+1

On 9/12/11, Carl Meyer <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Jens,
>
> On 09/12/2011 10:20 AM, Jens Diemer wrote:
>>
>> I am surprised that the CSRF token sent from the client isn't validated.
>
> Well, it is sanitized to only alphanumeric characters, but you're right
> that the length is never checked.
>
>> Don't know if a DoS attack is possible by sending many requests with very
>> long CSRF tokens?
>>
>> IMHO it's a good idea to check the length before doing anything with it.
>
> Sanity-checking the length sounds reasonable to me - do you mind opening
> a ticket for this and attaching your patch?
>
> Thanks,
>
> Carl
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk5ubHQACgkQ8W4rlRKtE2frrQCgr8HhCPKaPGKyTocUGnmiU9Ku
> ekYAoNgZqJ/n4SJnd1tD2Zkpeb/+du47
> =ZWv6
> -----END PGP SIGNATURE-----
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
--
Sent from my mobile device
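The thread above describes a token handler that strips non-alphanumeric characters but never bounds the input length, so every request pays the full cost of scanning and copying whatever the client sends. The following is an added illustration of the fix Jens proposes, written for this page; it is not Django's code and not the patch from the ticket. The token length of 32, the regex, and the function names are assumptions made for the example.

```python
import hmac
import re

# Assumed for this example: a fixed-length alphanumeric CSRF token. The value
# is not taken from the thread or from Django's source.
CSRF_TOKEN_LENGTH = 32
_NON_ALNUM_RE = re.compile(r"[^a-zA-Z0-9]")


def sanitize_token_unbounded(token):
    """Behaviour described in the thread: sanitize to alphanumerics but never
    check the length. A multi-megabyte token is scanned and copied in full
    before anything else happens, which is the cost the DoS concern is about."""
    return _NON_ALNUM_RE.sub("", token)


def sanitize_token_bounded(token, expected_length=CSRF_TOKEN_LENGTH):
    """Hardened variant: reject over-long input before doing any work on it,
    then require the sanitized result to have exactly the expected length.
    Returns the cleaned token, or None when the token is rejected."""
    if not isinstance(token, str) or len(token) > expected_length:
        return None
    cleaned = _NON_ALNUM_RE.sub("", token)
    if len(cleaned) != expected_length:
        return None
    return cleaned


def tokens_match(request_token, cookie_token):
    """Compare the sanitized request token with the cookie token in constant
    time. A rejected request token (None) never matches."""
    if request_token is None or cookie_token is None:
        return False
    return hmac.compare_digest(request_token, cookie_token)


def check_request(cookie_token, submitted_token):
    """Full check as a middleware might run it: bound, sanitize, then compare."""
    return tokens_match(sanitize_token_bounded(submitted_token), cookie_token)


if __name__ == "__main__":
    # Constructed sample values, not captured from any real request.
    cookie = "a" * CSRF_TOKEN_LENGTH
    oversized = "a" * 1_000_000 + "!"
    print("unbounded sanitize processed", len(sanitize_token_unbounded(oversized)), "chars")
    print("bounded sanitize result:", sanitize_token_bounded(oversized))
    print("valid token accepted:", check_request(cookie, cookie))
```

The length check runs before the regex, so the cost of a hostile request is a single length comparison rather than work proportional to the body size; the exact-length requirement after sanitizing also rejects tokens padded with junk characters that the regex would otherwise silently drop.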
