_view we ship more closely (related to the val stuff), and add just the check for request.method == POST.
mmerickel
force-pushed
the
feature/require-csrf
branch
2 times, most recently
from
5147b84 to
06a4b61
Compare
|
I've rebased this PR on master. Two remaining questions on the impl:
|
|
|
I will reverse the order. I'm working on implementing this feature now... it touches several more systems than the simple implementation but I think it'll be worth it. I'm adding The only quirk I've added is that if you set |
|
That sounds good to me :-). |
|
Is there any interest in discussing how to enable/disable this feature based on whether authorization is done via headers or cookies? As I understand it, CSRF is only required when auth is via cookies that a browser will send automatically. I'm not too worried about this but I wanted to just hypothesize how an app could turn this on or off on a per-request basis. Like maybe someone could override this thing with one that supports a per-request setting to turn it off that they could set in their auth policy or something. |
|
Okay, I've done that work. I'd appreciate some review of the implementation. |
mmerickel
force-pushed
the
feature/require-csrf
branch
from
a3e4ae9 to
9b6ab12
Compare
| If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` exception | ||
| will be raised. This exception may be caught and handled by an | ||
| :term:`exception view` but, by default, will result in a ``400 Bad Request`` | ||
| resposne being sent to the client. |
|
Besides the typo, this looks great :-) |
mmerickel
force-pushed
the
feature/require-csrf
branch
from
9b6ab12 to
31d0396
Compare
- only check csrf on POST - support "pyramid.require_default_csrf" setting - support "require_csrf=True" to fallback to the global setting to determine the token name
|
👍 this looks fantastic! Thanks @mmerickel! |
|
Okay so the only point remaining is to fix the scaffolds which I'm afraid to do while @stevepiercy is messing with the easy_install vs pip stuff. I need some guidance on when that might be done so we can add it. We just need to slip in a little |
Well that's not quite right. If we do this we also need to setup the scaffolds to configure a session factory. I'm fine with that but it's a new thing. The session will require adding another secret to the settings at least, as well as a bit of code. I think that's fine for the alchemy and zodb scaffolds... I'm a little more wary of adding it to the starter scaffold which may not want a session. I could also update the view deriver to ignore the checks if there's no session factory. |
Do we currently have any "secrets" in the settings? I am now worried that if we add this secret, and keep it the default, that people will end up running their applications using the config file and be vulnerable to remote code execution... |
|
@mmerickel I'm down to the last file to update, so today. I've moved |
Yes, the alchemy tutorial added the auth policy secret to the settings as the tutorial was previously using a hard-coded string which was even worse. |
mmerickel
force-pushed
the
feature/require-csrf
branch
from
31d0396 to
769da12
Compare
|
Hmmm, okay, guess adding one more secret isn't that big of a deal then. |
|
The bigger issue is like I said it requires adding a session to the app which means invalidating it on boundaries as well as possibly explaining such things. On the bonus side it means we could possibly add flash messages to the tutorial in the future to make it nicer. I had previously envisioned adding this stuff in a new chapter but the invalidation might just need to go earlier. The alternative is to leave this stuff out of the scaffolds for this release and stew on whether to update the scaffolds / tutorials. |
|
I hadn't thought of the fact that we'd have to add session to the basic scaffolds, not sure it is worth adding that by default especially since a lot of people prefer to use Could we possibly leave it in the .ini commented out with a comment that you'll need to enable a session before enabling the feature? |
|
I think we should punt that change for a later version and just ship this feature as something people can turn on. We should consider (I already wanted to do this but it was getting out of scope) adding a session chapter to the tutorial at which point it will be more clear. |
|
Could you merge master into this please? Then I'll click the merge button. |
- Closes Pylons#2473. - See also Pylons#2413 and Pylons#2469.
Fixes #2367
check_csrf.check_csrfto point torequire_csrfinstead.docs/whatsnew-*docs/api/session.rstdocs/narr/hooks.rstdocs/narr/sessions.rstdocs/narr/viewconfig.rstpyramid/session.pypyramid/view.pypyramid/config/predicates.pypyramid/config/views.pypyramid/tests/tests_session.pypyramid/tests/test_predicates.pyUpdate scaffolds to set. See branch https://github.com/Pylons/pyramid/tree/docs/easy-install-to-pip.2104.pyramid.require_default_csrf = yesindevelopment.iniandproduction.ini