Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

disable csrf checking on all exception views unless explicitly turned on #2517

Merged
merged 1 commit into from
Apr 18, 2016
Merged

disable csrf checking on all exception views unless explicitly turned on #2517

merged 1 commit into from
Apr 18, 2016

Conversation

mmerickel
Copy link
Member

@mmerickel mmerickel commented Apr 18, 2016
edited
Loading

Use case: User turns on auto csrf checks and registers exception views.
Issue: User must remember to turn off csrf checks on exception views or they will raise csrf errors instead of handling the original exception.
Solution in this PR: Disable csrf checks on exception views by default.
Control: User can still turn on csrf checks on exception views if they really want by setting require_csrf=True explicitly on the exception view.

Basically the csrf checks on exception views are too strict causing inadvertent raising of BadCSRFToken exceptions while handling the original exception resulting in the new csrf exception being propagated out of pyramid and up the middleware chain.

ping @dstufft @bertjwregeer

@digitalresistor
Copy link
Member

👍 This is something I ran into while working on my app, I ended up explicitly setting require_csrf on my views, so that my exception views wouldn't get touched, but this is better.

@mmerickel mmerickel force-pushed the fix/disable-csrf-on-exception-views-by-default branch from 13bf072 to 6f524a9 Compare April 18, 2016 14:40
@mmerickel mmerickel merged commit 6c16fb0 into Pylons:master Apr 18, 2016
@pyup-bot pyup-bot mentioned this pull request Feb 26, 2017
Merged
@pyup-bot pyup-bot mentioned this pull request Apr 30, 2017
Merged
@pyup-bot pyup-bot mentioned this pull request Jun 30, 2017
Merged
This was referenced Sep 29, 2017
Merged
Merged
@pyup-bot pyup-bot mentioned this pull request Dec 12, 2017
Merged
@pyup-bot pyup-bot mentioned this pull request Jun 30, 2020
Closed
@mmerickel mmerickel deleted the fix/disable-csrf-on-exception-views-by-default branch November 29, 2020 03:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mmerickel @digitalresistor