Django's comments framework and CSRF

Submitted by 醉酒当歌 on 2019-12-10 10:47:48

Question


I understand that Django's comments framework was designed for anonymous public comments like you commonly see below a blog or an article. In other words, anyone can post comments.

I am using the comments framework for only allowing logged in users to display comments. What I did was modify the form.html and hide the name, URL, and email fields (leaving the security fields intact). So pretty much the user only sees a comment field. I wanted to use Django's comments since it already has some nice security features like the timestamp check, honeypot field, and anti-double-posting features. The user information is grabbed from the request.user RequestContext and I get the user information about the comment by comment.user.get_full_name as opposed to comment.name, or comment.user.email vs comment.email.

I also started to read up about Django's CSRF protection. In most cases, people talk about how CSRF prevents hackers from, say, transferring money from a logged in user's bank account by using their cookie or something.

In my case, does CSRF prevent people from posting as other users? In other words, can a hacker create their own POST form and post under a different user.pk to fake other people?


Answer 1:


To directly answer your question -- no, CSRF doesn't allow a hacker to pretend to be another user and submit a comment. What it could allow is an attacker to make a real, logged in user submit the comment for them.

A CSRF is an attack where someone without permission to access a resource tricks someone who does have permission into accessing it.

So, for example, CSRF protection could prevent someone from tricking a user into posting a comment with a spam or malware link in it. Alternatively, the request they trick the user into making could be malformed, made to crash your webserver, or include code meant to slip through the validation process and cause damage to your database or compromise your site in other ways.

So without CSRF protection someone could, theoretically, trick a logged in user into submitting a comment they didn't actually write.

With CSRF protection, Django will detect that it wasn't real data submitted through the actual form on your site, and will reject it.
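The two points the answer makes, that the CSRF token stops a third-party page from submitting the form with the victim's browser, and that the commenter's identity should come from the server-side session rather than from anything in the POST body, can be seen in a small stand-alone model of the check. This is an added example, not code from the question, the answer, or Django itself; it reduces Django's CsrfViewMiddleware to the plain synchroniser-token pattern (one token bound to the session, echoed in a hidden `csrfmiddlewaretoken` field), and the `SESSIONS` store, `Request`, `Session`, `login` and `post_comment` names are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed in-memory session store, keyed by the session cookie value.
# In Django the session cookie identifies the logged-in user; the CSRF token
# is carried separately (cookie plus hidden form field). Here both live on
# the session object to keep the model small.
SESSIONS: Dict[str, "Session"] = {}


@dataclass
class Session:
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal model of an incoming POST: request cookies and form fields."""
    cookies: Dict[str, str]
    post: Dict[str, str]


def login(user_id: int) -> str:
    """Create a session for user_id and return the session id (cookie value)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user_id=user_id)
    return sid


def csrf_check(request: Request) -> bool:
    """Synchroniser-token check, the idea behind Django's CsrfViewMiddleware:
    the token in the hidden form field must match the one bound to the session.
    A page on another origin cannot read that token, so a form it submits
    through the victim's browser arrives without it and is rejected."""
    session = SESSIONS.get(request.cookies.get("sessionid", ""))
    if session is None:
        return False
    submitted = request.post.get("csrfmiddlewaretoken", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(submitted, session.csrf_token)


def post_comment(request: Request) -> Optional[dict]:
    """Comment view. Returns None where Django would answer 403 Forbidden.

    The author is taken from the session, never from the form: a client may
    put any "user" value in the POST body, and it is simply ignored. This is
    what actually prevents posting under another user's pk; the CSRF token
    only prevents cross-site submission of the genuine user's own comment."""
    if not csrf_check(request):
        return None
    session = SESSIONS[request.cookies["sessionid"]]
    return {"user_id": session.user_id, "comment": request.post.get("comment", "")}


if __name__ == "__main__":
    sid = login(42)
    token = SESSIONS[sid].csrf_token
    genuine = Request({"sessionid": sid}, {"csrfmiddlewaretoken": token, "comment": "hi"})
    print("genuine form:", post_comment(genuine))
    # A cross-site form rides on the victim's cookie but cannot supply the token.
    cross_site = Request({"sessionid": sid}, {"comment": "spam link"})
    print("cross-site form:", post_comment(cross_site))
```

Running the block prints the accepted comment attributed to user 42 and `None` for the cross-site submission. Note that a POST carrying a foreign `user` field with a valid token is still accepted, but attributed to the session user, which is the behaviour the question is really asking about.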



Source: https://stackoverflow.com/questions/9987678/djangos-comments-framework-and-csrf
