From dbd2c266b735c01548d63704d76525f08fff100c Mon Sep 17 00:00:00 2001
From: Peter Kuma <pkuma@pixelfederation.com>
Date: Fri, 24 Oct 2014 14:44:22 +0200
Subject: [PATCH] Fix CSRF cookie path

---
 mediagoblin/config_spec.ini    |    4 ++++
 mediagoblin/meddleware/csrf.py |    2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/mediagoblin/config_spec.ini b/mediagoblin/config_spec.ini
index dade842..7cb739a 100644
--- a/mediagoblin/config_spec.ini
+++ b/mediagoblin/config_spec.ini
@@ -86,6 +86,10 @@ allow_attachments = boolean(default=False)
 # Cookie stuff
 csrf_cookie_name = string(default='mediagoblin_csrftoken')
 
+# CSRF cookie path. Set to the path of your mediagoblin installation
+# if not running under the root path of a domain.
+csrf_cookie_path = string(default='/')
+
 # Push stuff
 push_urls = string_list(default=list())
 
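Review bot: The comment on `csrf_cookie_path` does not say what the default of `/` means for cookie scope. A cookie with path `/` is sent with every request to the host, so on a domain that also serves other applications the CSRF token reaches them, and they can set a cookie of the same name. I would spell that out in the spec, for example `# The default '/' sends the cookie to every path on this host; if the host is shared` followed by `# with other applications, set this to the MediaGoblin mount point (e.g. '/mediagoblin').` The spec also accepts any string, so a value without a leading slash is not caught at config validation.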
diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index 6cad6fa..914e9ca 100644
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@@ -105,7 +105,7 @@ class CsrfMeddleware(BaseMeddleware):
         response.set_cookie(
             mg_globals.app_config['csrf_cookie_name'],
             request.environ['CSRF_TOKEN'],
-            path=request.environ['SCRIPT_NAME'],
+            path=mg_globals.app_config['csrf_cookie_path'],
             domain=mg_globals.app_config.get('csrf_cookie_domain'),
             secure=(request.scheme.lower() == 'https'),
             httponly=True)
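Review bot: With the spec default of `/`, an instance mounted under a sub-path no longer gets its CSRF cookie scoped to `SCRIPT_NAME`; it is scoped to the whole host unless the operator sets the new option, which widens where the token is sent. If the bug being fixed is the empty `SCRIPT_NAME` at the domain root (my reading; the commit message does not say), the narrower scope could stay as the fallback: `path=mg_globals.app_config.get('csrf_cookie_path') or request.environ.get('SCRIPT_NAME') or '/',` with the spec default changed to `string(default=None)`. The enclosing method starts above this hunk, so how `CSRF_TOKEN` is produced and checked is not visible here.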
-- 
1.7.10.4

