CSRF protection for /-/messages tool and writable canned queries #793

Closed
simonw opened this issue Jun 2, 2020 · 3 comments
Comments

simonw (Owner) commented Jun 2, 2020

The /-/messages debug tool will need CSRF protection or people will be able to add messages using a hidden form on another website.
Originally posted by @simonw in #790 (comment)

@simonw simonw added the small label Jun 2, 2020
@simonw simonw added this to the Datasette 1.0 milestone Jun 2, 2020
simonw (Owner, Author) commented Jun 2, 2020

This is a minor security issue with master at the moment, but I'll resolve this before I ship the next release.

@simonw simonw added the security label Jun 2, 2020
@simonw simonw changed the title CSRF protection for /-/messages debug tool CSRF protection for /-/messages tool and writable canned queries Jun 3, 2020
simonw (Owner, Author) commented Jun 3, 2020

I need this for writable canned queries in #698 and #796 too.

simonw (Owner, Author) commented Jun 3, 2020

I need to land and release the fix for signing cookies in simonw/asgi-csrf#2

simonw added a commit that referenced this issue Jun 5, 2020
@simonw simonw mentioned this issue Jun 5, 2020
simonw added a commit that referenced this issue Jun 5, 2020
- Use new csrftoken() function, refs simonw/asgi-csrf#7
- Check for Vary: Cookie header, refs simonw/asgi-csrf#8

Refs #793 and #798
@simonw simonw closed this as completed in 84a9c4f Jun 5, 2020
@simonw simonw modified the milestones: Datasette 1.0, Datasette 0.44 Jun 6, 2020
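The first comment describes the risk (a hidden form on another site posting to /-/messages with the victim's cookies attached) and the closing commit names the two defences that landed: a signed csrftoken() and a check that pages carrying the token send `Vary: Cookie`. The block below is an added, self-contained illustration of those two checks and is not Datasette's or asgi-csrf's own code; the secret, cookie/field names, request shape and the `response_is_cache_safe` helper are assumptions made for the example. It uses the double-submit pattern: the token is signed with a server secret, set as a cookie, echoed in the form, and an unsafe request is accepted only when the form value matches a validly signed cookie value. A cross-site form can cause the browser to send the cookie but cannot read it, so it cannot supply a matching field.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Assumed secret for the example; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
COOKIE_NAME = "csrftoken"   # assumed cookie name
FORM_FIELD = "csrftoken"    # assumed form field name
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def _sign(raw: str) -> str:
    """HMAC-SHA256 over the random part so a token cannot be forged without the secret."""
    return hmac.new(SECRET_KEY, raw.encode(), hashlib.sha256).hexdigest()


def issue_csrftoken() -> str:
    """Mint a fresh signed token: <random>.<signature>. Set it as a cookie and embed it in forms."""
    raw = secrets.token_urlsafe(16)
    return f"{raw}.{_sign(raw)}"


def verify_signed(token: str) -> bool:
    """True only if the signature part was produced with SECRET_KEY over the random part."""
    raw, _, sig = token.rpartition(".")
    if not raw or not sig:
        return False
    return hmac.compare_digest(sig, _sign(raw))


def csrf_check(method: str, headers: dict, body: bytes) -> tuple:
    """Double-submit check for one request.

    headers: lower-cased request header names to values (constructed dict for the example).
    body: URL-encoded form body. Returns (allowed, reason).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"

    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    cookie_token = cookies[COOKIE_NAME].value if COOKIE_NAME in cookies else None
    if cookie_token is None or not verify_signed(cookie_token):
        return False, "missing or unsigned csrftoken cookie"

    submitted = parse_qs(body.decode("utf-8", errors="replace")).get(FORM_FIELD, [None])[0]
    if submitted is None:
        # This is the cross-site hidden-form case: cookie present, field absent.
        return False, "form is missing the csrftoken field"
    if not hmac.compare_digest(submitted, cookie_token):
        return False, "form token does not match cookie token"
    return True, "ok"


def response_is_cache_safe(response_headers: dict) -> bool:
    """A page that embeds a per-user token must send Vary: Cookie so a shared cache
    never serves one user's token (or their flash messages) to another."""
    vary = response_headers.get("vary", "")
    return "cookie" in [part.strip().lower() for part in vary.split(",")]


if __name__ == "__main__":
    token = issue_csrftoken()
    same_site = csrf_check("POST", {"cookie": f"{COOKIE_NAME}={token}"},
                           f"message=hello&{FORM_FIELD}={token}".encode())
    cross_site = csrf_check("POST", {"cookie": f"{COOKIE_NAME}={token}"},
                            b"message=injected")
    print("same-site form:", same_site)
    print("cross-site hidden form:", cross_site)
    print("Vary: Cookie present:", response_is_cache_safe({"vary": "Cookie"}))
```

`csrf_check` takes constructed header and body values so it runs offline; in an ASGI middleware the same logic would read `scope["headers"]` and the received body. The `Vary: Cookie` check belongs on the response side for any page that renders the token or the messages list.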