Opened 7 years ago

Last modified 7 years ago

#29252 closed Bug

Add CSRF protection to LogoutView — at Initial Version

Reported by: Filip Dimitrovski Owned by: nobody
Component: contrib.auth Version: dev
Severity: Normal Keywords: denial of service, csrf
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

The current implementation in django.contrib.auth.views.LogoutView allows both GET and POST requests without any CSRF protection. A simple

   <img src="http://djangoapp/logout" />

on an exploit page could log out the user. While this is a low security risk, it's still a DoS issue and could prevent the user from using the app.

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top