[Gelistirici] [paketler-commits] r35120 - in devel/programming/languages/python/Django: . files

S.Çağlar Onur caglar at pardus.org.tr
Fri May 23 22:44:56 EEST 2008


Eren;

On Tue, 13 Nov 2007, paketler-commits at pardus.org.tr wrote:
> Author: erenturkay
> Date: Tue Nov 13 05:41:04 2007
> New Revision: 35120
>
> Added:
>    devel/programming/languages/python/Django/files/enable-csrf-protecting-by-default.patch
> Modified:
>    devel/programming/languages/python/Django/pspec.xml
> Log:
> Huh, ninjas are working :), we love Pardus, we love Django!
>
> * Enable csrf protecting middleware by default, when user creates a
> project, csrf middleware will be automatically added.
>
> * See the page for understanding what csrf is;
>
> http://www.securityfocus.com/archive/1/482983 (PoC is available)
> http://www.djangoproject.com/documentation/csrf/

According to [1], this patch is wrong, or more precisely, in the wrong order;

[...]
To activate this CSRF protection, 
add 'django.contrib.csrf.middleware.CsrfMiddleware' to the MIDDLEWARE_CLASSES 
setting in your settings file. This middleware needs to process the response 
after SessionMiddleware, so CsrfMiddleware must appear before 
SessionMiddleware in the list (because the response middleware is processed 
last-to-first). Also, it must process the response before the response gets 
compressed or otherwise mangled, so CsrfMiddleware must come after 
GZipMiddleware. Once you’ve added that to your MIDDLEWARE_CLASSES setting, 
you’re done. See the section “Order of MIDDLEWARE_CLASSES” in Chapter 13 for 
more explanation.
[...]

[1] http://www.djangobook.com/en/1.0/chapter14/
-- 
S.Çağlar Onur <caglar at pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!
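
The ordering rule quoted in the message above, written as a check over a MIDDLEWARE_CLASSES tuple. This is an added example, not part of the original message or of the Pardus patch; the function name `check_csrf_order` and both sample tuples are constructed for illustration.

```python
# Added example: checks the MIDDLEWARE_CLASSES ordering rule quoted above.
CSRF = "django.contrib.csrf.middleware.CsrfMiddleware"
SESSION = "django.contrib.sessions.middleware.SessionMiddleware"
GZIP = "django.middleware.gzip.GZipMiddleware"


def check_csrf_order(middleware_classes):
    """Return a list of problems with CsrfMiddleware's position (empty = OK)."""
    names = list(middleware_classes)
    if CSRF not in names:
        return ["CsrfMiddleware is not enabled"]
    problems = []
    csrf_at = names.index(CSRF)
    # Response middleware runs last-to-first, so CsrfMiddleware must be listed
    # BEFORE SessionMiddleware to process the response AFTER it.
    if SESSION in names and csrf_at > names.index(SESSION):
        problems.append("CsrfMiddleware must appear before SessionMiddleware")
    # It must see the response before it is compressed, so by the same
    # last-to-first rule it must be listed AFTER GZipMiddleware.
    if GZIP in names and csrf_at < names.index(GZIP):
        problems.append("CsrfMiddleware must come after GZipMiddleware")
    return problems


# Constructed sample settings (not the contents of the patch under discussion).
APPENDED_LAST = (
    "django.middleware.common.CommonMiddleware",
    SESSION,
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    CSRF,  # simply appended to the end: listed after SessionMiddleware
)
CORRECT = (
    GZIP,
    "django.middleware.common.CommonMiddleware",
    CSRF,
    SESSION,
    "django.contrib.auth.middleware.AuthenticationMiddleware",
)

if __name__ == "__main__":
    for label, setting in (("appended last", APPENDED_LAST), ("correct", CORRECT)):
        print(label, "->", check_csrf_order(setting) or "OK")
```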