[Zope-dev] CSRF protection for z3c.form

Stephan Richter srichter at cosmos.phy.tufts.edu
Mon Apr 4 11:53:03 EDT 2011


On Monday, April 04, 2011, Laurence Rowe wrote:
> The authenticator is described on
> http://pypi.python.org/pypi/plone.protect, but basically it adds an
> HMAC-SHA signed token into the form submission. By validating this you
> know that the submission came from a form that your site rendered,
> rather than an opportunistic 'drive-by' attack from another site.

So why don't we make this a built-in feature then? The token manager (I think 
you call it the authenticator) needs to be smart, since it needs to deal with 
stale tokens and similar issues, but otherwise we could just add an 
authentication mechanism into z3c.form.

Mmh, if the token gets stored in the session variable, then we do not even 
have to worry about token management, since the session container has already 
that logic.

I have a feeling I am missing a level of complexity here...

> I'm happy to go with (3). I assume it is not common for z3c.form users
> to have non-button actions or customize the ButtonActionHandler?

Not in my experience.

Regards,
Stephan
-- 
Entrepreneur and Software Geek
Google me. "Zope Stephan Richter"
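The signed-token scheme Laurence describes above, worked through as an added example that is not from the original thread, from plone.protect, or from z3c.form: a secret-keyed HMAC is computed over the user id and an issue time, rendered into a hidden form field, and checked on submission. The timestamp is one stateless way of handling the stale tokens Stephan raises, so the server needs no session storage for the token itself. The field name, SHA-256, the one-hour lifetime and every function name below are assumptions for illustration; plone.protect's real API differs.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical names, not plone.protect's API.
FORM_FIELD = "_authenticator"   # hidden input the rendered form carries
TOKEN_MAX_AGE = 3600            # seconds a token stays valid (assumption)


def _sign(secret: bytes, user: str, issued: int) -> str:
    """HMAC-SHA256 over the user id and issue time, hex encoded."""
    msg = f"{user}:{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def create_token(secret: bytes, user: str, now: Optional[int] = None) -> str:
    """Token to embed in a form the site renders for this user."""
    issued = int(time.time()) if now is None else now
    return f"{issued}:{_sign(secret, user, issued)}"


def validate_token(secret: bytes, user: str, token: str,
                   now: Optional[int] = None,
                   max_age: int = TOKEN_MAX_AGE) -> bool:
    """Accept only if the MAC matches this user and secret and the token
    was issued within max_age seconds; anything malformed is rejected."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False
    # Reject future-dated and stale tokens before doing any MAC work.
    if issued > now or now - issued > max_age:
        return False
    expected = _sign(secret, user, issued)
    # Constant-time comparison so timing does not leak the expected MAC.
    return hmac.compare_digest(expected, mac)


def render_hidden_field(secret: bytes, user: str,
                        now: Optional[int] = None) -> str:
    """What the form renderer would emit alongside the other inputs."""
    return (f'<input type="hidden" name="{FORM_FIELD}" '
            f'value="{create_token(secret, user, now)}" />')


def check_submission(secret: bytes, user: str, form: dict,
                     now: Optional[int] = None) -> bool:
    """What a button action handler could run before executing the action.
    A missing field is treated the same as a bad token."""
    return validate_token(secret, user, form.get(FORM_FIELD, ""), now)


if __name__ == "__main__":
    # Constructed sample values; a real secret would be generated per site.
    secret = b"constructed-site-secret"
    print(render_hidden_field(secret, "alice", now=1000))
    good = {FORM_FIELD: create_token(secret, "alice", now=1000)}
    print("fresh submission:", check_submission(secret, "alice", good, now=1500))
    print("stale submission:", check_submission(secret, "alice", good, now=5000))
    print("cross-site post with no token:",
          check_submission(secret, "alice", {}, now=1500))
```

The handler only needs the current user and the site secret, so it can sit in one place (the action executor) rather than in every form; the usual caveat is that the secret must be per-site and kept out of templates, and that any token with a lifetime as long as this one should still be bound to the authenticated user as done here.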

