csrfmiddlewaretoken confuses Launchpad
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | Medium | David Owen |
Bug Description
The production OpenID provider appears to have the Django cross site
request forgery (XSRF) protection middleware enabled, which interacts
poorly with Launchpad's OpenID client.
The middleware generates a token (csrfmiddlewaretoken) to protect against
XSRF attacks and inserts it into every form. Unfortunately that
includes the form that is generated when the OpenID return_to URL is
longer than some browsers can handle (e.g., when attempting to log in
from this page:
https:/
Since the Launchpad OpenID client verifies that no form values have been
injected as a security precaution, this behavior prevents logging in
on pages with very long URLs (see bug 597324).
As a short-term work-around, Launchpad is ignoring the
csrfmiddlewaretoken field when verifying the OpenID response.
The XSRF protection can be disabled on a per-page basis using the
@csrf_exempt decorator (see http://
for details).
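To make the interaction concrete, here is an added Python simulation (not code from Launchpad, Django or the identity provider) of the three pieces the report describes: a response-processing middleware that injects csrfmiddlewaretoken into every POST form, the relying-party check that rejects any non-openid.* field that return_to did not carry, and the Launchpad work-around of ignoring that one field. The URL, form and token values are constructed, and the `exempt` flag stands in for marking the response exempt.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data: a long return_to URL (what the RP sends) and the
# auto-submitting POST form the provider emits when that URL is too long
# for a GET redirect. The openid.* fields are a minimal illustrative subset.
RETURN_TO = ("https://launchpad.example/+openid-callback"
             "?starting_url=/a/very/long/path&janrain_nonce=2010-06-01T00Z")
OPENID_FORM = (
    '<form method="post" action="%s">\n'
    '<input type="hidden" name="openid.mode" value="id_res"/>\n'
    '<input type="hidden" name="openid.return_to" value="%s"/>\n'
    "</form>" % (RETURN_TO, RETURN_TO)
)
CSRF_TOKEN = "deadbeef"  # constructed token value


def inject_csrf_token(html, token, exempt=False):
    """Mimic a response-processing CSRF middleware: unless the response is
    marked exempt, add the hidden token field to every POST form."""
    if exempt:
        return html
    field = '<input type="hidden" name="csrfmiddlewaretoken" value="%s"/>' % token
    return re.sub(r'(<form[^>]*method="post"[^>]*>)',
                  lambda m: m.group(1) + "\n" + field, html)


def submit_form(html):
    """Simulate the browser POST: the RP sees the action URL's query
    arguments merged with the hidden form fields."""
    action = re.search(r'action="([^"]*)"', html).group(1)
    args = dict(parse_qsl(urlsplit(action).query))
    for name, value in re.findall(r'name="([^"]*)" value="([^"]*)"', html):
        args[name] = value
    return args


def verify_return_to_args(args, ignore=()):
    """RP-side check: every return_to query argument must be echoed back
    unchanged, and no non-openid.* argument may appear that return_to did
    not carry. `ignore` is the work-around of skipping a named field."""
    expected = dict(parse_qsl(urlsplit(args["openid.return_to"]).query))
    for name, value in expected.items():
        if args.get(name) != value:
            return False  # a return_to argument was dropped or altered
    for name in args:
        if name.startswith("openid.") or name in ignore:
            continue
        if name not in expected:
            return False  # an extra field was injected into the form
    return True
```

Running the three variants shows the bug (injected token rejected), the Launchpad work-around (token ignored) and the provider-side fix (response exempt, so no token is injected).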
Related branches
- Ricardo Kirkner (community): Approve
- Diff: 89 lines (+63/-2), 2 files modified
  - identityprovider/tests/test_middleware.py (+60/-2)
  - identityprovider/views/server.py (+3/-0)
Changed in canonical-isd-qa: | |
milestone: | none → canonical-identity-provider+2.8.0 |
Changed in canonical-identity-provider: | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in canonical-isd-qa: | |
importance: | Undecided → Medium |
Changed in canonical-identity-provider: | |
assignee: | nobody → David Owen (dsowen) |
status: | Triaged → In Progress |
Changed in canonical-identity-provider: | |
status: | In Progress → Fix Committed |
Changed in canonical-isd-qa: | |
status: | New → Fix Committed |
status: | Fix Committed → Confirmed |
assignee: | nobody → Dave Morley (davmor2) |
Changed in canonical-identity-provider: | |
status: | Fix Committed → Fix Released |
Thanks for the report!
The view is overloaded, so a decorator won't work. We'll have to set the property on the response directly. server.py:508, where we set content-type for openid post responses, looks like the right place.
Because the view is overloaded, we'll need to add some additional automated tests to make sure we don't lose CSRF protection on the other aspects.