Skip to content

Commit

Permalink
Update internal link for sphinx 1.3.x. refs: #1 #2
Browse files Browse the repository at this point in the history
  • Loading branch information
Surgo committed Oct 13, 2012
1 parent 4d7f9c9 commit 7135135
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 15 deletions.
2 changes: 1 addition & 1 deletion docs/admin_css.txt
Original file line number Diff line number Diff line change
Expand Up @@ -170,4 +170,4 @@ Labels
Form labels should always precede the field, except in the case
of checkboxes and radio buttons, where the ``input`` should come first. Any
explanation or help text should follow the ``label`` in a ``p`` with class
``.help``.
``.help``.
28 changes: 14 additions & 14 deletions docs/csrf.txt
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
Cross Site Request Forgery Protection
=====================================

The CsrfMiddleware class provides easy-to-use protection against
`Cross Site Request Forgeries`_. This type of attack occurs when a malicious
The CsrfMiddleware class provides easy-to-use protection against
`Cross Site Request Forgeries`_. This type of attack occurs when a malicious
web site creates a link or form button that is intended to perform some action
on your web site, using the credentials of a logged-in user who is tricked
into clicking on the link in their browser.
Expand All @@ -17,7 +17,7 @@ middleware into your list of installed middleware.

How to use it
=============
Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
your list of middleware classes, ``MIDDLEWARE_CLASSES``. It needs to process
the response after the SessionMiddleware, so must come before it in the
list. It also must process the response before things like compression
Expand All @@ -27,14 +27,14 @@ How it works
============
CsrfMiddleware does two things:

1. It modifies outgoing requests by adding a hidden form field to all
'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is
a hash of the session ID plus a secret. If there is no session ID set,
this modification of the response isn't done, so there is very little
1. It modifies outgoing requests by adding a hidden form field to all
'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is
a hash of the session ID plus a secret. If there is no session ID set,
this modification of the response isn't done, so there is very little
performance penalty for those requests that don't have a session.

2. On all incoming POST requests that have the session cookie set, it
checks that the 'csrfmiddlewaretoken' is present and correct. If it
2. On all incoming POST requests that have the session cookie set, it
checks that the 'csrfmiddlewaretoken' is present and correct. If it
isn't, the user will get a 403 error.

This ensures that only forms that have originated from your web site
Expand All @@ -43,13 +43,13 @@ can be used to POST data back.
It deliberately only targets HTTP POST requests (and the corresponding
POST forms). GET requests ought never to have side effects (if you are
using HTTP GET and POST correctly), and so a CSRF attack with a GET
request will always be harmless.
request will always be harmless.

POST requests that are not accompanied by a session cookie are not protected,
but they do not need to be protected, since the 'attacking' web site
could make these kind of requests anyway.

The Content-Type is checked before modifying the response, and only
The Content-Type is checked before modifying the response, and only
pages that are served as 'text/html' or 'application/xml+xhtml'
are modified.

Expand All @@ -59,9 +59,9 @@ CsrfMiddleware requires Django's session framework to work. If you have
a custom authentication system that manually sets cookies and the like,
it won't help you.

If your app creates HTML pages and forms in some unusual way, (e.g.
it sends fragments of HTML in javascript document.write statements)
you might bypass the filter that adds the hidden field to the form,
If your app creates HTML pages and forms in some unusual way, (e.g.
it sends fragments of HTML in javascript document.write statements)
you might bypass the filter that adds the hidden field to the form,
in which case form submission will always fail. It may still be possible
to use the middleware, provided you can find some way to get the
CSRF token and ensure that is included when your form is submitted.
Expand Down

0 comments on commit 7135135

Please sign in to comment.