[damned-lies] Protect forms against CSRF (Fixes #685165)



commit 203bfb0d161d96677839ade3c5f60291f1282f2d
Author: Claude Paroz <claude 2xlibre net>
Date:   Mon Oct 1 11:32:37 2012 +0200

    Protect forms against CSRF (Fixes #685165)

 settings.py                                        |    1 +
 templates/base.html                                |    1 +
 templates/login.html                               |    2 ++
 templates/module_edit_branches.html                |    1 +
 templates/people/person_detail.html                |    1 +
 templates/people/person_detail_change_form.html    |    1 +
 templates/people/person_password_change_form.html  |    1 +
 templates/people/person_team_join_form.html        |    1 +
 templates/people/person_team_membership.html       |    1 +
 templates/registration/password_reset_confirm.html |    1 +
 templates/registration/register.html               |    1 +
 templates/teams/team_detail.html                   |    1 +
 templates/teams/team_edit.html                     |    1 +
 templates/vertimus/vertimus_detail.html            |    1 +
 14 files changed, 15 insertions(+), 0 deletions(-)
---
diff --git a/settings.py b/settings.py
index 90d6dff..b3a25f2 100644
--- a/settings.py
+++ b/settings.py
@@ -116,6 +116,7 @@ MIDDLEWARE_CLASSES = (
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.locale.LocaleMiddleware',
     'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.transaction.TransactionMiddleware',
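Review bot: Enabling CsrfViewMiddleware only closes the hole if every view that renders the templates touched by this commit builds its context with RequestContext (`render()` or `render_to_response(..., context_instance=RequestContext(request))`); otherwise `{% csrf_token %}` expands to nothing and every legitimate submission is rejected with a 403. None of those views are in this diff, so that is worth checking before deploying. If any endpoint is intentionally posted to from another origin, mark that single view `@csrf_exempt` rather than loosening the middleware.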
diff --git a/templates/base.html b/templates/base.html
index 2ad3bf8..f491214 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -38,6 +38,7 @@
                 <a class="root" href="http://www.gnome.org/";>GNOME.org</a>
                 {% if user.is_authenticated %}
                     <form action="{% url 'login' %}" method="post">
+                        {% csrf_token %}
                         <a href="{{ user.get_absolute_url }}"><img src="{{ STATIC_URL }}img/nobody-16.png" alt="Person">&nbsp;{{ user.person }}</a> &bull;
                         <input type="hidden" name="logout" value="1">
                         <input type="submit" value="{% trans 'Log out' %}">
diff --git a/templates/login.html b/templates/login.html
index a69cb00..f26fba9 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -15,6 +15,7 @@
 
 <p>{% trans 'Log in with your username and password:' %}</p>
 <form action="{% url 'login' %}" method="post" id="login-form" class="login">
+  {% csrf_token %}
   <div class="form-row">
     <label for="id_username">{% trans 'Username:' %}</label> <input type="text" name="username" id="id_username" />
   </div>
@@ -34,6 +35,7 @@
 {% if openid_path %}
     <p>{% trans 'Or use your OpenID:' %}</p>
     <form action="{{ openid_path }}" method="post" id="openid-login-form" class="login">
+      {% csrf_token %}
       <div class="form-row">
         <label for="id_openid_identifier"><img src="{% url 'openid-logo' %}" alt=""> {% trans 'OpenID:' %}</label> <input type="text" name="openid_identifier" id="id_openid_identifier" />
       </div>
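Review bot: The `{% csrf_token %}` added to the OpenID form is posted to `{{ openid_path }}`, whose value is not visible here; a CSRF token must only ever be submitted to a same-origin URL, since it would otherwise be handed to a third party together with the session it is bound to. If `openid_path` is always a local route, as its name suggests, this is fine; if it can ever be an absolute URL, render the token only for the local case or switch the action to a `{% url %}` lookup. The username/password form in the preceding hunk posts to `{% url 'login' %}` and needs no change.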
diff --git a/templates/module_edit_branches.html b/templates/module_edit_branches.html
index ed79ce4..32713c5 100644
--- a/templates/module_edit_branches.html
+++ b/templates/module_edit_branches.html
@@ -14,6 +14,7 @@
 {% endif %}
 
 <form action="#" method="POST" class="djform">
+{% csrf_token %}
 <table>
 <tr><td><h4>{% trans "Branch" %}</h4></td><td><h4>{% trans "Release" %}</h4></td><td><h4>{% trans "Category" %}</h4></td></tr>
 {% for field1, field2 in form.get_branches %}
diff --git a/templates/people/person_detail.html b/templates/people/person_detail.html
index 63c458e..5e1b00d 100644
--- a/templates/people/person_detail.html
+++ b/templates/people/person_detail.html
@@ -23,6 +23,7 @@ $(document).ready(function()
   <br clear="right" />
   <div id="language_menu">
     <form action="/i18n/setlang/" method="post">
+      {% csrf_token %}
       <h2>{% trans "Site Language" %}</h2>
       <select name="language">
       {% for lang in all_languages %}
diff --git a/templates/people/person_detail_change_form.html b/templates/people/person_detail_change_form.html
index 36d30b8..6f95d8a 100644
--- a/templates/people/person_detail_change_form.html
+++ b/templates/people/person_detail_change_form.html
@@ -7,6 +7,7 @@
 <h2>{% trans "Change your details" %}</h2>
 
 <form action="" method="POST" class="djform">
+  {% csrf_token %}
   <table>
     {{ form.as_table }}
     <tr>
diff --git a/templates/people/person_password_change_form.html b/templates/people/person_password_change_form.html
index 86f4553..ae33883 100644
--- a/templates/people/person_password_change_form.html
+++ b/templates/people/person_password_change_form.html
@@ -8,6 +8,7 @@
 <p>{% trans "Please enter your old password, for security's sake, and then enter your new password twice so we can verify you typed it in correctly." %}</p>
 
 <form action="" method="post" class="djform">
+  {% csrf_token %}
   <table>
   <tr>
     <td colspan="2">{{ form.old_password.errors }}</td>
diff --git a/templates/people/person_team_join_form.html b/templates/people/person_team_join_form.html
index 4f4abef..5a7a7ec 100644
--- a/templates/people/person_team_join_form.html
+++ b/templates/people/person_team_join_form.html
@@ -8,6 +8,7 @@
 <h2>{% trans "Join a new team" %}</h2>
 
 <form action="" method="POST">
+  {% csrf_token %}
   <p><em>{% trans "I would like to join the following team as 'translator':" %}</em><br />
     {{ form.teams }}
     <input type="submit" value="{% trans "Join" %}">
diff --git a/templates/people/person_team_membership.html b/templates/people/person_team_membership.html
index 8673085..9a0f2bb 100644
--- a/templates/people/person_team_membership.html
+++ b/templates/people/person_team_membership.html
@@ -10,6 +10,7 @@
   <li>{% blocktrans with role.team|linked_with:role.team.get_description|safe as team_name %}Member of {{ team_name }} team ({{ role_name }}){% endblocktrans %}
       {% if on_own_page %}
       <form class="inline" method="GET" action="{% url 'person_team_leave' role.team.name %}">
+        {% csrf_token %}
         <input type="submit" value="{% trans "Leave" %}"
                onClick="javascript:return confirm('{% trans "Are you sure you want to leave the team?" %}')">
       </form>
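Review bot: The Leave form that receives this token still uses `method="GET"`, so CsrfViewMiddleware never checks it and a state-changing action (leaving a team) stays forgeable by any cross-site link or image; worse, the token is now sent in the query string, where it ends up in server logs and Referer headers. Change the form to `<form class="inline" method="POST" action="{% url 'person_team_leave' role.team.name %}">` and have the `person_team_leave` view reject anything but POST. That view is outside this diff, so I cannot confirm which methods it accepts today.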
diff --git a/templates/registration/password_reset_confirm.html b/templates/registration/password_reset_confirm.html
index a293fbb..316708f 100644
--- a/templates/registration/password_reset_confirm.html
+++ b/templates/registration/password_reset_confirm.html
@@ -12,6 +12,7 @@
 <p>{% trans "Please enter your new password twice so we can verify you typed it in correctly." %}</p>
 
 <form action="" method="post">
+{% csrf_token %}
 {% if form.new_password1.errors %}{{ form.new_password1.errors }}{% endif %}
 <p class="aligned wide"><label for="id_new_password1">{% trans 'New password:' %}</label>{{ form.new_password1 }}</p>
 {% if form.new_password2.errors %}{{ form.new_password2.errors }}{% endif %}
diff --git a/templates/registration/register.html b/templates/registration/register.html
index a4ca770..8ee96ee 100644
--- a/templates/registration/register.html
+++ b/templates/registration/register.html
@@ -14,6 +14,7 @@
 <p>{% trans "After registration and connection, you will be able to join an existing team from your profile page." %}</p>
 
 <form action="/register/" method="post" id="login-form" class="login">
+  {% csrf_token %}
   <div class="form-row">
     {{ form.username.errors }}
     <label for="id_username">{{ form.username.label }}</label> {{ form.username }} <span class="help">{{ form.username.help_text }}</span>
diff --git a/templates/teams/team_detail.html b/templates/teams/team_detail.html
index 562e99d..de9e2a3 100644
--- a/templates/teams/team_detail.html
+++ b/templates/teams/team_detail.html
@@ -84,6 +84,7 @@ $(document).ready(function() {
 
         {% if group.form %}
         <form action="#" method="POST">
+        {% csrf_token %}
         <ul>
         {% for field in group.form.get_fields %}
           <li>{{ field.label|safe }} {{ field }}</li>
diff --git a/templates/teams/team_edit.html b/templates/teams/team_edit.html
index b64f1b1..e3be824 100644
--- a/templates/teams/team_edit.html
+++ b/templates/teams/team_edit.html
@@ -16,6 +16,7 @@ $(document).ready(function() {
 <h1>{% blocktrans with team.get_description as lang %}{{ lang }} Translation Team{% endblocktrans %}</h1>
 
 <form action="#" method="POST" class="djform">
+{% csrf_token %}
 <table>
   {% if form.coordinatorship %}
   <tr><th>{{ form.coordinatorship.label }}:</th>
diff --git a/templates/vertimus/vertimus_detail.html b/templates/vertimus/vertimus_detail.html
index 73bd315..c8a3208 100644
--- a/templates/vertimus/vertimus_detail.html
+++ b/templates/vertimus/vertimus_detail.html
@@ -226,6 +226,7 @@ $(document).ready(function() {
       {% endfor %}
     </script>
 
+    {% csrf_token %}
     <table>
       {{ action_form.action|as_tr }}
       {{ action_form.comment|as_tr }}
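Review bot: The `<form>` that this `{% csrf_token %}` belongs to opens before the hunk, so I cannot confirm the hidden input lands inside the form element rather than between the `</script>` and a `<form>` opened further down; a token rendered outside the form is not submitted and every action post would then 403. If the script block above submits the action form or issues other POSTs via jQuery AJAX, those requests also need the token in an `X-CSRFToken` header or in the request body, which the template tag alone does not provide.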


