Question

I understand that Django's comments framework was designed for anonymous public comments like you commonly see below a blog or an article. In other words, anyone can post comments.

I am using the comments framework for only allowing logged in users to display comments. What I did was modify the form.html and hide the name, URL, and email fields (leaving the security fields intact). So pretty much the user only sees a comment field. I wanted to use Django's comments since it already has some nice security features like the timestamp check, honeypot field, and anti-double-posting features. The user information is grabbed from the request.user RequestContext, and I get the user information about the comment by comment.user.get_full_name as opposed to comment.name, or comment.user.email vs comment.email.

I also started to read up about Django's CSRF protection. In most cases, people talk about how CSRF prevents hackers from, say, transferring money from a logged in user's bank account by using their cookie or something.

In my case, does CSRF prevent people from posting as other users? In other words, can a hacker create their own POST form and post under a different user.pk to fake other people?


Solution

To directly answer your question -- no, CSRF doesn't allow a hacker to pretend to be another user and submit a comment. What it could allow is an attacker to make a real, logged in user submit the comment for them.

A CSRF is an attack where someone without permission to access a resource tricks someone who does have permission into accessing it.

So, for example, CSRF protection could prevent someone from tricking a user into posting a comment with a spam or malware link in it. Alternatively, the request they trick the user into making could be malformed, made to crash your webserver, or include code meant to slip through the validation process and cause damage to your database or compromise your site in other ways.

So without CSRF protection someone could, theoretically, trick a logged in user into submitting a comment they didn't actually write.

With CSRF protection, Django will detect that it wasn't real data submitted through the actual form on your site, and will reject it.
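To make the two points of this answer concrete (a forged cross-site POST fails the token check, and a client cannot pick the comment's author by sending a user id), here is an added, simplified model of Django's double-submit CSRF check and of a comment view that takes the author from the session. This is example code, not Django's own implementation; the session store, user table, `Request` class and the `user_pk` form field are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed session store and user table: session id -> logged-in user's pk.
SESSIONS = {"sess-alice": 1}
USERS = {1: "alice", 2: "bob"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the server sees it."""
    cookies: dict
    post: dict


def issue_csrf_token() -> str:
    """Random per-session token. Django stores it in the 'csrftoken' cookie and
    renders the same value into the form through {% csrf_token %}."""
    return secrets.token_hex(32)


def csrf_check(req: Request) -> bool:
    """Double-submit check: cookie token must equal the token in the POST body.
    A cross-site page can make the browser *send* the cookie, but it cannot
    *read* it, so it cannot place the matching value in the form field."""
    cookie_tok = req.cookies.get("csrftoken", "")
    form_tok = req.post.get("csrfmiddlewaretoken", "")
    return bool(cookie_tok) and hmac.compare_digest(cookie_tok, form_tok)


def post_comment(req: Request) -> tuple[int, str]:
    """Returns (status, message). The author is resolved from the session;
    any 'user_pk' the client put in the body is never consulted."""
    if not csrf_check(req):
        return 403, "CSRF verification failed"
    user_pk = SESSIONS.get(req.cookies.get("sessionid", ""))
    if user_pk is None:
        return 401, "login required"
    return 200, f"comment by {USERS[user_pk]}: {req.post.get('comment', '')}"


def demo() -> tuple[tuple[int, str], tuple[int, str], tuple[int, str]]:
    tok = issue_csrf_token()
    cookies = {"sessionid": "sess-alice", "csrftoken": tok}  # browser sends both
    legit = post_comment(Request(cookies, {"csrfmiddlewaretoken": tok, "comment": "hi"}))
    # Forged cross-site POST: cookies ride along, but the form token is a guess.
    forged = post_comment(Request(cookies, {"csrfmiddlewaretoken": "guess", "comment": "spam"}))
    # Valid token but a spoofed identity field: the author is still the session user.
    spoof = post_comment(Request(cookies, {"csrfmiddlewaretoken": tok, "user_pk": 2, "comment": "x"}))
    return legit, forged, spoof
```

Django's real token is additionally masked per response and also checks the Referer/Origin on secure requests, but the property shown here is the same: the token proves the POST came from a form rendered by your site, while the author comes from the authenticated session.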

License: CC-BY-SA Attribution
Not affiliated with StackOverflow