[CKAN-Security] (no subject)

Thrawn shell_layer-github at yahoo.com.au
Mon Nov 24 05:35:37 UTC 2014


Hi, folks.

I'm still not subscribed to this list, so I won't see any replies, but I thought I'd let you know that I've developed a simple CSRF protection based on double-submitting cookies.

Currently it's implemented as part of a custom plugin, so it's not something to be just applied directly to CKAN code, but it's small, and I thought reading through it might give people some ideas.

The basic algorithm is:
- Intercept the 'render' function. Generate a random token and perform string substitution to add it to all HTML forms, then also add it as a cookie.
- Intercept the BaseController '__before__' function. If the request is a POST other than the API, then check that the token is present in a cookie and in the request body.

Anyone interested in adding this to CKAN core?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: data2.csrf.diff
Type: text/x-patch
Size: 2590 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20141123/7b79d6f8/attachment.bin>
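The two-step scheme described in the message (inject a token into every form at render time and mirror it in a cookie; on a non-API POST, require the cookie and the form field to match), written out as a stand-alone Python example. This is an added illustration, not the attached data2.csrf.diff and not CKAN's own code: the field and cookie name csrf_token, the /api/ prefix used for the exemption, and the render/csrf_ok helper names are assumptions, and the HTML page at the bottom is constructed for the demo.

```python
import html
import re
import secrets
from typing import Mapping, Optional, Tuple

# Assumed names; the original patch may use different ones.
TOKEN_FIELD = "csrf_token"   # hidden form field
TOKEN_COOKIE = "csrf_token"  # cookie that mirrors the field
API_PREFIX = "/api/"         # POSTs under this prefix are exempt, as in the message

# Opening <form ...> tag, case-insensitive; the hidden field is inserted right after it.
_FORM_OPEN = re.compile(r"(<form\b[^>]*>)", re.IGNORECASE)


def generate_token(nbytes: int = 32) -> str:
    """Fresh random token from the OS CSPRNG (URL-safe alphabet, no HTML escaping needed)."""
    return secrets.token_urlsafe(nbytes)


def inject_token(page: str, token: str) -> str:
    """String substitution step: add a hidden input carrying the token to every form."""
    hidden = '<input type="hidden" name="%s" value="%s"/>' % (
        html.escape(TOKEN_FIELD, quote=True),
        html.escape(token, quote=True),
    )
    return _FORM_OPEN.sub(lambda m: m.group(1) + hidden, page)


def render(page: str, token: Optional[str] = None) -> Tuple[str, str]:
    """Stand-in for the intercepted 'render': returns (html, Set-Cookie header value).

    The same token goes into the forms and into the cookie. The cookie is deliberately
    not HttpOnly-dependent: the check only needs the browser to send it back.
    """
    token = token or generate_token()
    body = inject_token(page, token)
    cookie = "%s=%s; Path=/; SameSite=Lax" % (TOKEN_COOKIE, token)
    return body, cookie


def csrf_ok(method: str, path: str, cookies: Mapping[str, str], form: Mapping[str, str]) -> bool:
    """Stand-in for the intercepted '__before__' check.

    Only POSTs outside the API are checked; both copies of the token must be present
    and equal. compare_digest keeps the comparison constant-time.
    """
    if method.upper() != "POST":
        return True
    if path.startswith(API_PREFIX):
        return True
    cookie_tok = cookies.get(TOKEN_COOKIE)
    form_tok = form.get(TOKEN_FIELD)
    if not cookie_tok or not form_tok:
        return False
    return secrets.compare_digest(cookie_tok, form_tok)


# Constructed sample page with two forms (one lower-case, one upper-case tag).
SAMPLE_PAGE = (
    "<html><body>"
    "<form method='post' action='/dataset/new'><button>Create</button></form>"
    "<FORM method='post' action='/dataset/delete'><button>Delete</button></FORM>"
    "</body></html>"
)


def demo() -> dict:
    """Run the scheme over SAMPLE_PAGE and simulate three POSTs; returns the outcomes."""
    page, set_cookie = render(SAMPLE_PAGE, token="demo-token")
    tok = set_cookie.split(";", 1)[0].split("=", 1)[1]  # what the browser stores
    return {
        "forms_tokenised": page.count('name="csrf_token" value="demo-token"'),
        # Same-origin form submission: browser sends cookie and the injected field.
        "legit": csrf_ok("POST", "/dataset/new", {TOKEN_COOKIE: tok}, {TOKEN_FIELD: tok}),
        # Cross-site form: the browser still attaches the cookie, but the attacker's page
        # cannot read it and so cannot reproduce the field.
        "cross_site": csrf_ok("POST", "/dataset/new", {TOKEN_COOKIE: tok}, {}),
        # Attacker guesses a value: cookie and field disagree.
        "guessed": csrf_ok("POST", "/dataset/new", {TOKEN_COOKIE: tok}, {TOKEN_FIELD: "x"}),
        # API POSTs are exempt, as in the message.
        "api_exempt": csrf_ok("POST", "/api/3/action/package_create", {}, {}),
    }


if __name__ == "__main__":
    print(demo())
```

The security of the double-submit pattern rests on the attacker being unable to set or read the cookie for the site's origin. A page on a sibling subdomain of the same registrable domain can set a cookie scoped to the parent domain, and a non-HTTPS request can be injected with one by a network attacker; either lets the attacker pick both halves of the pair. Binding the token to the session (for example an HMAC over the session id with a server-side key) closes that hole while keeping the stateless check above.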

