Flask-WTF security update

From:
danjac354@gmail.com
Date:
2011-02-09 @ 18:30
As with frameworks such as Django and Ruby on Rails, Flask-WTF skipped
CSRF validation in the case of AJAX requests as it was deemed safe
enough due to browser same-domain policies. This was to make it more
convenient when writing AJAX code.

However it has since come to light that some browser plugins have made
this feature insecure. A more complete discussion can be found here:

http://www.djangoproject.com/weblog/2011/feb/08/security/

From the latest version of Flask-WTF, 0.5.2, AJAX requests will
automatically do CSRF validation in the same way as any other POST
requests. You can disable this feature by setting CSRF_ENABLED to
False in your settings or by passing csrf_enabled=False in your form
constructor, but this is entirely at your own risk and is not
recommended for production sites.

It is recommended you upgrade to the latest version of Flask-WTF (0.5.2).

Re: [flask] Flask-WTF security update

From:
Louis Wu
Date:
2011-02-11 @ 02:26
Django documented the CSRF handling in AJAX requests according to this security
update.
http://docs.djangoproject.com/en/1.2/ref/contrib/csrf/#ajax

Flask-WTF indicates the following:

"You can pass in the CSRF field manually in your AJAX request by accessing the 
csrf field in your form directly:
var params = {'csrf' : '{{ form.csrf }}'};"

Can you elaborate on it with an example?

Thanks.




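The announcement above says that from 0.5.2 an AJAX POST is validated exactly like a form POST, and the reply asks what sending the `csrf` field from AJAX looks like in practice. The following is an added example written for this archive page; it is not Flask-WTF's own code and does not use Flask at all. It is a standard-library-only model of the check: the token derivation (HMAC over a session id), the `X-Requested-With: XMLHttpRequest` header as the AJAX marker, the `csrf` form field name, the `SECRET_KEY` value and the session ids are all assumptions made for the example, and `skip_ajax=True` stands in for the pre-0.5.2 behaviour the announcement describes.

```python
import hashlib
import hmac

# Constructed secret for this example only; a real app takes it from its SECRET_KEY setting.
SECRET_KEY = b"example-secret-not-for-production"
# AJAX marker header that jQuery and similar libraries add; assumed here to be what
# the old "skip AJAX" check looked at.
AJAX_HEADER = ("X-Requested-With", "XMLHttpRequest")


def make_csrf_token(secret, session_id):
    """Per-session token: HMAC-SHA256 over the session identifier.

    The server never stores the token; it recomputes it from the session it
    trusts and compares, so a token is only valid for the session it was minted for.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_js_params(token):
    """Server-side rendering of the snippet quoted from the docs,
    var params = {'csrf': '{{ form.csrf }}'};
    The returned string is what the template would emit into the page."""
    return "var params = {'csrf': '%s'};" % token


def is_ajax(headers):
    name, value = AJAX_HEADER
    return headers.get(name) == value


def verify_csrf(method, headers, form, session_id, secret=SECRET_KEY, skip_ajax=False):
    """Decide whether a request passes CSRF validation.

    skip_ajax=True reproduces the old behaviour the announcement describes: an
    AJAX request is waved through on the strength of its header alone.
    skip_ajax=False is the 0.5.2 behaviour: every state-changing request must
    carry a token that matches the session, AJAX or not.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods are never CSRF-checked
    if skip_ajax and is_ajax(headers):
        return True  # header trusted, token not checked: the weakness
    expected = make_csrf_token(secret, session_id)
    submitted = form.get("csrf", "")
    # constant-time compare so the token cannot be recovered byte by byte from timing
    return hmac.compare_digest(submitted, expected)


def demo():
    """Run the cases that matter and return their outcomes by name."""
    session_id = "session-abc123"  # constructed session identifier
    token = make_csrf_token(SECRET_KEY, session_id)
    ajax_headers = {AJAX_HEADER[0]: AJAX_HEADER[1]}
    return {
        # ordinary form POST carrying the hidden csrf field
        "form_post_with_token": verify_csrf("POST", {}, {"csrf": token}, session_id),
        # old behaviour: AJAX POST with no token is accepted because of the header
        "old_ajax_no_token": verify_csrf("POST", ajax_headers, {}, session_id, skip_ajax=True),
        # 0.5.2 behaviour: the same request is rejected
        "new_ajax_no_token": verify_csrf("POST", ajax_headers, {}, session_id),
        # 0.5.2 behaviour: AJAX POST that sends the token from the rendered snippet passes
        "new_ajax_with_token": verify_csrf("POST", ajax_headers, {"csrf": token}, session_id),
        # a token minted for one session does not validate another
        "wrong_session": verify_csrf("POST", {}, {"csrf": token}, "session-other"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "accepted" if ok else "rejected"))
```

On the client side the quoted docs line is all that is needed: the template renders the token into `params`, and the AJAX call posts `params` along with the rest of the data, so the request carries the same `csrf` field a normal form would. The `old_ajax_no_token` case is the one the Django advisory is about: whether the request is accepted depends only on a request header, and nothing in the check ties it to the user's session.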
Re: [flask] Flask-WTF security update

From:
Louis Wu
Date:
2011-02-10 @ 13:23
Thanks for the quick update. I just saw it on the Django site yesterday.

