Opened 5 years ago

Last modified 4 years ago

#1006 new defect

CSRF cookie not set if visiting a media page directly

Reported by: Peter Kuma Owned by:
Priority: major Milestone:
Component: programming Keywords:
Cc: Parent Tickets:

Description

When visiting a media page via a direct link (i.e. without going through the main page), the CSRF cookie is not set for the root path of the domain. Consequently, when a user tries to submit a comment, it fails with 403 Forbidden:

403 Forbidden

CSRF cookie not present. This is most likely the result of a cookie blocker or somesuch.<br/>Make sure to permit the settings of cookies for this domain

The reason for this is that the CSRF middleware sets cookie path to request.environ['SCRIPT_NAME'], and the cookie is not sent when accessing the comment add page.

The issue can be fixed by introducing a new setting csrf_cookie_path, set by default to '/' and using it instead of request.environ['SCRIPT_NAME']. Django does something similar.

Attached is a patch.
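To make the failure mode concrete, the following is an added illustration (not the attached patch and not MediaGoblin code) of how a browser scopes a cookie by its Path attribute (RFC 6265 section 5.1.4), why a CSRF cookie whose Path is taken from SCRIPT_NAME can be absent on the comment submission request, and what changes when the Path comes from a csrf_cookie_path setting that defaults to '/'. The mount prefix '/gallery', the media page URL and the '/comments/add/' route are constructed values, and the cookie name 'csrftoken' is an assumption.

```python
"""Cookie Path scoping versus a CSRF cookie: added example, not project code.
SCRIPT_NAME values, URLs and the cookie name below are constructed."""
import secrets
from http.cookies import SimpleCookie


def default_path(request_path):
    """RFC 6265 section 5.1.4: the path a browser assigns to a cookie whose
    Set-Cookie header carries no usable Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: is a cookie stored with
    cookie_path attached to a request for request_path?"""
    if cookie_path == request_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/") or request_path[len(cookie_path)] == "/":
            return True
    return False


def legacy_cookie_path(environ):
    """Behaviour described in the ticket: Path taken from SCRIPT_NAME."""
    return environ.get("SCRIPT_NAME", "")


def fixed_cookie_path(config):
    """Proposed behaviour: Path taken from csrf_cookie_path, default '/'."""
    return config.get("csrf_cookie_path", "/")


def set_csrf_cookie(cookie_path, token=None):
    """Build the Set-Cookie header value a CSRF middleware would emit.
    An empty cookie_path means no Path attribute is sent at all."""
    token = token or secrets.token_urlsafe(32)
    cookie = SimpleCookie()
    cookie["csrftoken"] = token  # cookie name is an assumption
    if cookie_path:
        cookie["csrftoken"]["path"] = cookie_path
    cookie["csrftoken"]["httponly"] = True
    return cookie["csrftoken"].OutputString()


def browser_stored_path(set_cookie_header, request_path):
    """Path the browser keeps for the cookie: the Path attribute if present,
    otherwise the RFC default derived from the URL that set the cookie."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    path = cookie["csrftoken"]["path"]
    return path if path.startswith("/") else default_path(request_path)


def cookie_sent(environ, config, media_page, submit_path, use_fix):
    """Does the CSRF cookie set while viewing media_page travel with the
    later request to submit_path?"""
    cookie_path = fixed_cookie_path(config) if use_fix else legacy_cookie_path(environ)
    header = set_csrf_cookie(cookie_path, token="constructed-token")
    stored = browser_stored_path(header, media_page)
    return path_matches(stored, submit_path)


def ticket_scenario():
    """Constructed scenario: app mounted at SCRIPT_NAME '/gallery', comment
    handler served outside that prefix.  Returns (legacy_sent, fixed_sent)."""
    environ = {"SCRIPT_NAME": "/gallery", "PATH_INFO": "/u/alice/m/photo/"}
    config = {}  # csrf_cookie_path left unset, so the default '/' applies
    media_page = environ["SCRIPT_NAME"] + environ["PATH_INFO"]
    submit = "/comments/add/"
    return (cookie_sent(environ, config, media_page, submit, use_fix=False),
            cookie_sent(environ, config, media_page, submit, use_fix=True))


if __name__ == "__main__":
    legacy, fixed = ticket_scenario()
    print("cookie sent with SCRIPT_NAME path:", legacy)   # False -> 403
    print("cookie sent with csrf_cookie_path='/':", fixed)  # True
```

The `default_path` branch covers the case where SCRIPT_NAME is empty: the browser then derives the cookie's path from the media page URL that set it, which is narrower than '/' and again excludes requests to sibling paths. Pinning the Path to '/' (or to a configured prefix when the application is mounted below the domain root) removes that dependency on whichever page happened to set the cookie first.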


Attachments (1)

csrf-path-fix.diff (1.5 KB) - added by Peter Kuma 5 years ago.


Change History (3)

Changed 5 years ago by Peter Kuma

Attachment: csrf-path-fix.diff added

comment:1 Changed 5 years ago by Peter Kuma

How to reproduce:

  • Log in to MediaGoblin and open a media.
  • Clear browser history (Ctrl+Alt+Del).
  • Refresh the page.
  • Log in.
  • Submit a comment.

You should get a 403 Forbidden page.

comment:2 Changed 4 years ago by Loic Dachary

Clear browser history (Ctrl+Alt+Del).

It's Shift-Ctrl-Del ;-)

I've not been able to reproduce the problem because after login I'm redirected to the user home page and when I go back to the media page the comment works fine.
