[Zope-dev] CSRF protection for z3c.form

Laurence Rowe l at lrowe.co.uk
Mon Apr 4 10:53:07 EDT 2011


On 4 April 2011 14:57, Stephan Richter <srichter at cosmos.phy.tufts.edu> wrote:
> On Monday, April 04, 2011, Laurence Rowe wrote:
>> I'd be interested to know how other z3c.form users approach CSRF protection
>> and what approach they would recommend.
>
> Hi Laurence,
>
> I am okay with (1), but find (3) more attractive. Since I am not familiar with
> the token solution to avoid CSRF attacks, can you briefly describe the sequence
> that is used to avoid those requests? Maybe we can come up with a tightly
> integrated solution. I have no problem with modifying z3c.form to support such
> a feature.

Hi Stephan,

The authenticator is described on
http://pypi.python.org/pypi/plone.protect, but basically it adds an
HMAC-SHA signed token into the form submission. By validating this you
know that the submission came from a form that your site rendered,
rather than an opportunistic 'drive-by' attack from another site.

I'm happy to go with (3). I assume it is not common for z3c.form users
to have non-button actions or customize the ButtonActionHandler?

Laurence
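The HMAC-signed token scheme described in the message above, as an added example in Python that is not code from plone.protect or z3c.form: the token is an HMAC over the logged-in user's id under a server-side secret, rendered into a hidden field, and every submission is checked against a freshly computed token in constant time. The secret, the user ids and the `_authenticator` field name are constructed assumptions for this example.

```python
import hashlib
import hmac

# Constructed server-side secret for this example only; a real site would load
# it from configuration and rotate it, not hard-code it.
SERVER_SECRET = b"example-only-secret-not-for-production"


def make_token(user_id, secret=SERVER_SECRET):
    """HMAC-SHA256 of the user id under the server secret, hex encoded.

    Binding the token to the user means a token minted for one account
    cannot be replayed in a submission made as another account.
    """
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def render_form(user_id):
    """Render a site-originated form carrying the token as a hidden field.

    A form on another site cannot include this field with a correct value,
    because it never sees the secret.
    """
    token = make_token(user_id)
    return (
        '<form method="post" action="@@edit">'
        f'<input type="hidden" name="_authenticator" value="{token}" />'
        '<input type="submit" name="form.buttons.save" value="Save" />'
        "</form>"
    )


def is_valid_submission(form_data, user_id, secret=SERVER_SECRET):
    """Return True only if the submitted token matches the current user.

    A missing token, a token for a different user, a token under a different
    secret, or a guessed value are all rejected. compare_digest keeps the
    comparison constant time so the check does not leak via timing.
    """
    submitted = form_data.get("_authenticator")
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = make_token(user_id, secret)
    return hmac.compare_digest(submitted, expected)
```

In a z3c.form handler the check would run before the button action is dispatched, so a submission that fails validation never reaches the handler.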
