Hi Larry,
On 12/08/2014 07:14 AM, Larry Martell wrote:
> On Sat, Dec 6, 2014 at 1:41 AM, James Schneider <jrschneider83@gmail.com> wrote:
>> Check out Collin's email from earlier, it has an example using curl but you
>> should be able to adapt your web request with the cookie and POST values via
>> the python script. The cookie and POST values for the CSRF token can be
>> anything, they just need to match.
>>
>> https://groups.google.com/d/msgid/django-users/fb6e54a8-c9e7-45f7-882f-bc05c8ee90d2%40googlegroups.com?utm_medium=email&utm_source=footer
>
> Thanks. This is very simple. So simple I didn't even think of this.
> But then can't anyone override the CSRF protection very easily?
This is explained in the link to a previous thread that I posted above.
The CSRF protection works because malicious JS can't control the value
of the CSRF cookie submitted by your browser.
Carl
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/5485D578.9060201%40oddbird.net.
For more options, visit https://groups.google.com/d/optout.
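A small model of the check Carl describes, added here as an illustration and not code from the thread or from Django itself: the server compares the csrftoken cookie with the csrfmiddlewaretoken POST field, so a test script that sets both to the same arbitrary value is accepted, while a form on another origin is rejected because the browser attaches the victim's real cookie, which that origin can neither read nor overwrite. The request dicts, host name and token values are constructed for the example.

```python
import hmac
import re
from urllib.parse import urlsplit

_NON_ALNUM = re.compile(r"[^a-zA-Z0-9]")

def sanitize_token(token):
    # Django keeps only alphanumerics and caps the length (modelled here).
    return _NON_ALNUM.sub("", token or "")[:32]

def csrf_check(request):
    """Model of Django's double-submit check on a constructed request dict
    (scheme, host, headers, cookies, post). Returns (accepted, reason)."""
    cookie_token = sanitize_token(request["cookies"].get("csrftoken"))
    if not cookie_token:
        return False, "CSRF cookie not set"
    if request["scheme"] == "https":
        # Over HTTPS Django additionally requires a same-host Referer.
        referer = request["headers"].get("Referer", "")
        if urlsplit(referer).netloc != request["host"]:
            return False, "Referer checking failed"
    request_token = (request["post"].get("csrfmiddlewaretoken")
                     or request["headers"].get("X-CSRFToken", ""))
    # Constant-time comparison of cookie value and submitted value.
    if not hmac.compare_digest(cookie_token, sanitize_token(request_token)):
        return False, "CSRF token missing or incorrect"
    return True, "ok"

def own_script_request():
    # Larry's test script sets both the cookie and the POST field itself,
    # so any matching value (the constructed "abc123") is accepted.
    return {"scheme": "http", "host": "app.example", "headers": {},
            "cookies": {"csrftoken": "abc123"},
            "post": {"csrfmiddlewaretoken": "abc123", "name": "larry"}}

def cross_site_request():
    # A form on another origin posts to app.example. The victim's browser
    # attaches the victim's real csrftoken cookie (constructed value), which
    # the other origin can neither read nor overwrite; it only controls the
    # form field, so the two values differ and the request is rejected.
    return {"scheme": "http", "host": "app.example", "headers": {},
            "cookies": {"csrftoken": "k3Yv7QpL2mNx8RcT4WsZ"},
            "post": {"csrfmiddlewaretoken": "abc123", "name": "larry"}}

if __name__ == "__main__":
    for name, req in (("own script", own_script_request()),
                      ("cross-site form", cross_site_request())):
        print(name, csrf_check(req))
```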