tgext.routes changes
Alessandro Molina
alessandro.molina at gmail.com
Wed Apr 13 10:08:35 UTC 2016
On Wed, Apr 13, 2016 at 9:42 AM, Thomas De Schampheleire <patrickdepinguin at gmail.com> wrote:
>
> >
> > (Aside: I did not look at the tgext.routes code, but I assume the
> override support is opt-in? Enabling it automatically for all applications
> could cause security issues for applications that don't have CSRF
> protection.)
>
> AFAIU there is no opt-in currently: the following lines were added
> unconditionally:
>
>     # routes middleware overrides methods using _method param.
>     if environ['REQUEST_METHOD'] == 'GET' and '_method' in state.request.GET:
>         environ['REQUEST_METHOD'] = state.request.GET['_method'].upper()
>     elif environ['REQUEST_METHOD'] == 'POST' and '_method' in state.request.POST:
>         environ['REQUEST_METHOD'] = state.request.POST['_method'].upper()
Nope, there is no opt-in.
There isn't one in routes itself either:
https://github.com/bbangert/routes/blob/master/routes/middleware.py#L61-L70
Also, even if you opt out, you can still perform CSRF in any case
by using an XMLHttpRequest or a form.
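As an added illustration (not code from tgext.routes, routes or the thread participants), here is a WSGI middleware that applies the `_method` override the way a defender would want: disabled unless explicitly enabled, honoured only in a POST body and only for an allow-listed target method, so a plain GET is never upgraded to DELETE. `SafeMethodOverride`, `effective_method` and `make_environ` are assumed names, and the environ values are constructed sample input.

```python
import io
from urllib.parse import parse_qs

# Only these methods may be reached through an override (assumed policy).
ALLOWED_OVERRIDES = {'PUT', 'PATCH', 'DELETE'}


def _form_field(environ, name):
    """Return the first value of `name` from a urlencoded POST body, or None.
    The body is re-wrapped so downstream handlers can still read it."""
    ctype = environ.get('CONTENT_TYPE', '').split(';')[0].strip()
    if ctype != 'application/x-www-form-urlencoded':
        return None
    length = int(environ.get('CONTENT_LENGTH') or 0)
    body = environ['wsgi.input'].read(length)
    environ['wsgi.input'] = io.BytesIO(body)
    return parse_qs(body.decode('utf-8')).get(name, [None])[0]


class SafeMethodOverride:
    """Opt-in method override: POST bodies only, allow-listed targets only.
    Unlike the unconditional routes behaviour, GET?_method=... is ignored."""

    def __init__(self, app, enabled=False):
        self.app = app
        self.enabled = enabled

    def __call__(self, environ, start_response):
        if self.enabled and environ['REQUEST_METHOD'] == 'POST':
            target = _form_field(environ, '_method')
            if target and target.upper() in ALLOWED_OVERRIDES:
                environ['HTTP_X_ORIGINAL_METHOD'] = 'POST'  # keep for audit logs
                environ['REQUEST_METHOD'] = target.upper()
        return self.app(environ, start_response)


def make_environ(method, query='', body=b''):
    """Minimal constructed WSGI environ (sample input, not captured traffic)."""
    return {'REQUEST_METHOD': method, 'QUERY_STRING': query,
            'CONTENT_TYPE': 'application/x-www-form-urlencoded',
            'CONTENT_LENGTH': str(len(body)), 'wsgi.input': io.BytesIO(body)}


def effective_method(environ, enabled=False):
    """Run the middleware and report which method the wrapped app actually saw."""
    seen = {}

    def app(env, start_response):
        seen['method'] = env['REQUEST_METHOD']
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'ok']

    SafeMethodOverride(app, enabled=enabled)(environ, lambda *a: None)
    return seen['method']
```

Even with the GET path closed, POST endpoints still need the application's own CSRF token, as the reply above points out; this middleware only narrows which requests can change their method.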