[Zope-dev] (optional) CSRF protection in zope.formlib

Leonardo Rochael Almeida leorochael at gmail.com
Wed Sep 18 17:26:13 CEST 2013


Hi Jan-Wij,

+1 for implementing convenient CSRF.

I wonder if you could make your implementation more orthogonal by
implementing a CSRF "field/widget", and make your `protected` attribute
simply trigger the inclusion of this field implicitly.

This way you wouldn't need to change the `*pageform.pt` templates like you
do now, and `setupToken()`/`checkToken()` would move to the widget code.

Cheers,

Leo


On Wed, Sep 18, 2013 at 11:41 AM, Jan-Wijbrand Kolman <janwijbrand at gmail.com> wrote:

> Hi,
>
> I've been working on CSRF protection for zope.formlib.
>
> I have a "csrfprotection" branch in my zope.formlib fork on github. The
> changes against the current zope.formlib mainline can be found here:
>
> https://github.com/janwijbrand/zope.formlib/compare/csrfprotection
>
> When creating form components based on zope.formlib.form.FormBase, one can
> enable this protection just by setting the attribute ``protected`` to True
> on the component.
>
> This implementation is based on the following assumptions:
>
> * We do not want to keep server-side state(!)
>
> * An "attacker" that attempts CSRF cannot get to information stored in
> cookies that are meant for the domain of the (forged) request.
>
> * The token stored in the cookie is sufficiently random and long, to be
> practically "unguessable" by the attacker.
>
> * The form submit is deemed valid as long as the token in the cookie is
> identical to a hidden input value that is part of the form submit.
>
> My questions:
>
> * Do you find this feature useful enough to be, in principle, included in
> zope.formlib?
>
> * I'd like to kindly request someone to review my branch and provide
> feedback.
>
> The included test cases describe a few more questions and concerns about
> this implementation.
>
> Thank you in advance!
>
> kind regards, jw
>
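The stateless double-submit-cookie check described above, as an added standalone Python sketch (not the code in the csrfprotection branch; the cookie name, field name and dict-based request/response objects are assumptions):

```python
import hmac
import secrets
from html import escape

COOKIE_NAME = "csrftoken"       # assumed; the branch's real cookie name is not given in the thread
FIELD_NAME = "form.csrftoken"   # assumed name of the hidden input


def setup_token(request_cookies, response_cookies):
    """The 'setupToken()' step: make sure the browser holds a random token.
    No server-side state: the token lives only in the cookie."""
    token = request_cookies.get(COOKIE_NAME)
    if not token:
        token = secrets.token_urlsafe(32)   # 256 random bits, practically unguessable
        response_cookies[COOKIE_NAME] = token
    return token


def hidden_input(token):
    """What the form (or a CSRF widget) would emit for the hidden field."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        FIELD_NAME, escape(token, quote=True))


def check_token(request_cookies, form_data):
    """The 'checkToken()' step: valid only if hidden field == cookie.
    Distinguishes the failure modes so a form can report them."""
    cookie = request_cookies.get(COOKIE_NAME)
    submitted = form_data.get(FIELD_NAME)
    if not cookie:
        return False, "no token cookie"
    if not submitted:
        return False, "no token field"
    # Constant-time comparison on bytes; avoids TypeError on non-ASCII input.
    if not hmac.compare_digest(cookie.encode("utf-8"), submitted.encode("utf-8")):
        return False, "token mismatch"
    return True, "ok"


def simulate(forged=False):
    """Constructed flow: GET renders the form and sets the cookie, then a POST."""
    browser_cookies = {}
    token = setup_token({}, browser_cookies)          # first visit: cookie issued
    form_data = {"form.actions.save": "Save"}
    if forged:
        # A cross-site page cannot read the victim's cookie, so it can only guess.
        form_data[FIELD_NAME] = secrets.token_urlsafe(32)
    else:
        form_data[FIELD_NAME] = token                  # browser echoes the hidden input
    return check_token(browser_cookies, form_data)
```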
