Context Navigation

Back to Ticket #1006

Ticket #1006: csrf-path-fix.diff

File csrf-path-fix.diff, 1.5 KB (added by Peter Kuma, 10 years ago)

mediagoblin/config_spec.ini

From dbd2c266b735c01548d63704d76525f08fff100c Mon Sep 17 00:00:00 2001
From: Peter Kuma <pkuma@pixelfederation.com>
Date: Fri, 24 Oct 2014 14:44:22 +0200
Subject: [PATCH] Fix CSRF cookie path

---
 mediagoblin/config_spec.ini    |    4 ++++
 mediagoblin/meddleware/csrf.py |    2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/mediagoblin/config_spec.ini b/mediagoblin/config_spec.ini
index dade842..7cb739a 100644

                allow_attachments = boolean(default=False)
 # Cookie stuff
 csrf_cookie_name = string(default='mediagoblin_csrftoken')
+# CSRF cookie path. Set to the path of your mediagoblin installation
+# if not running under the root path of a domain.
+csrf_cookie_path = string(default='/')
 # Push stuff
 push_urls = string_list(default=list())

mediagoblin/meddleware/csrf.py

diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index 6cad6fa..914e9ca 100644

                class CsrfMeddleware(BaseMeddleware):
         response.set_cookie(
             mg_globals.app_config['csrf_cookie_name'],
             request.environ['CSRF_TOKEN'],
             path=request.environ['SCRIPT_NAME'],
+            path=mg_globals.app_config['csrf_cookie_path'],
             domain=mg_globals.app_config.get('csrf_cookie_domain'),
             secure=(request.scheme.lower() == 'https'),
             httponly=True)

Download in other formats:

Original Format

Legacy issue tracker

Context Navigation

Ticket #1006: csrf-path-fix.diff

mediagoblin/config_spec.ini

mediagoblin/meddleware/csrf.py

Download in other formats: