Closed Bug 637525 Opened 14 years ago Closed 14 years ago

Upgrade Django to Address CSRF Weakness

Product / Component: developer.mozilla.org Graveyard :: User management
Type: task
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Reporter: mcoates (Unassigned)
Keywords: wsec-csrf
Whiteboard: [infrasec:crsf][ws:critical]

Django needs to be upgraded to the current version to address a weakness in CSRF handling. Note: This upgrade requires changes to the code in order for AJAX requests to continue working. Specifically, the AJAX requests must be modified to include the CSRF token or the request will fail. http://www.djangoproject.com/weblog/2011/feb/08/security/ Please schedule MDN to upgrade Django as soon as possible.
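The client-side change the report refers to, as an added example that is not code from this bug or from the Django project: after the 1.2.5 security release an XMLHttpRequest POST is no longer exempt from CSRF checking, so page scripts must read the `csrftoken` cookie and echo it back in the `X-CSRFToken` header. The cookie and header names are Django's defaults; the helper names and the sample cookie string are assumptions made for this example.

```javascript
// Added example, not from the bug or from Django. Assumes Django's default
// CSRF cookie name ("csrftoken") and request header name ("X-CSRFToken").

// Methods Django treats as safe (no state change) and does not CSRF-check.
var CSRF_SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

function isCsrfSafeMethod(method) {
  return CSRF_SAFE_METHODS.indexOf(String(method).toUpperCase()) !== -1;
}

// Parse one cookie out of a document.cookie-style string.
// Returns null when the cookie is absent so the caller can fail loudly
// instead of sending a request the server will answer with 403.
function getCookie(name, cookieString) {
  var parts = cookieString.split(";");
  for (var i = 0; i < parts.length; i++) {
    var pair = parts[i].trim().split("=");
    if (pair[0] === name) {
      // Re-join in case the value itself contains "=".
      return decodeURIComponent(pair.slice(1).join("="));
    }
  }
  return null;
}

// Extra headers an AJAX request needs: none for safe methods, X-CSRFToken
// for unsafe ones, or an error when the cookie is missing.
function csrfHeadersFor(method, cookieString) {
  if (isCsrfSafeMethod(method)) {
    return {};
  }
  var token = getCookie("csrftoken", cookieString);
  if (token === null) {
    throw new Error("csrftoken cookie missing; request would fail the CSRF check");
  }
  return { "X-CSRFToken": token };
}

// Browser-only wrapper: open the request, attach the CSRF header, send.
// The functions above are pure so they can be tested outside a browser.
function sendWithCsrf(xhr, method, url, body) {
  xhr.open(method, url);
  var headers = csrfHeadersFor(method, document.cookie);
  Object.keys(headers).forEach(function (name) {
    xhr.setRequestHeader(name, headers[name]);
  });
  xhr.send(body);
}
```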
Wil, is this you? Who handles dev.m.o?
Might be Les now, some stuff just shifted around. Morgamic has the chart!
Chart should be on a wiki somewhere. :)
Still wrapping my head around MDN. The only spot I know that uses Django CSRF in MDN is the submission form for Demo Studio, which also uses a captcha. Not sure if there are more...? lcrouch might know too
Demo submission, but probably also content flagging and/or rating? Anything that does a POST I think.
Whiteboard: [infrasec:crsf][ws:critical]
Ping - is more work needed here to upgrade MDN?
Yeah, we still need to upgrade MDN from 1.2.3 to 1.2.5. I will add this to our next release.
Target Milestone: --- → 0.9.5
Assignee: nobody → lcrouch
Raymond, we need to pass thru all the MDN stuff - landing, learning, and demos - and make sure 1.2.5 didn't break anything. Good use for the expanded selenium test suite.
Assignee: lcrouch → mozbugs.retornam
Status: NEW → RESOLVED
Closed: 14 years ago
Keywords: qawanted
Resolution: --- → FIXED
Assignee: mozbugs.retornam → nobody
has this been propped to production yet?
it's on stage9, I can't check production - unless someone knows how to check without import django; django.VERSION ?

assigning to IT.

python26 manage.py shell
import django
django.VERSION
Assignee: nobody → server-ops
(In reply to comment #11)
> it's on stage9, I can't check production - unless someone knows how to check
> without import django; django.VERSION ?
>
> assigning to IT.
>
> python26 manage.py shell
> import django
> django.VERSION

Django should be whatever we have in kuma-lib: https://github.com/mozilla/kuma-lib/tree/master/src

Can't hurt to have IT check this, but we have a problem if it's anything different than what's here (the submodule in kuma-lib): https://github.com/django/django/blob/b8ac1085778ebed65a5c6d2af6dda4eff82bb66f/django/__init__.py
Any update on this?
(In reply to comment #13)
> Any update on this?

adding people who deal with mdn nowadays
Production reports this:

In [2]: django.VERSION
Out[2]: (1, 2, 5, 'final', 0)
that is the latest version as of now.
Status: RESOLVED → VERIFIED
Component: Administration → User management
Keywords: wsec-csrf
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard