Donald Stufft
2016-04-15 f12005b92fa9bb33f082bd50747eb11791605cff
author Donald Stufft <donald@stufft.io>
Friday, April 15, 2016 23:41 +0200
committer Donald Stufft <donald@stufft.io>
Saturday, April 16, 2016 00:31 +0200
commit f12005b92fa9bb33f082bd50747eb11791605cff
tree ba171caede0f861a5ded96309615b10351a7484b
parent bf33b200bbb72114ca55150724b0a4c51d7ef335
Only Accept CSRF Tokens in headers or POST bodies

Previously `check_csrf_token` would allow passing in a CSRF token through the
URL of a request. However, this is a security issue because a CSRF token
must not be allowed to leak, and URLs regularly get copy/pasted or otherwise
end up leaking to the outside world.
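As an added illustration, not part of this commit or of Pyramid's own code: a minimal stand-in request model showing the pre-fix lookup, which reads the token from the merged query-string/body `params`, beside the fixed lookup that only consults the `X-CSRF-Token` header or the POST body. The `Request` class, the `_before`/`_after` function names and the `session_token` attribute are assumptions made for this demo.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for a WebOb-style request (assumed shape, not Pyramid's class)."""
    method: str = "GET"
    headers: dict = field(default_factory=dict)
    GET: dict = field(default_factory=dict)    # query-string parameters
    POST: dict = field(default_factory=dict)   # form-encoded body parameters
    session_token: str = ""                    # token the server stored in the session

    @property
    def params(self):
        # Merged view of query string and body, mirroring WebOb's request.params.
        merged = dict(self.GET)
        merged.update(self.POST)
        return merged


def check_csrf_token_before(request, token="csrf_token", header="X-CSRF-Token"):
    """Pre-fix behaviour: params includes the query string, so a token placed in
    the URL is accepted; such URLs end up in logs, Referer headers and pastes."""
    supplied = request.params.get(token, request.headers.get(header, ""))
    return hmac.compare_digest(request.session_token.encode(), supplied.encode())


def check_csrf_token_after(request, token="csrf_token", header="X-CSRF-Token"):
    """Fixed behaviour: only the header or the POST body may carry the token."""
    supplied = request.headers.get(header, "")
    if supplied == "":
        supplied = request.POST.get(token, "")
    return hmac.compare_digest(request.session_token.encode(), supplied.encode())


SECRET = "constructed-session-token"  # constructed sample value


def demo():
    """Exercise both checks on constructed requests; returns a dict of outcomes."""
    in_url = Request(GET={"csrf_token": SECRET}, session_token=SECRET)
    in_header = Request(method="POST", headers={"X-CSRF-Token": SECRET}, session_token=SECRET)
    in_body = Request(method="POST", POST={"csrf_token": SECRET}, session_token=SECRET)
    return {
        "url_before": check_csrf_token_before(in_url),      # True: the leak path
        "url_after": check_csrf_token_after(in_url),        # False: now rejected
        "header_after": check_csrf_token_after(in_header),  # True
        "body_after": check_csrf_token_after(in_body),      # True
    }
```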
6 files modified, 65 lines changed
docs/narr/sessions.rst (7)
docs/narr/viewconfig.rst (2)
pyramid/session.py (26)
pyramid/tests/test_config/test_views.py (7)
pyramid/tests/test_session.py (9)
pyramid/tests/test_viewderivers.py (14)